1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
|
Return-Path: <antoine.riard@gmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 4EAB8C0052
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 5 Sep 2020 01:07:35 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id 314D6869CA
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 5 Sep 2020 01:07:35 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id IXrGq+R-K7X7
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 5 Sep 2020 01:07:30 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com
[209.85.221.45])
by whitealder.osuosl.org (Postfix) with ESMTPS id 053A386356
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 5 Sep 2020 01:07:30 +0000 (UTC)
Received: by mail-wr1-f45.google.com with SMTP id m6so9192841wrn.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 04 Sep 2020 18:07:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=rczALG0ffb5fhw3sdl1N0yy0viuS4P4B4xiwa3iTiWE=;
b=UKSnIy/vD/71DLUeORY2K8wSi0L5s7Ax8x9Bo92/LwvzjkIEqPlg1CNY7oerNKtz1O
E/kjX3oopYAzCwsz/87udLZ5xIVzyyEJnVejaOLmSQdZq2pNHaxyOp/ucC5Ytrsj5mtL
yDGHJ8dRnG2wpB9SDvh37eIaB9BVrKklsOq5ycP+k3OBQbUZdZ3pG3O5on1FHDwjgLkf
rWvy+6Qu0ep1bKCGCAxvdyIu8UD18cLWZRvmBzfLN1iRf/xbNhV8PABlXp8bzj18Btz3
FOAuxuVPKXPXymznQl2Af2L3vgg2WAlAZ3NIIOUgZ7JtM4/lZJYoTaMWfDk9duJM+Mh9
1+eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=rczALG0ffb5fhw3sdl1N0yy0viuS4P4B4xiwa3iTiWE=;
b=EnC5oqC3F8M7IUJ1XZmYCDfrtaIdC9WmWFThkQs+irC0hG+zFEgCreSirznEuOWsBt
eOPSI/76efLr7VqG/f+IMFdXM45IxEydpef3S6hX0AqvSlod7cl/jzwyL+6SpGF/dpEu
zsuDkBcyoDAb/OPGlgEs18SG+2iJ+cpEkMxnA5Cs/6F1baUn7e3o4VyUWQZZYnh0TPgs
6ykVzCuKHTY89e5uJHmQ+oMI4Q5qqUfwPPh+2uxZFNaYn0iI3KRYKQFEBXiyE4yT/UCB
PydRW5D1CApTKf+flpdlQcA+AatBuIiZN8AVmw5b0WaF9/e7EWjgmSXmubio8eZnJWM6
0Odg==
X-Gm-Message-State: AOAM531WaheP3cafmNbuv4tA5WOHU91biJXTlPfS2FGAAIlq9T+ntVnO
pU9HpN7nipsLMa1MNG4bDBXtNTvjU9EmJ63imBA=
X-Google-Smtp-Source: ABdhPJxfPeQcoI3sXu3ECgxKQXFdA57BhnwM0mKxBVfsLOJd357Bw9We76ZJj/OzVIOSvgtg3JSEjRpRakxagcQBVnk=
X-Received: by 2002:adf:f44d:: with SMTP id f13mr4442841wrp.224.1599268047910;
Fri, 04 Sep 2020 18:07:27 -0700 (PDT)
MIME-Version: 1.0
References: <813e51a1-4252-08c0-d42d-5cef32f684bc@riseup.net>
<CALZpt+GxKDEDAGUH3Jb3rcZdh_jy_depLRE5KzGTpkZOLVH+QA@mail.gmail.com>
<d08ddff2-f62a-661b-d9cf-2f84f7d3ea9e@riseup.net>
In-Reply-To: <d08ddff2-f62a-661b-d9cf-2f84f7d3ea9e@riseup.net>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Fri, 4 Sep 2020 21:07:15 -0400
Message-ID: <CALZpt+GCwksRTxtyOka75caTGFmP0t6+yjWHthWcaMb9L52M5g@mail.gmail.com>
To: Chris Belcher <belcher@riseup.net>
Content-Type: multipart/alternative; boundary="000000000000e5791005ae869b27"
X-Mailman-Approved-At: Sat, 05 Sep 2020 06:58:07 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Detailed protocol design for routed
multi-transaction CoinSwap
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Sep 2020 01:07:35 -0000
--000000000000e5791005ae869b27
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Chris,
I forgot to underscore that contract transaction output must be grieved by
at least a CSV of 1. Otherwise, a malicious counterparty can occupy with
garbage both the timelock-or-preimage output and its own anchor output thus
blocking you to use the bumping capability of your own anchor ouput.
A part of this, I think it works.
> Another possible fix for both vulnerabilities is to separate the
> timelock and hashlock cases into two separate transactions as described
> by ZmnSCPxj in a recent email to this list. This comes at the cost of
> breaking private key handover allowing coins to remain unspent
indefinitely.
This works too assuming these second-stage transactions aren't malleable at
all (e.g SIGASH_SINGLE). Other ways you can increase their feerate/absolute
fee and you're back to the initial situation.
Beyond note also that anchors-on-second-stage are more risky here, as
otherwise your counterparty can again attach a low-feerate child. In case
of concurrent broadcast (assuming you haven't achieved to claim the output
before timelock expiration due to network outage/mempool-congestion) you
might not see your counterparty version. I.e, your local mempool has the
timelock tx and the rest of the network the hashlock and your CPFP bump
won't propagate as being an orphan.
So you're left with a RBF-range, which is mostly okay minus a theoretical
concern : a party guessing the odds to lose the balance are high can
broadcast/send out-of-band the highest-fee bound to miners thus
incentivizing them to censor a honest, low-fee preimage tx. A
"nothing-at-stake-for-genuinely-evil-counterparty" issue.
> Another possible fix for the second attack, is to encumber the output
> with a `1 OP_CSV` which stops that output being spent while unconfirmed.
> This seems to be the simplest way if your aim is to only fix the second
> attack.
Yes you don't package fee malleability so an honest party can always
unilaterally bump the feerate and override concurrent bids.
That said, I would lean towards anchors and thus unileratel fee bumping.
Feerate interactivity among a multi-party protocol should be seen as an
oracle to leak the full-node of a participant. By sending a range of
conflicting transactions with different feerates to a set of network
mempools I could theoretically observe variations in the protocol feerate
announced.
I would recommend you to have a look on this paper, if it's not done yet :
https://arxiv.org/pdf/2007.00764.pdf, the first one analyzing privacy
holistically across Bitcoin layers.
Cheers,
Antoine
Le sam. 29 ao=C3=BBt 2020 =C3=A0 18:03, Chris Belcher <belcher@riseup.net> =
a =C3=A9crit :
> Hello Antoine,
>
> Thanks for the very useful insights.
>
> It seems having just one contract transaction which includes anchor
> outputs in the style already used by Lightning is one way to fix both
> these vulnerabilities.
>
> For the first attack, the other side cannot burn the entire balance
> because they only have access to the small amount of satoshi of the
> anchor output, and to add miner fees they must add their own inputs. So
> they'd burn their own coins to miner fees, not the coins in the contract.
>
> For the second attack, the other side cannot do transaction pinning
> because there is only one contract transaction, and all the protections
> already developed for use with Lightning apply here as well, such as
> CPFP carve out.
>
>
> Another possible fix for both vulnerabilities is to separate the
> timelock and hashlock cases into two separate transactions as described
> by ZmnSCPxj in a recent email to this list. This comes at the cost of
> breaking private key handover allowing coins to remain unspent
> indefinitely.
>
> Another possible fix for the second attack, is to encumber the output
> with a `1 OP_CSV` which stops that output being spent while unconfirmed.
> This seems to be the simplest way if your aim is to only fix the second
> attack.
>
>
> These are all the possible fixes I can think of.
>
> Regards
> Chris
>
> On 24/08/2020 20:30, Antoine Riard wrote:
> > Hello Chris,
> >
> > I think you might have vulnerability issues with the current design.
> >
> > With regards to the fee model for contract transactions, AFAICT timely
> > confirmation is a fund safety matter for an intermediate hop. Between t=
he
> > offchain preimage reveal phase and the offchain private key handover
> phase,
> > the next hop can broadcast your outgoing contract transactions, thus
> > forcing you to claim quickly backward as you can't assume previous hop
> will
> > honestly cooperate to achieve the private key handover. This means that
> > your range of pre-signed RBF-transactions must theoretically have for f=
ee
> > upper bound the maximum of the contested balance, as game-theory side,
> it's
> > rational to you to burn your balance instead of letting your counterpar=
ty
> > claim it after timelock expiration, in face of mempool congestion. Wher=
e
> > the issue dwells is that this fee is pre-committed and not cancelled wh=
en
> > the balance change of ownership by the outgoing hop learning the preima=
ge
> > of the haslock output. Thus the previous hop is free to broadcast the
> > highest-fee RBF-transactions and burn your balance, as for him, his
> balance
> > is now encoded in the output of the contract transactions on the previo=
us
> > link, for which he knows the preimage.
> >
> > Note, I think this is independent of picking up either relative or
> absolute
> > timelocks as what matters is the block delta between two links. Of cour=
se
> > you can increase this delta to be week-lengthy and thus decrease the ne=
ed
> > for a compelling fee but a) you may force quickly close with contract
> > transactions if the private key handover doesn't happen soon, you don't
> > want to be caught by surprise by congestion so you would close far behi=
nd
> > delta period expiration like half of it, and b) you increase the
> time-value
> > of makers funds in case of faulty hop, thus logically increasing the
> maker
> > fee and making the cost of the system higher in average. I guess a bett=
er
> > solution would be to use dual-anchor outputs has spec'ed out by
> Lightning,
> > it lets the party who has a balance at stake unilaterally increase
> feerate
> > with a CPFP. The CPFP is obviously a higher blockchain cost but a) it's=
a
> > safety mechanism for a worst-case scenario, 99% of the time they won't =
be
> > committed, b) you might use this CPFP to aggregate change outputs or
> other
> > opportunistically side-usage.
