1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
|
Return-Path: <rsomsen@gmail.com>
Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136])
by lists.linuxfoundation.org (Postfix) with ESMTP id 64B83C016F
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 13 May 2020 09:57:25 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by silver.osuosl.org (Postfix) with ESMTP id 0970B2038F
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 13 May 2020 09:57:25 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from silver.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id VleS5LA9wCAK
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 13 May 2020 09:57:22 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-ed1-f68.google.com (mail-ed1-f68.google.com
[209.85.208.68])
by silver.osuosl.org (Postfix) with ESMTPS id 33B892036D
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 13 May 2020 09:57:22 +0000 (UTC)
Received: by mail-ed1-f68.google.com with SMTP id s10so13727892edy.9
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 13 May 2020 02:57:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=WdzjVTkXH7rZLPTbtrFg3ekDB8oDyIRsOfOqV5sxjIw=;
b=Ov9uPS6giTLmtBfKvizQKLlo1t+2qHemC5OiEBldTa2DxIh8Zsb5IK6Mwc1jJKduLZ
ISxL4zHO2MqgFYGw4d0uwBvRX72E0bhJbz0DNn9RMW36Az/KVoXk0gwswDsarIYXoAiZ
bz/SeOa5h2kuJ4u/fMtCsy7EVl7/rtxybvAHYuFj9Y8LixCwoeQEG7WvZ8G1ip0VD3p5
btD624gdEeZEHUWIi/ffMuU6BwZFkI25ZdTNbM3z3HV6JbHavls0l4mZ8/rxNG1Oil4V
4d1vDCpEIN75+dtlBA/s861FPHh7QnGHcwsOBo+hgNja5IBk3Yc8ypZ7s2c4cmIJKXH/
dvfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=WdzjVTkXH7rZLPTbtrFg3ekDB8oDyIRsOfOqV5sxjIw=;
b=BSjduyzY+/Io0omTPPHAL0ATaY1xWOt3jhBryU0rUCtBeK8AxY3kTqpXUtjj+4XYJc
mHefUUE4BNq48OFqrjwbGK6Rrl0Olyho5agQcqWJpYjnYARJKG30a8dyd87JG2OGIZCm
Z6sASy/I515ueKvjc3LsQq6P2XjB32oDKBXgb9nLWVRS9qiysP8XQU/LeZclctdUbJRW
wL4xXR8x