> >
> > With regards to the preimage release phase, I think you might have a
> > pinning scenario. The victim would be an intermediate hop, targeted by =
a
> > malicious taker. The preimage isn't revealed offchain to this victim
> hop. A
> > low-feerate version of the outgoing contract transaction is broadcast a=
nd
> > not going to confirm, assuming a bit of congestion. As preimage is know=
n,
> > the malicious taker can directly attach a high-fee, low-feerate child
> > transaction and thus prevent any replacement of the pinned parent by a
> > honest broadcast of a high-fee RBF-transaction under BIP 125 rules. At
> the
> > same time, the malicious taker broadcasts the contract tx on the previo=
us
> > link and gets it confirmed. At relative timelock expiration, malicious
> > taker claims back the funds. When the pinned transaction spending the
> > outgoing link gets evicted (either by replacing child by a higher feera=
te
> > or waiting for mempool expiration after 2 weeks), taker gets it confirm=
ed
> > this time and claims output through hashlock. Given the relative timelo=
ck
> > blocking the victim, there is not even a race.
> >
> > I guess restraining the contract transaction to one and only one versio=
n
> > would overcome this attack. A honest intermediate hop, as soon as seein=
g
> a
> > relative timelock triggered backward would immediately broadcast the
> > outgoing link contract tx or if it's already in network mempools
> broadcast
> > a higher-feerate child. As you don't have valid multiple contract
> > transactions, an attacker can't obstruct you to propagate the correct
> > child, as you are not blind about the parent txid.
> >
> > Lastly, one downside of using relative timelocks, in case of one
> downstream
> > link failure, it forces every other upstream hops to go onchain to
> protect
> > against this kind of pinning scenario. And this would be a privacy
> > breakdown, as a maker would be able to provoke one, thus constraining
> every
> > upstream hops to go onchain with the same hash and revealing the CoinSw=
ap
> > route.
> >
> > Let me know if I reviewed the correct transactions circuit model or
> > misunderstood associated semantic. I might be completely wrong, coming
> from
> > a LN perspective.
> >
> > Cheers,
> > Antoine
> >
> > Le mar. 11 ao=C3=BBt 2020 =C3=A0 13:06, Chris Belcher via bitcoin-dev <
> > bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit :
> >
> >> I'm currently working on implementing CoinSwap (see my other email
> >> "Design for a CoinSwap implementation for massively improving Bitcoin
> >> privacy and fungibility").
> >>
> >> CoinSwaps are special because they look just like regular bitcoin
> >> transactions, so they improve the privacy even for people who do not u=
se
> >> them. Once CoinSwap is deployed, anyone attempting surveillance of
> >> bitcoin transactions will be forced to ask themselves the question: ho=
w
> >> do we know this transaction wasn't a CoinSwap?
> >>
> >> This email contains a detailed design of the first protocol version. I=
t
> >> makes use of the building blocks of multi-transaction CoinSwaps, route=
d
> >> CoinSwaps, liquidity market, private key handover, and fidelity bonds.
> >> It does not include PayJoin-with-CoinSwap, but that's in the plan to b=
e
> >> added later.
> >>
> >> =3D=3D Routed CoinSwap =3D=3D
> >>
> >> Diagram of CoinSwaps in the route:
> >>
> >> Alice =3D=3D=3D=3D> Bob =3D=3D=3D=3D> Charlie =3D=3D=3D=3D> Alice
> >>
> >> Where (=3D=3D=3D=3D>) means one CoinSwap. Alice gives coins to Bob, wh=
o gives
> >> coins to Charlie, who gives coins to Alice. Alice is the market taker
> >> and she starts with the hash preimage. She chooses the CoinSwap amount
> >> and chooses who the makers will be.
> >>
> >> This design has one market taker and two market makers in its route, b=
ut
> >> it can easily be extended to any number of makers.
> >>
> >> =3D=3D Multiple transactions =3D=3D
> >>
> >> Each single CoinSwap is made up of multiple transactions to avoid amou=
nt
> >> correlation
> >>
> >> (a0 BTC) ---> (b0 BTC) ---> (c0 BTC) --->
> >> Alice (a1 BTC) ---> Bob (b1 BTC) ---> Charlie (c1 BTC) ---> Alice
> >> (a2 BTC) ---> (b2 BTC) ---> (c2 BTC) --->
> >>
> >> The arrow (--->) represent funding transactions. The money gets paid t=
o
> >> a 2-of-2 multisig but after the CoinSwap protocol and private key
> >> handover is done they will be controlled by the next party in the rout=
e.
> >>
> >> This example has 6 regular-sized transactions which use approximately
> >> the same amount of block space as a single JoinMarket coinjoin with 6
> >> parties (1 taker, 5 makers). Yet the privacy provided by this one
> >> CoinSwap would be far far greater. It would not have to be repeated in
> >> the way that Equal-Output CoinJoins must be.
> >>
> >> =3D=3D Direct connections to Alice =3D=3D=3D
> >>
> >> Only Alice, the taker, knows the entire route, Bob and Charlie just kn=
ow
> >> their previous and next transactions. Bob and Charlie do not have dire=
ct
> >> connections with each other, only with Alice.
> >>
> >> Diagram of Tor connections:
> >>
> >> Bob Charlie
> >> | /
> >> | /
> >> | /
> >> Alice
> >>
> >> When Bob and Charlie communicate, they are actually sending and
> >> receiving messages via Alice who relays them to Charlie or Bob. This
> >> helps hide whether the previous or next counterparty in a CoinSwap rou=
te
> >> is a maker or taker.
> >>
> >> This doesn't have security issues even in the final steps where privat=
e
> >> keys are handed over, because those private keys are always for 2-of-2
> >> multisig and so on their own are never enough to steal money.
> >>
> >>
> >> =3D=3D=3D Miner fees =3D=3D=3D
> >>
> >> Makers have no incentive to pay any miner fees. They only do
> >> transactions which earn them an income and are willing to wait a very
> >> long time for that to happen. By contrast takers want to create
> >> transactions far more urgently. In JoinMarket we coded a protocol wher=
e
> >> the maker could contribute to miner fees, but the market price offered
> >> of that trended towards zero. So the reality is that takers will pay a=
ll
> >> the miner fees. Also because makers don't know the taker's time
> >> preference they don't know how much they should pay in miner fees.
> >>
> >> The taker will have to set limits on how large the maker's transaction=
s
> >> are, otherwise makers could abuse this by having the taker consolidate
> >> maker's UTXOs for free.
> >>
> >> =3D=3D Funding transaction definitions =3D=3D
> >>
> >> Funding transactions are those which pay into the 2-of-2 multisig
> >> addresses.
> >>
> >> Definitions:
> >> I =3D initial coinswap amount sent by Alice =3D a0 + a1 + a2
> >> (WA, WB, WC) =3D Total value of UTXOs being spent by Alice, Bob, Charl=
ie
> >> respectively. Could be called "wallet Alice", "wallet
> >> Bob", etc
> >> (B, C) =3D Coinswap fees paid by Alice and earned by Bob and Charlie.
> >> (M1, M2, M3) =3D Miner fees of the first, second, third, etc sets of
> >> funding transactions. Alice will choose what these are
> >> since she's paying.
> >> multisig(A+B) =3D A 2of2 multisig output with private keys held by A a=
nd B
> >>
> >> The value in square parentheses refers to the bitcoin amount.
> >>
> >> Alice funding txes
> >> [WA btc] ---> multisig (Alice+Bob) [I btc]
> >> change [WA-M1-I btc]
> >> Bob funding txes
> >> [WB btc] ---> multisig (Bob+Charlie) [I-M2-B btc]
> >> change [WB-I+B btc]
> >> Charlie funding txes
> >> [WC btc] ---> multisig (Charlie+Alice) [(I-M2-B)-M3-C btc]
> >> change [WC-(I-M2-B)+C btc]
> >>
> >> Here we've drawn these transactions as single transactions, but they a=
re
> >> actually multiple transactions where the outputs add up some value (e.=
g.
> >> add up to I in Alice's transactions.)
> >>
> >> =3D=3D=3D Table of balances before and after a successful CoinSwap =3D=
=3D=3D
> >>
> >> If a CoinSwap is successful then all the multisig outputs in the fundi=
ng
> >> transactions will become controlled unilaterally by one party. We can
> >> calculate how the balances of each party change.
> >>
> >> Party | Before | After
> >> --------|--------|-------------------------------------------
> >> Alice | WA | WA-M1-I + (I-M2-B)-M3-C =3D WA-M1-M2-M3-B-C
> >> Bob | WB | WB-I+B + I =3D WB+B
> >> Charlie | WC | WC-(I-M2-B)+C + I-M2-B =3D WC+C
> >>
> >> After a successful coinswap, we see Alice's balance goes down by the
> >> miner fees and the coinswap fees. Bob's and Charlie's balance goes up =
by
> >> their coinswap fees.
> >>
> >> =3D=3D Contract transaction definitions =3D=3D
> >>
> >> Contract transactions are those which may spend from the 2-of-2 multis=
ig
> >> outputs, they transfer the coins into a contract where the coins can b=
e
> >> spent either by waiting for a timeout or providing a hash preimage
> >> value. Ideally contract transactions will never be broadcast but their
> >> existence keeps all parties honest.
> >>
> >> M~ is miner fees, which we treat as a random variable, and ultimately
> >> set by whichever pre-signed RBF tx get mined. When we talk about _the_
> >> contract tx, we actually mean perhaps 20-30 transactions which only
> >> differ by the miner fee and have RBF enabled, so they can be broadcast=
ed
> >> in sequence to get the contract transaction mined regardless of the
> >> demand for block space.
> >>
> >> (Alice+timelock_A OR Bob+hash) =3D Is an output which can be spent
> >> either with Alice's private key
> >> after waiting for a relative
> >> timelock_A, or by Bob's private key b=
y
> >> revealing a hash preimage value
> >>
> >> Alice contract tx:
> >> multisig (Alice+Bob) ---> (Alice+timelock_A OR Bob+hash)
> >> [I btc] [I-M~ btc]
> >> Bob contract tx:
> >> multisig (Bob+Charlie) ---> (Bob+timelock_B OR Charlie+hash)
> >> [I-M2-B btc] [I-M2-B-M~ btc]
> >> Charlie contract tx:
> >> multisig (Charlie+Alice) ---> (Charlie+timelock_C OR Alice+hash)
> >> [(I-M2-B)-M3-C btc] [(I-M2-B)-M3-C-M~ btc]
> >>
> >>
> >> =3D=3D=3D Table of balances before/after CoinSwap using contracts tran=
sactions
> >> =3D=3D=3D
> >>
> >> In this case the parties had to get their money back by broadcasting a=
nd
> >> mining the contract transactions and waiting for timeouts.
> >>
> >> Party | Before | After
> >> --------|--------|--------------------------------------------
> >> Alice | WA | WA-M1-I + I-M~ =3D WA-M1-M~
> >> Bob | WB | WB-I+B + I-M2-B-M~ =3D WB-M2-M~
> >> Charlie | WC | WC-(I-M2-B)+C + (I-M2-B)-M3-C-M~ =3D WC-M3-M~
> >>
> >> In the timeout failure case, every party pays for their own miner fees=
.
> >> And nobody earns or spends any coinswap fees. So even for a market mak=
er
> >> its possible for their wallet balance to go down sometimes, although a=
s
> >> we shall see there are anti-DOS features which make this unlikely to
> >> happen often.
> >>
> >> A possible attack by a malicious Alice is that she chooses M1 to be ve=
ry
> >> low (e.g. 1 sat/vbyte) and sets M2 and M3 to be very high (e.g. 1000
> >> sat/vb) and then intentionally aborts, forcing the makers to lose much
> >> more money in miner fees than the attacker. The attack can be used to
> >> waste away Bob's and Charlie's coins on miner fees at little cost to t=
he
> >> malicious taker Alice. So to defend against this attack Bob and Charli=
e
> >> must refuse to sign a contract transaction if the corresponding fundin=
g
> >> transaction pays miner fees greater than Alice's funding transaction.
> >>
> >>
> >> There can also be a failure case where each party gets their money usi=
ng
> >> hash preimage values instead of timeouts. Note that each party has to
> >> sweep the output before the timeout expires, so that will cost an
> >> additional miner fee M~.
> >>
> >> Party | Before | After
> >> --------|--------|----------------------------------------------------=
--
> >> Alice | WA | WA-M1-I + (I-M2-B)-M3-C-M~ - M~ =3D WA-M1-M2-M3-B-C=
-2M~
> >> Bob | WB | WB-I+B + I-M~ - M~ =3D WB+B-2M~
> >> Charlie | WC | WC-(I-M2-B)+C + I-M2-B-M~ - M~ =3D WC+C-2M~
> >>
> >> In this situation the makers Bob and Charlie earn their CoinSwap fees,
> >> but they pay an additional miner fee twice. Alice pays for all the
> >> funding transaction miner fees, and the CoinSwap fees, and two
> >> additional miner fees. And she had her privacy damaged because the
> >> entire world saw on the blockchain the contract script.
> >>
> >> Using the timelock path is like a refund, everyone's coin just comes
> >> back to them. Using the preimage is like the CoinSwap transaction
> >> happened, with the coins being sent ahead one hop. Again note that if
> >> the preimage is used then coinswap fees are paid.
> >>
> >> =3D=3D=3D Staggered timelocks =3D=3D=3D
> >>
> >> The timelocks are staggered so that if Alice uses the preimage to take
> >> coins then the right people will also learn the preimage and have enou=
gh
> >> time to be able to get their coins back too. Alice starts with knowled=
ge
> >> of the hash preimage so she must have a longest timelock.
> >>
> >> =3D=3D EC tweak to reduce one round trip =3D=3D
> >>
> >> When two parties are agreeing on a 2-of-2 multisig address, they need =
to
> >> agree on their public keys. We can avoid one round trip by using the E=
C
> >> tweak trick.
> >>
> >> When Alice, the taker, downloads the entire offer book for the liquidi=
ty
> >> market, the offers will also contain a EC public key. Alice can tweak
> >> this to generate a brand new public key for which the maker knows the
> >> private key. This public key will be one of the keys in the 2-of-2
> >> multisig. This feature removes one round trip from the protocol.
> >>
> >> q =3D EC privkey generated by maker
> >> Q =3D q.G =3D EC pubkey published by maker
> >>
> >> p =3D nonce generated by taker
> >> P =3D p.G =3D nonce point calculated by taker
> >>
> >> R =3D Q + P =3D pubkey used in bitcoin transaction
> >> =3D (q + p).G
> >>
> >> Taker sends unsigned transaction which pays to multisig using pubkey Q=
,
> >> and also sends nonce p. The maker can use nonce p to calculate (q + p)
> >> which is the private key of pubkey R.
> >>
> >> Taker doesnt know the privkey because they are unable to find q becaus=
e
> >> of the ECDLP.
> >>
> >> Any eavesdropper can see the nonce p and easily calculate the point R
> >> too but Tor communication is encrypted so this isnt a concern.
> >>
> >> None of the makers in the route know each other's Q values, so Alice t=
he
> >> taker will generate a nonce p on their behalf and send it over. I
> >> believe this cant be used for any kind of attack, because the signing
> >> maker will always check that the nonce results in the public key
> >> included in the transaction they're signing, and they'll never sign a
> >> transaction not in their interests.
> >>
> >>
> >> =3D=3D Protocol =3D=3D
> >>
> >> This section is the most important part of this document.
> >>
> >> Definitions:
> >> fund =3D all funding txes (remember in this multi-tx protocol there ca=
n be
> >> multiple txes which together make up the funding)
> >> A htlc =3D all htlc contract txes (fully signed) belonging to party A
> >> A unsign htcl =3D all unsigned htlc contract txes belonging to party A
> >> including the nonce point p used to calculate the
> >> maker's pubkey.
> >> p =3D nonce point p used in the tweak EC protocol for calculating the
> >> maker's pubkey
> >> A htlc B/2 =3D Bob's signature for the 2of2 multisig of the Alice htlc
> >> contract tx
> >> privA(A+B) =3D private key generated by Alice in the output
> >> multisig (Alice+Bob)
> >>
> >>
> >> | Alice | Bob | Charlie |
> >> |=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D|=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D|=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D|
> >> 0. A unsign htlc ----> | |
> >> 1. <---- A htlc B/2 | |
> >> 2. ***** BROADCAST AND MINE ALICE FUNDING TXES ****** |
> >> 3. A fund+htlc+p ----> | |
> >> 4. | B unsign htlc ----> |
> >> 5. | <---- B htlc C/2 |
> >> 6. ******* BROADCAST AND MINE BOB FUNDING TXES ******* |
> >> 7. | B fund+htlc+p ----> |
> >> 8. <---------------------- C unsign htlc |
> >> 9. C htlc A/2 ----------------------> |
> >> A. ***** BROADCAST AND MINE CHARLIE FUNDING TXES ***** |
> >> B. <---------------------- C fund+htlc+p |
> >> C. hash preimage ----------------------> |
> >> D. hash preimage ----> | |
> >> E. privA(A+B) ----> | |
> >> F. | privB(B+C) ----> |
> >> G. <---------------------- privC(C+A) |
> >>
> >> =3D=3D Protocol notes =3D=3D
> >> 0-2 are the steps which setup Alice's funding tx and her contract tx f=
or
> >> possible refund
> >> 4-5 same as 0-2 but for Bob
> >> 8-9 same as 0-2 but for Charlie
> >> 3,7 is proof to the next party that the previous party has already
> >> committed miner fees to getting a transaction mined, and therefore
> >> this isnt a DOS attack. The step also reveals the fully-signed
> >> contract transaction which the party can use to get their money ba=
ck
> >> with a preimage.
> >> C-G is revealing the hash preimage to all, and handing over the privat=
e
> >> keys
> >>
> >>
> >> =3D=3D Analysis of aborts =3D=3D
> >>
> >> We will now discuss aborts, which happen when one party halts the
> >> protocol and doesnt continue. Perhaps they had a power cut, their
> >> internet broke, or they're a malicious attacker wanting to waste time
> >> and money. The other party may try to reestablish a connection for som=
e
> >> time, but eventually must give up.
> >>
> >> Number refers to the step number where the abort happened
> >> e.g. step 1 means that the party aborted instead of the action happeni=
ng
> >> on protocol step 1.
> >>
> >> The party name refers to what that party does
> >> e.g. Party1: aborts, Party2/Party3: does a thing in reaction
> >>
> >> 0. Alice: aborts. Bob/Charlie: do nothing, they havent lost any time o=
r
> >> money
> >> 1. Bob: aborts. Alice: lost no time or money, try with another Bob.
> >> Charlie: do nothing
> >> 2-3. same as 0.
> >> 4. Bob: aborts. Charlie: do nothing. Alice: broadcasts her contract tx
> >> and waits for the timeout, loses time and money on miner fees, she'=
ll
> >> never coinswap with Bob's fidelity bond again.
> >> 5. Charlie: aborts. Alice/Bob: lose nothing, find another Charlie to
> >> coinswap with.
> >> 6. same as 4.
> >> 7. similar to 4 but Alice MIGHT not blacklist Bob's fidelity bond,
> >> because Bob will also have to broadcast his contract tx and will al=
so
> >> lose time and money.
> >> 8. Charlie: aborts. Bob: broadcast his contract transaction and wait f=
or
> >> the timeout to get his money back, also broadcast Alice's contract
> >> transaction in retaliation. Alice: waits for the timeout on her htl=
c
> >> tx that Bob broadcasted, will never do a coinswap with Charlie's
> >> fidelity bond again.
> >> 9. Alice: aborts. Charlie: do nothing, no money or time lost. Bob:
> >> broadcast bob contract tx and wait for timeout to get money back,
> >> comforted by the knowledge that when Alice comes back online she'll
> >> have to do the same thing and waste the same amount of time and
> >> money.
> >> A-B. same as 8.
> >> C-E. Alice: aborts. Bob/Charlie: all broadcast their contract txes and
> >> wait for the timeout to get their money back, or if Charlie knows
> >> the preimage he uses it to get the money immediately, which Bob c=
an
> >> read from the blockchain and also use.
> >> F. Bob: aborts. Alice: broadcast Charlie htlc tx and use preimage to g=
et
> >> money immediately, Alice blacklists Bob's fidelity bond. Charlie:
> >> broadcast Bob htlc and use preimage to get money immediately.
> >> G. Charlie: aborts. Alice: broadcast Charlie htlc and use preimage to
> >> get money immediately, Alice blacklists Charlie's fidelity bond. Bo=
b:
> >> does nothing, already has his privkey.
> >>
> >> =3D=3D=3D=3D Retaliation as DOS-resistance =3D=3D=3D=3D
> >>
> >> In some situations (e.g. step 8.) if one maker in the coinswap route i=
s
> >> the victim of a DOS they will retaliate by DOSing the previous maker i=
n
> >> the route. This may seem unnecessary and unfair (after all why waste
> >> even more time and block space) but is actually the best way to resist
> >> DOS because it produces a concrete cost every time a DOS happens.
> >>
> >>
> >> =3D=3D Analysis of deviations =3D=3D
> >>
> >> This section discusses what happens if one party deviates from the
> >> protocol by doing something else, for example broadcasting a htlc
> >> contract tx when they shouldnt have.
> >>
> >> The party name refers to what that party does, followed by other party=
's
> >> reactions to it.
> >> e.g. Party1: does a thing, Party2/Party3: does a thing in reaction
> >>
> >> If multiple deviations are possible in a step then they are numbered
> >> e.g. A1 A2 A2 etc
> >>
> >>
> >> 0-2. Alice/Bob/Charlie: nothing else is possible except following the
> >> protocol or aborting
> >> 3. Alice: broadcasts one or more of the A htlc txes. Bob/Charlie/Denni=
s:
> >> do nothing, they havent lost any time or money.
> >> 4-6. Bob/Charlie: nothing else is possible except following the protoc=
ol
> >> or aborting.
> >> 7. Bob: broadcasts one or more of the B htlc txes, Alice: broadcasts a=
ll
> >> her own A htlc txes and waits for the timeout to get her money back=
.
> >> Charlie: do nothing
> >> 8. Charlie: nothing else is possible except following the protocol or
> >> aborting.
> >> 9. Alice: broadcasts one or more of the A htlc txes. Bob: broadcasts a=
ll
> >> his own A htlc txes and waits for the timeout.
> >> A. same as 8.
> >> B. Charlie: broadcasts one or more of the C htlc txes, Alice/Bob:
> >> broadcasts all their own htlc txes and waits for the timeout to get
> >> their money back.
> >> C-E1. Alice: broadcasts all of C htlc txes and uses her knowledge of t=
he
> >> preimage hash to take the money immediately. Charlie: broadcasts
> >> all of B htlc txes and reading the hash value from the blockchai=
n,
> >> uses it to take the money from B htlc immediately. Bob: broadcas=
ts
> >> all of A htlc txes, and reading hash from the blockchain, uses i=
t
> >> to take the money from A htlc immediately.
> >> C-E2. Alice: broadcast her own A htlc txes, and after a timeout take t=
he
> >> money. Bob: broadcast his own B htlc txes and after the timeout
> >> take their money. Charlie: broadcast his own C htlc txes and aft=
er
> >> the timeout take their money.
> >> F1. Bob: broadcast one or more of A htcl txes and use the hash preimag=
e
> >> to get the money immediately. He already knows both privkeys of th=
e
> >> multisig so this is pointless and just damages privacy and wastes
> >> miner fees. Alice: blacklist Bob's fidelity bond.
> >> F2. Bob: broadcast one or more of the C htlc txes. Charlie: use preima=
ge
> >> to get his money immediately. Bob's actions were pointless. Alice:
> >> cant tell whether Bob or Charlie actually broadcasted, so blacklis=
t
> >> both fidelity bonds.
> >> G1. Charlie: broadcast one or more of B htcl txes and use the hash
> >> preimage to get the money immediately. He already knows both
> >> privkeys of the multisig so this is pointless and just damages
> >> privacy and wastes miner fees. Alice: cant tell whether Bob or
> >> Charlie actually broadcasted, so blacklist both fidelity bonds.
> >> G2. Charlie: broadcast one or more of the A htlc txes. Alice: broadcas=
t
> >> the remaining A htlc txes and use preimage to get her money
> >> immediately. Charlies's actions were pointless. Alice: blacklist
> >> Charlie's fidelity bond.
> >>
> >> The multisig outputs of the funding transactions can stay unspent
> >> indefinitely. However the parties must always be watching the network
> >> and ready to respond with their own sweep using a preimage. This is
> >> because the other party still possesses a fully-signed contract tx. Th=
e
> >> parties respond in the same way as in steps C-E1, F2 and G2. Alice's
> >> reaction of blacklisting both fidelity bonds might not be the right wa=
y,
> >> because one maker could use it to get another one blacklisted (as well
> >> as themselves).
> >>
> >>
> >> =3D=3D Conclusion =3D=3D
> >>
> >> This document describes the first version of the protocol which
> >> implements multi-transaction Coinswap, routed Coinswap, fidelity bonds=
,
> >> a liquidity market and private key handover. I describe the protocol a=
nd
> >> also analyze aborts of the protocols and deviations from the protocol.
> >>
> >> _______________________________________________
> >> bitcoin-dev mailing list
> >> bitcoin-dev@lists.linuxfoundation.org
> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >>
> >
>
--000000000000e5791005ae869b27
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Chris,<br><br>I forgot to underscore that contract tran=
saction output must be grieved by at least a CSV of 1. Otherwise, a malicio=
us counterparty can occupy with garbage both the timelock-or-preimage outpu=
t and its own anchor output thus blocking you to use the bumping capability=
of your own anchor ouput.<br><br>A part of this, I think it works.<br><br>=
> Another possible fix for both vulnerabilities is to separate the<br>&g=
t; timelock and hashlock cases into two separate transactions as described<=
br>> by ZmnSCPxj in a recent email to this list. This comes at the cost =
of<br>> breaking private key handover allowing coins to remain unspent i=
ndefinitely.<br><br>This works too assuming these second-stage transactions=
aren't malleable at all (e.g SIGASH_SINGLE). Other ways you can increa=
se their feerate/absolute fee and you're back to the initial situation.=
<br><br>Beyond note also that anchors-on-second-stage are more risky here, =
as otherwise your counterparty can again attach a low-feerate child. In cas=
e of concurrent broadcast (assuming you haven't achieved to claim the o=
utput before timelock expiration due to network outage/mempool-congestion) =
you might not see your counterparty version. I.e, your local mempool has th=
e timelock tx and the rest of the network the hashlock and your CPFP bump w=
on't propagate as being an orphan.<br><br>So you're left with a RBF=
-range, which is mostly okay minus a theoretical concern : a party guessing=
the odds to lose the balance are high can broadcast/send out-of-band the h=
ighest-fee bound to miners thus incentivizing them to censor a honest, low-=
fee=C2=A0 preimage tx. A "nothing-at-stake-for-genuinely-evil-counterp=
arty" issue.<br><br>> Another possible fix for the second attack, i=
s to encumber the output<br>> with a `1 OP_CSV` which stops that output =
being spent while unconfirmed.<br>> This seems to be the simplest way if=
your aim is to only fix the second<br>> attack.<br><br>Yes you don'=
t package fee malleability so an honest party can always unilaterally bump =
the feerate and override concurrent bids.<br><br><br>That said, I would lea=
n towards anchors and thus unileratel fee bumping. Feerate interactivity am=
ong a multi-party protocol should be seen as an oracle to leak the full-nod=
e of a participant. By sending a range of conflicting transactions with dif=
ferent feerates to a set of network mempools I could theoretically observe =
variations in the protocol feerate announced.<br><br>I would recommend you =
to have a look on this paper, if it's not done yet : <a href=3D"https:/=
/arxiv.org/pdf/2007.00764.pdf">https://arxiv.org/pdf/2007.00764.pdf</a>, th=
e first one analyzing privacy holistically across Bitcoin layers.<br><br>Ch=
eers,<br><br>Antoine<br></div><br><div class=3D"gmail_quote"><div dir=3D"lt=
r" class=3D"gmail_attr">Le=C2=A0sam. 29 ao=C3=BBt 2020 =C3=A0=C2=A018:03, C=
hris Belcher <<a href=3D"mailto:belcher@riseup.net">belcher@riseup.net</=
a>> a =C3=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex">Hello Antoine,<br>
<br>
Thanks for the very useful insights.<br>
<br>
It seems having just one contract transaction which includes anchor<br>
outputs in the style already used by Lightning is one way to fix both<br>
these vulnerabilities.<br>
<br>
For the first attack, the other side cannot burn the entire balance<br>
because they only have access to the small amount of satoshi of the<br>
anchor output, and to add miner fees they must add their own inputs. So<br>
they'd burn their own coins to miner fees, not the coins in the contrac=
t.<br>
<br>
For the second attack, the other side cannot do transaction pinning<br>
because there is only one contract transaction, and all the protections<br>
already developed for use with Lightning apply here as well, such as<br>
CPFP carve out.<br>
<br>
<br>
Another possible fix for both vulnerabilities is to separate the<br>
timelock and hashlock cases into two separate transactions as described<br>
by ZmnSCPxj in a recent email to this list. This comes at the cost of<br>
breaking private key handover allowing coins to remain unspent indefinitely=
.<br>
<br>
Another possible fix for the second attack, is to encumber the output<br>
with a `1 OP_CSV` which stops that output being spent while unconfirmed.<br=
>
This seems to be the simplest way if your aim is to only fix the second<br>
attack.<br>
<br>
<br>
These are all the possible fixes I can think of.<br>
<br>
Regards<br>
Chris<br>
<br>
On 24/08/2020 20:30, Antoine Riard wrote:<br>
> Hello Chris,<br>
> <br>
> I think you might have vulnerability issues with the current design.<b=
r>
> <br>
> With regards to the fee model for contract transactions, AFAICT timely=
<br>
> confirmation is a fund safety matter for an intermediate hop. Between =
the<br>
> offchain preimage reveal phase and the offchain private key handover p=
hase,<br>
> the next hop can broadcast your outgoing contract transactions, thus<b=
r>
> forcing you to claim quickly backward as you can't assume previous=
hop will<br>
> honestly cooperate to achieve the private key handover. This means tha=
t<br>
> your range of pre-signed RBF-transactions must theoretically have for =
fee<br>
> upper bound the maximum of the contested balance, as game-theory side,=
it's<br>
> rational to you to burn your balance instead of letting your counterpa=
rty<br>
> claim it after timelock expiration, in face of mempool congestion. Whe=
re<br>
> the issue dwells is that this fee is pre-committed and not cancelled w=
hen<br>
> the balance change of ownership by the outgoing hop learning the preim=
age<br>
> of the haslock output. Thus the previous hop is free to broadcast the<=
br>
> highest-fee RBF-transactions and burn your balance, as for him, his ba=
lance<br>
> is now encoded in the output of the contract transactions on the previ=
ous<br>
> link, for which he knows the preimage.<br>
> <br>
> Note, I think this is independent of picking up either relative or abs=
olute<br>
> timelocks as what matters is the block delta between two links. Of cou=
rse<br>
> you can increase this delta to be week-lengthy and thus decrease the n=
eed<br>
> for a compelling fee but a) you may force quickly close with contract<=
br>
> transactions if the private key handover doesn't happen soon, you =
don't<br>
> want to be caught by surprise by congestion so you would close far beh=
ind<br>
> delta period expiration like half of it, and b) you increase the time-=
value<br>
> of makers funds in case of faulty hop, thus logically increasing the m=
aker<br>
> fee and making the cost of the system higher in average. I guess a bet=
ter<br>
> solution would be to use dual-anchor outputs has spec'ed out by Li=
ghtning,<br>
> it lets the party who has a balance at stake unilaterally increase fee=
rate<br>
> with a CPFP. The CPFP is obviously a higher blockchain cost but a) it&=
#39;s a<br>
> safety mechanism for a worst-case scenario, 99% of the time they won&#=
39;t be<br>
> committed, b) you might use this CPFP to aggregate change outputs or o=
ther<br>
> opportunistically side-usage.<br>
> <br>
> With regards to the preimage release phase, I think you might have a<b=
r>
> pinning scenario. The victim would be an intermediate hop, targeted by=
a<br>
> malicious taker. The preimage isn't revealed offchain to this vict=
im hop. A<br>
> low-feerate version of the outgoing contract transaction is broadcast =
and<br>
> not going to confirm, assuming a bit of congestion. As preimage is kno=
wn,<br>
> the malicious taker can directly attach a high-fee, low-feerate child<=
br>
> transaction and thus prevent any replacement of the pinned parent by a=
<br>
> honest broadcast of a high-fee RBF-transaction under BIP 125 rules. At=
the<br>
> same time, the malicious taker broadcasts the contract tx on the previ=
ous<br>
> link and gets it confirmed. At relative timelock expiration, malicious=
<br>
> taker claims back the funds. When the pinned transaction spending the<=
br>
> outgoing link gets evicted (either by replacing child by a higher feer=
ate<br>
> or waiting for mempool expiration after 2 weeks), taker gets it confir=
med<br>
> this time and claims output through hashlock. Given the relative timel=
ock<br>
> blocking the victim, there is not even a race.<br>
> <br>
> I guess restraining the contract transaction to one and only one versi=
on<br>
> would overcome this attack. A honest intermediate hop, as soon as seei=
ng a<br>
> relative timelock triggered backward would immediately broadcast the<b=
r>
> outgoing link contract tx or if it's already in network mempools b=
roadcast<br>
> a higher-feerate child. As you don't have valid multiple contract<=
br>
> transactions, an attacker can't obstruct you to propagate the corr=
ect<br>
> child, as you are not blind about the parent txid.<br>
> <br>
> Lastly, one downside of using relative timelocks, in case of one downs=
tream<br>
> link failure, it forces every other upstream hops to go onchain to pro=
tect<br>
> against this kind of pinning scenario. And this would be a privacy<br>
> breakdown, as a maker would be able to provoke one, thus constraining =
every<br>
> upstream hops to go onchain with the same hash and revealing the CoinS=
wap<br>
> route.<br>
> <br>
> Let me know if I reviewed the correct transactions circuit model or<br=
>
> misunderstood associated semantic. I might be completely wrong, coming=
from<br>
> a LN perspective.<br>
> <br>
> Cheers,<br>
> Antoine<br>
> <br>
> Le mar. 11 ao=C3=BBt 2020 =C3=A0 13:06, Chris Belcher via bitcoin-dev =
<<br>
> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bl=
ank">bitcoin-dev@lists.linuxfoundation.org</a>> a =C3=A9crit :<br>
> <br>
>> I'm currently working on implementing CoinSwap (see my other e=
mail<br>
>> "Design for a CoinSwap implementation for massively improving=
Bitcoin<br>
>> privacy and fungibility").<br>
>><br>
>> CoinSwaps are special because they look just like regular bitcoin<=
br>
>> transactions, so they improve the privacy even for people who do n=
ot use<br>
>> them. Once CoinSwap is deployed, anyone attempting surveillance of=
<br>
>> bitcoin transactions will be forced to ask themselves the question=
: how<br>
>> do we know this transaction wasn't a CoinSwap?<br>
>><br>
>> This email contains a detailed design of the first protocol versio=
n. It<br>
>> makes use of the building blocks of multi-transaction CoinSwaps, r=
outed<br>
>> CoinSwaps, liquidity market, private key handover, and fidelity bo=
nds.<br>
>> It does not include PayJoin-with-CoinSwap, but that's in the p=
lan to be<br>
>> added later.<br>
>><br>
>> =3D=3D Routed CoinSwap =3D=3D<br>
>><br>
>> Diagram of CoinSwaps in the route:<br>
>><br>
>>=C2=A0 =C2=A0 =C2=A0Alice =3D=3D=3D=3D> Bob =3D=3D=3D=3D> Cha=
rlie =3D=3D=3D=3D> Alice<br>
>><br>
>> Where (=3D=3D=3D=3D>) means one CoinSwap. Alice gives coins to =
Bob, who gives<br>
>> coins to Charlie, who gives coins to Alice. Alice is the market ta=
ker<br>
>> and she starts with the hash preimage. She chooses the CoinSwap am=
ount<br>
>> and chooses who the makers will be.<br>
>><br>
>> This design has one market taker and two market makers in its rout=
e, but<br>
>> it can easily be extended to any number of makers.<br>
>><br>
>> =3D=3D Multiple transactions =3D=3D<br>
>><br>
>> Each single CoinSwap is made up of multiple transactions to avoid =
amount<br>
>> correlation<br>
>><br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(a0 BTC) --->=C2=A0 =C2=
=A0 =C2=A0(b0 BTC) --->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(c0 BTC) --->=
;<br>
>>=C2=A0 =C2=A0 =C2=A0Alice (a1 BTC) ---> Bob (b1 BTC) ---> Cha=
rlie (c1 BTC) ---> Alice<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(a2 BTC) --->=C2=A0 =C2=
=A0 =C2=A0(b2 BTC) --->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(c2 BTC) --->=
;<br>
>><br>
>> The arrow (--->) represent funding transactions. The money gets=
paid to<br>
>> a 2-of-2 multisig but after the CoinSwap protocol and private key<=
br>
>> handover is done they will be controlled by the next party in the =
route.<br>
>><br>
>> This example has 6 regular-sized transactions which use approximat=
ely<br>
>> the same amount of block space as a single JoinMarket coinjoin wit=
h 6<br>
>> parties (1 taker, 5 makers). Yet the privacy provided by this one<=
br>
>> CoinSwap would be far far greater. It would not have to be repeate=
d in<br>
>> the way that Equal-Output CoinJoins must be.<br>
>><br>
>> =3D=3D Direct connections to Alice =3D=3D=3D<br>
>><br>
>> Only Alice, the taker, knows the entire route, Bob and Charlie jus=
t know<br>
>> their previous and next transactions. Bob and Charlie do not have =
direct<br>
>> connections with each other, only with Alice.<br>
>><br>
>> Diagram of Tor connections:<br>
>><br>
>>=C2=A0 =C2=A0 =C2=A0Bob=C2=A0 =C2=A0 =C2=A0 Charlie<br>
>>=C2=A0 =C2=A0 =C2=A0 |=C2=A0 =C2=A0 =C2=A0 =C2=A0/<br>
>>=C2=A0 =C2=A0 =C2=A0 |=C2=A0 =C2=A0 =C2=A0 /<br>
>>=C2=A0 =C2=A0 =C2=A0 |=C2=A0 =C2=A0 =C2=A0/<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0Alice<br>
>><br>
>> When Bob and Charlie communicate, they are actually sending and<br=
>
>> receiving messages via Alice who relays them to Charlie or Bob. Th=
is<br>
>> helps hide whether the previous or next counterparty in a CoinSwap=
route<br>
>> is a maker or taker.<br>
>><br>
>> This doesn't have security issues even in the final steps wher=
e private<br>
>> keys are handed over, because those private keys are always for 2-=
of-2<br>
>> multisig and so on their own are never enough to steal money.<br>
>><br>
>><br>
>> =3D=3D=3D Miner fees =3D=3D=3D<br>
>><br>
>> Makers have no incentive to pay any miner fees. They only do<br>
>> transactions which earn them an income and are willing to wait a v=
ery<br>
>> long time for that to happen. By contrast takers want to create<br=
>
>> transactions far more urgently. In JoinMarket we coded a protocol =
where<br>
>> the maker could contribute to miner fees, but the market price off=
ered<br>
>> of that trended towards zero. So the reality is that takers will p=
ay all<br>
>> the miner fees. Also because makers don't know the taker's=
time<br>
>> preference they don't know how much they should pay in miner f=
ees.<br>
>><br>
>> The taker will have to set limits on how large the maker's tra=
nsactions<br>
>> are, otherwise makers could abuse this by having the taker consoli=
date<br>
>> maker's UTXOs for free.<br>
>><br>
>> =3D=3D Funding transaction definitions =3D=3D<br>
>><br>
>> Funding transactions are those which pay into the 2-of-2 multisig<=
br>
>> addresses.<br>
>><br>
>> Definitions:<br>
>> I =3D initial coinswap amount sent by Alice =3D a0 + a1 + a2<br>
>> (WA, WB, WC) =3D Total value of UTXOs being spent by Alice, Bob, C=
harlie<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 respectivel=
y. Could be called "wallet Alice", "wallet<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Bob", =
etc<br>
>> (B, C) =3D Coinswap fees paid by Alice and earned by Bob and Charl=
ie.<br>
>> (M1, M2, M3) =3D Miner fees of the first, second, third, etc sets =
of<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 funding tra=
nsactions. Alice will choose what these are<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 since she&#=
39;s paying.<br>
>> multisig(A+B) =3D A 2of2 multisig output with private keys held by=
A and B<br>
>><br>
>> The value in square parentheses refers to the bitcoin amount.<br>
>><br>
>> Alice funding txes<br>
>>=C2=A0 =C2=A0[WA btc] ---> multisig (Alice+Bob) [I btc]<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0chang=
e [WA-M1-I btc]<br>
>> Bob funding txes<br>
>>=C2=A0 =C2=A0[WB btc] ---> multisig (Bob+Charlie) [I-M2-B btc]<b=
r>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0chang=
e [WB-I+B btc]<br>
>> Charlie funding txes<br>
>>=C2=A0 =C2=A0[WC btc] ---> multisig (Charlie+Alice) [(I-M2-B)-M3=
-C btc]<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0chang=
e [WC-(I-M2-B)+C btc]<br>
>><br>
>> Here we've drawn these transactions as single transactions, bu=
t they are<br>
>> actually multiple transactions where the outputs add up some value=
(e.g.<br>
>> add up to I in Alice's transactions.)<br>
>><br>
>> =3D=3D=3D Table of balances before and after a successful CoinSwap=
=3D=3D=3D<br>
>><br>
>> If a CoinSwap is successful then all the multisig outputs in the f=
unding<br>
>> transactions will become controlled unilaterally by one party. We =
can<br>
>> calculate how the balances of each party change.<br>
>><br>
>> Party=C2=A0 =C2=A0| Before | After<br>
>> --------|--------|-------------------------------------------<br>
>> Alice=C2=A0 =C2=A0| WA=C2=A0 =C2=A0 =C2=A0| WA-M1-I + (I-M2-B)-M3-=
C=C2=A0 =3D WA-M1-M2-M3-B-C<br>
>> Bob=C2=A0 =C2=A0 =C2=A0| WB=C2=A0 =C2=A0 =C2=A0| WB-I+B + I=C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=3D WB+B<br>
>> Charlie | WC=C2=A0 =C2=A0 =C2=A0| WC-(I-M2-B)+C + I-M2-B=C2=A0 =C2=
=A0=3D WC+C<br>
>><br>
>> After a successful coinswap, we see Alice's balance goes down =
by the<br>
>> miner fees and the coinswap fees. Bob's and Charlie's bala=
nce goes up by<br>
>> their coinswap fees.<br>
>><br>
>> =3D=3D Contract transaction definitions =3D=3D<br>
>><br>
>> Contract transactions are those which may spend from the 2-of-2 mu=
ltisig<br>
>> outputs, they transfer the coins into a contract where the coins c=
an be<br>
>> spent either by waiting for a timeout or providing a hash preimage=
<br>
>> value. Ideally contract transactions will never be broadcast but t=
heir<br>
>> existence keeps all parties honest.<br>
>><br>
>> M~ is miner fees, which we treat as a random variable, and ultimat=
ely<br>
>> set by whichever pre-signed RBF tx get mined. When we talk about _=
the_<br>
>> contract tx, we actually mean perhaps 20-30 transactions which onl=
y<br>
>> differ by the miner fee and have RBF enabled, so they can be broad=
casted<br>
>> in sequence to get the contract transaction mined regardless of th=
e<br>
>> demand for block space.<br>
>><br>
>> (Alice+timelock_A OR Bob+hash) =3D Is an output which can be spent=
<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 either with Alice'=
s private key<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 after waiting for a re=
lative<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 timelock_A, or by Bob&=
#39;s private key by<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 revealing a hash preim=
age value<br>
>><br>
>> Alice contract tx:<br>
>>=C2=A0 =C2=A0 =C2=A0multisig (Alice+Bob) ---> (Alice+timelock_A =
OR Bob+hash)<br>
>>=C2=A0 =C2=A0 =C2=A0[I btc]=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0[I-M~ btc]<br>
>> Bob contract tx:<br>
>>=C2=A0 =C2=A0 =C2=A0multisig (Bob+Charlie) ---> (Bob+timelock_B =
OR Charlie+hash)<br>
>>=C2=A0 =C2=A0 =C2=A0[I-M2-B btc]=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 [I-M2-B-M~ btc]<br>
>> Charlie contract tx:<br>
>>=C2=A0 =C2=A0 =C2=A0multisig (Charlie+Alice)=C2=A0 ---> (Charlie=
+timelock_C OR Alice+hash)<br>
>>=C2=A0 =C2=A0 =C2=A0[(I-M2-B)-M3-C btc]=C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 [(I-M2-B)-M3-C-M~ btc]<br>
>><br>
>><br>
>> =3D=3D=3D Table of balances before/after CoinSwap using contracts =
transactions<br>
>> =3D=3D=3D<br>
>><br>
>> In this case the parties had to get their money back by broadcasti=
ng and<br>
>> mining the contract transactions and waiting for timeouts.<br>
>><br>
>> Party=C2=A0 =C2=A0| Before | After<br>
>> --------|--------|--------------------------------------------<br>
>> Alice=C2=A0 =C2=A0| WA=C2=A0 =C2=A0 =C2=A0| WA-M1-I + I-M~=C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=3D WA-M1-M~<=
br>
>> Bob=C2=A0 =C2=A0 =C2=A0| WB=C2=A0 =C2=A0 =C2=A0| WB-I+B + I-M2-B-M=
~=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=3D WB-M2-M~<br>
>> Charlie | WC=C2=A0 =C2=A0 =C2=A0| WC-(I-M2-B)+C + (I-M2-B)-M3-C-M~=
=3D WC-M3-M~<br>
>><br>
>> In the timeout failure case, every party pays for their own miner =
fees.<br>
>> And nobody earns or spends any coinswap fees. So even for a market=
maker<br>
>> its possible for their wallet balance to go down sometimes, althou=
gh as<br>
>> we shall see there are anti-DOS features which make this unlikely =
to<br>
>> happen often.<br>
>><br>
>> A possible attack by a malicious Alice is that she chooses M1 to b=
e very<br>
>> low (e.g. 1 sat/vbyte) and sets M2 and M3 to be very high (e.g. 10=
00<br>
>> sat/vb) and then intentionally aborts, forcing the makers to lose =
much<br>
>> more money in miner fees than the attacker. The attack can be used=
to<br>
>> waste away Bob's and Charlie's coins on miner fees at litt=
le cost to the<br>
>> malicious taker Alice. So to defend against this attack Bob and Ch=
arlie<br>
>> must refuse to sign a contract transaction if the corresponding fu=
nding<br>
>> transaction pays miner fees greater than Alice's funding trans=
action.<br>
>><br>
>><br>
>> There can also be a failure case where each party gets their money=
using<br>
>> hash preimage values instead of timeouts. Note that each party has=
to<br>
>> sweep the output before the timeout expires, so that will cost an<=
br>
>> additional miner fee M~.<br>
>><br>
>> Party=C2=A0 =C2=A0| Before | After<br>
>> --------|--------|------------------------------------------------=
------<br>
>> Alice=C2=A0 =C2=A0| WA=C2=A0 =C2=A0 =C2=A0| WA-M1-I + (I-M2-B)-M3-=
C-M~ - M~ =3D WA-M1-M2-M3-B-C-2M~<br>
>> Bob=C2=A0 =C2=A0 =C2=A0| WB=C2=A0 =C2=A0 =C2=A0| WB-I+B + I-M~ - M=
~=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =3D WB+B-2M~<br>
>> Charlie | WC=C2=A0 =C2=A0 =C2=A0| WC-(I-M2-B)+C + I-M2-B-M~ - M~=
=C2=A0 =3D WC+C-2M~<br>
>><br>
>> In this situation the makers Bob and Charlie earn their CoinSwap f=
ees,<br>
>> but they pay an additional miner fee twice. Alice pays for all the=
<br>
>> funding transaction miner fees, and the CoinSwap fees, and two<br>
>> additional miner fees. And she had her privacy damaged because the=
<br>
>> entire world saw on the blockchain the contract script.<br>
>><br>
>> Using the timelock path is like a refund, everyone's coin just=
comes<br>
>> back to them. Using the preimage is like the CoinSwap transaction<=
br>
>> happened, with the coins being sent ahead one hop. Again note that=
if<br>
>> the preimage is used then coinswap fees are paid.<br>
>><br>
>> =3D=3D=3D Staggered timelocks =3D=3D=3D<br>
>><br>
>> The timelocks are staggered so that if Alice uses the preimage to =
take<br>
>> coins then the right people will also learn the preimage and have =
enough<br>
>> time to be able to get their coins back too. Alice starts with kno=
wledge<br>
>> of the hash preimage so she must have a longest timelock.<br>
>><br>
>> =3D=3D EC tweak to reduce one round trip =3D=3D<br>
>><br>
>> When two parties are agreeing on a 2-of-2 multisig address, they n=
eed to<br>
>> agree on their public keys. We can avoid one round trip by using t=
he EC<br>
>> tweak trick.<br>
>><br>
>> When Alice, the taker, downloads the entire offer book for the liq=
uidity<br>
>> market, the offers will also contain a EC public key. Alice can tw=
eak<br>
>> this to generate a brand new public key for which the maker knows =
the<br>
>> private key. This public key will be one of the keys in the 2-of-2=
<br>
>> multisig. This feature removes one round trip from the protocol.<b=
r>
>><br>
>>=C2=A0 =C2=A0 =C2=A0q =3D EC privkey generated by maker<br>
>>=C2=A0 =C2=A0 =C2=A0Q =3D q.G =3D EC pubkey published by maker<br>
>><br>
>>=C2=A0 =C2=A0 =C2=A0p =3D nonce generated by taker<br>
>>=C2=A0 =C2=A0 =C2=A0P =3D p.G =3D nonce point calculated by taker<b=
r>
>><br>
>>=C2=A0 =C2=A0 =C2=A0R =3D Q + P =3D pubkey used in bitcoin transact=
ion<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0=3D (q + p).G<br>
>><br>
>> Taker sends unsigned transaction which pays to multisig using pubk=
ey Q,<br>
>> and also sends nonce p. The maker can use nonce p to calculate (q =
+ p)<br>
>> which is the private key of pubkey R.<br>
>><br>
>> Taker doesnt know the privkey because they are unable to find q be=
cause<br>
>> of the ECDLP.<br>
>><br>
>> Any eavesdropper can see the nonce p and easily calculate the poin=
t R<br>
>> too but Tor communication is encrypted so this isnt a concern.<br>
>><br>
>> None of the makers in the route know each other's Q values, so=
Alice the<br>
>> taker will generate a nonce p on their behalf and send it over. I<=
br>
>> believe this cant be used for any kind of attack, because the sign=
ing<br>
>> maker will always check that the nonce results in the public key<b=
r>
>> included in the transaction they're signing, and they'll n=
ever sign a<br>
>> transaction not in their interests.<br>
>><br>
>><br>
>> =3D=3D Protocol =3D=3D<br>
>><br>
>> This section is the most important part of this document.<br>
>><br>
>> Definitions:<br>
>> fund =3D all funding txes (remember in this multi-tx protocol ther=
e can be<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 multiple txes which together make up th=
e funding)<br>
>> A htlc =3D all htlc contract txes (fully signed) belonging to part=
y A<br>
>> A unsign htcl =3D all unsigned htlc contract txes belonging to par=
ty A<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0inclu=
ding the nonce point p used to calculate the<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0maker=
's pubkey.<br>
>> p =3D nonce point p used in the tweak EC protocol for calculating =
the<br>
>>=C2=A0 =C2=A0 =C2=A0maker's pubkey<br>
>> A htlc B/2 =3D Bob's signature for the 2of2 multisig of the Al=
ice htlc<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 contract tx<br>
>> privA(A+B) =3D private key generated by Alice in the output<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 multisig (Alice+Bo=
b)<br>
>><br>
>><br>
>>=C2=A0 | Alice=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0| Bob=C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0| Charlie=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0|<br>
>>=C2=A0 |=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D|=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D|=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D|<br>
>> 0. A unsign htlc ---->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0|=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0|<br>
>> 1.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<---- =
A htlc B/2=C2=A0 =C2=A0 |=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0|<br>
>> 2. ***** BROADCAST AND MINE ALICE FUNDING TXES ******=C2=A0 |<br>
>> 3. A fund+htlc+p ---->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0|=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0|<br>
>> 4.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0| =
B unsign htlc ---->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0|<br>
>> 5.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<---- B htlc C/2=
=C2=A0 =C2=A0 |<br>
>> 6. ******* BROADCAST AND MINE BOB FUNDING TXES ******* |<br>
>> 7.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0| =
B fund+htlc+p ---->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0|<br>
>> 8.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<-----=
----------------- C unsign htlc |<br>
>> 9.=C2=A0 =C2=A0 C htlc A/2 ---------------------->=C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|<br>
>> A. ***** BROADCAST AND MINE CHARLIE FUNDING TXES ***** |<br>
>> B.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<-----=
----------------- C fund+htlc+p |<br>
>> C. hash preimage ---------------------->=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|<br>
>> D. hash preimage ---->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0|=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0|<br>
>> E.=C2=A0 =C2=A0 privA(A+B) ---->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0|<br>
>> F.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|=
=C2=A0 =C2=A0 privB(B+C) ---->=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0|<br>
>> G.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<-----=
----------------- privC(C+A)=C2=A0 =C2=A0 |<br>
>><br>
>> =3D=3D Protocol notes =3D=3D<br>
>> 0-2 are the steps which setup Alice's funding tx and her contr=
act tx for<br>
>>=C2=A0 =C2=A0 =C2=A0possible refund<br>
>> 4-5 same as 0-2 but for Bob<br>
>> 8-9 same as 0-2 but for Charlie<br>
>> 3,7 is proof to the next party that the previous party has already=
<br>
>>=C2=A0 =C2=A0 =C2=A0committed miner fees to getting a transaction m=
ined, and therefore<br>
>>=C2=A0 =C2=A0 =C2=A0this isnt a DOS attack. The step also reveals t=
he fully-signed<br>
>>=C2=A0 =C2=A0 =C2=A0contract transaction which the party can use to=
get their money back<br>
>>=C2=A0 =C2=A0 =C2=A0with a preimage.<br>
>> C-G is revealing the hash preimage to all, and handing over the pr=
ivate<br>
>>=C2=A0 =C2=A0 =C2=A0keys<br>
>><br>
>><br>
>> =3D=3D Analysis of aborts =3D=3D<br>
>><br>
>> We will now discuss aborts, which happen when one party halts the<=
br>
>> protocol and doesnt continue. Perhaps they had a power cut, their<=
br>
>> internet broke, or they're a malicious attacker wanting to was=
te time<br>
>> and money. The other party may try to reestablish a connection for=
some<br>
>> time, but eventually must give up.<br>
>><br>
>> Number refers to the step number where the abort happened<br>
>> e.g. step 1 means that the party aborted instead of the action hap=
pening<br>
>> on protocol step 1.<br>
>><br>
>> The party name refers to what that party does<br>
>> e.g. Party1: aborts, Party2/Party3: does a thing in reaction<br>
>><br>
>> 0. Alice: aborts. Bob/Charlie: do nothing, they havent lost any ti=
me or<br>
>>=C2=A0 =C2=A0 money<br>
>> 1. Bob: aborts. Alice: lost no time or money, try with another Bob=
.<br>
>>=C2=A0 =C2=A0 Charlie: do nothing<br>
>> 2-3. same as 0.<br>
>> 4. Bob: aborts. Charlie: do nothing. Alice: broadcasts her contrac=
t tx<br>
>>=C2=A0 =C2=A0 and waits for the timeout, loses time and money on mi=
ner fees, she'll<br>
>>=C2=A0 =C2=A0 never coinswap with Bob's fidelity bond again.<br=
>
>> 5. Charlie: aborts. Alice/Bob: lose nothing, find another Charlie =
to<br>
>>=C2=A0 =C2=A0 coinswap with.<br>
>> 6. same as 4.<br>
>> 7. similar to 4 but Alice MIGHT not blacklist Bob's fidelity b=
ond,<br>
>>=C2=A0 =C2=A0 because Bob will also have to broadcast his contract =
tx and will also<br>
>>=C2=A0 =C2=A0 lose time and money.<br>
>> 8. Charlie: aborts. Bob: broadcast his contract transaction and wa=
it for<br>
>>=C2=A0 =C2=A0 the timeout to get his money back, also broadcast Ali=
ce's contract<br>
>>=C2=A0 =C2=A0 transaction in retaliation. Alice: waits for the time=
out on her htlc<br>
>>=C2=A0 =C2=A0 tx that Bob broadcasted, will never do a coinswap wit=
h Charlie's<br>
>>=C2=A0 =C2=A0 fidelity bond again.<br>
>> 9. Alice: aborts. Charlie: do nothing, no money or time lost. Bob:=
<br>
>>=C2=A0 =C2=A0 broadcast bob contract tx and wait for timeout to get=
money back,<br>
>>=C2=A0 =C2=A0 comforted by the knowledge that when Alice comes back=
online she'll<br>
>>=C2=A0 =C2=A0 have to do the same thing and waste the same amount o=
f time and<br>
>>=C2=A0 =C2=A0 money.<br>
>> A-B. same as 8.<br>
>> C-E. Alice: aborts. Bob/Charlie: all broadcast their contract txes=
and<br>
>>=C2=A0 =C2=A0 =C2=A0 wait for the timeout to get their money back, =
or if Charlie knows<br>
>>=C2=A0 =C2=A0 =C2=A0 the preimage he uses it to get the money immed=
iately, which Bob can<br>
>>=C2=A0 =C2=A0 =C2=A0 read from the blockchain and also use.<br>
>> F. Bob: aborts. Alice: broadcast Charlie htlc tx and use preimage =
to get<br>
>>=C2=A0 =C2=A0 money immediately, Alice blacklists Bob's fidelit=
y bond. Charlie:<br>
>>=C2=A0 =C2=A0 broadcast Bob htlc and use preimage to get money imme=
diately.<br>
>> G. Charlie: aborts. Alice: broadcast Charlie htlc and use preimage=
to<br>
>>=C2=A0 =C2=A0 get money immediately, Alice blacklists Charlie's=
fidelity bond. Bob:<br>
>>=C2=A0 =C2=A0 does nothing, already has his privkey.<br>
>><br>
>> =3D=3D=3D=3D Retaliation as DOS-resistance =3D=3D=3D=3D<br>
>><br>
>> In some situations (e.g. step 8.) if one maker in the coinswap rou=
te is<br>
>> the victim of a DOS they will retaliate by DOSing the previous mak=
er in<br>
>> the route. This may seem unnecessary and unfair (after all why was=
te<br>
>> even more time and block space) but is actually the best way to re=
sist<br>
>> DOS because it produces a concrete cost every time a DOS happens.<=
br>
>><br>
>><br>
>> =3D=3D Analysis of deviations =3D=3D<br>
>><br>
>> This section discusses what happens if one party deviates from the=
<br>
>> protocol by doing something else, for example broadcasting a htlc<=
br>
>> contract tx when they shouldnt have.<br>
>><br>
>> The party name refers to what that party does, followed by other p=
arty's<br>
>> reactions to it.<br>
>> e.g. Party1: does a thing, Party2/Party3: does a thing in reaction=
<br>
>><br>
>> If multiple deviations are possible in a step then they are number=
ed<br>
>> e.g. A1 A2 A2 etc<br>
>><br>
>><br>
>> 0-2. Alice/Bob/Charlie: nothing else is possible except following =
the<br>
>>=C2=A0 =C2=A0 =C2=A0 protocol or aborting<br>
>> 3. Alice: broadcasts one or more of the A htlc txes. Bob/Charlie/D=
ennis:<br>
>>=C2=A0 =C2=A0 do nothing, they havent lost any time or money.<br>
>> 4-6. Bob/Charlie: nothing else is possible except following the pr=
otocol<br>
>>=C2=A0 =C2=A0 =C2=A0 or aborting.<br>
>> 7. Bob: broadcasts one or more of the B htlc txes, Alice: broadcas=
ts all<br>
>>=C2=A0 =C2=A0 her own A htlc txes and waits for the timeout to get =
her money back.<br>
>>=C2=A0 =C2=A0 Charlie: do nothing<br>
>> 8. Charlie: nothing else is possible except following the protocol=
or<br>
>>=C2=A0 =C2=A0 aborting.<br>
>> 9. Alice: broadcasts one or more of the A htlc txes. Bob: broadcas=
ts all<br>
>>=C2=A0 =C2=A0 his own A htlc txes and waits for the timeout.<br>
>> A. same as 8.<br>
>> B. Charlie: broadcasts one or more of the C htlc txes, Alice/Bob:<=
br>
>>=C2=A0 =C2=A0 broadcasts all their own htlc txes and waits for the =
timeout to get<br>
>>=C2=A0 =C2=A0 their money back.<br>
>> C-E1. Alice: broadcasts all of C htlc txes and uses her knowledge =
of the<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0preimage hash to take the money immediat=
ely. Charlie: broadcasts<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0all of B htlc txes and reading the hash =
value from the blockchain,<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0uses it to take the money from B htlc im=
mediately. Bob: broadcasts<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0all of A htlc txes, and reading hash fro=
m the blockchain, uses it<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0to take the money from A htlc immediatel=
y.<br>
>> C-E2. Alice: broadcast her own A htlc txes, and after a timeout ta=
ke the<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0money. Bob: broadcast his own B htlc txe=
s and after the timeout<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0take their money. Charlie: broadcast his=
own C htlc txes and after<br>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0the timeout take their money.<br>
>> F1. Bob: broadcast one or more of A htcl txes and use the hash pre=
image<br>
>>=C2=A0 =C2=A0 =C2=A0to get the money immediately. He already knows =
both privkeys of the<br>
>>=C2=A0 =C2=A0 =C2=A0multisig so this is pointless and just damages =
privacy and wastes<br>
>>=C2=A0 =C2=A0 =C2=A0miner fees. Alice: blacklist Bob's fidelity=
bond.<br>
>> F2. Bob: broadcast one or more of the C htlc txes. Charlie: use pr=
eimage<br>
>>=C2=A0 =C2=A0 =C2=A0to get his money immediately. Bob's actions=
were pointless. Alice:<br>
>>=C2=A0 =C2=A0 =C2=A0cant tell whether Bob or Charlie actually broad=
casted, so blacklist<br>
>>=C2=A0 =C2=A0 =C2=A0both fidelity bonds.<br>
>> G1. Charlie: broadcast one or more of B htcl txes and use the hash=
<br>
>>=C2=A0 =C2=A0 =C2=A0preimage to get the money immediately. He alrea=
dy knows both<br>
>>=C2=A0 =C2=A0 =C2=A0privkeys of the multisig so this is pointless a=
nd just damages<br>
>>=C2=A0 =C2=A0 =C2=A0privacy and wastes miner fees. Alice: cant tell=
whether Bob or<br>
>>=C2=A0 =C2=A0 =C2=A0Charlie actually broadcasted, so blacklist both=
fidelity bonds.<br>
>> G2. Charlie: broadcast one or more of the A htlc txes. Alice: broa=
dcast<br>
>>=C2=A0 =C2=A0 =C2=A0the remaining A htlc txes and use preimage to g=
et her money<br>
>>=C2=A0 =C2=A0 =C2=A0immediately. Charlies's actions were pointl=
ess. Alice: blacklist<br>
>>=C2=A0 =C2=A0 =C2=A0Charlie's fidelity bond.<br>
>><br>
>> The multisig outputs of the funding transactions can stay unspent<=
br>
>> indefinitely. However the parties must always be watching the netw=
ork<br>
>> and ready to respond with their own sweep using a preimage. This i=
s<br>
>> because the other party still possesses a fully-signed contract tx=
. The<br>
>> parties respond in the same way as in steps C-E1, F2 and G2. Alice=
's<br>
>> reaction of blacklisting both fidelity bonds might not be the righ=
t way,<br>
>> because one maker could use it to get another one blacklisted (as =
well<br>
>> as themselves).<br>
>><br>
>><br>
>> =3D=3D Conclusion =3D=3D<br>
>><br>
>> This document describes the first version of the protocol which<br=
>
>> implements multi-transaction Coinswap, routed Coinswap, fidelity b=
onds,<br>
>> a liquidity market and private key handover. I describe the protoc=
ol and<br>
>> also analyze aborts of the protocols and deviations from the proto=
col.<br>
>><br>
>> _______________________________________________<br>
>> bitcoin-dev mailing list<br>
>> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D=
"_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
>> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitc=
oin-dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation=
.org/mailman/listinfo/bitcoin-dev</a><br>
>><br>
> <br>
</blockquote></div>
--000000000000e5791005ae869b27--
|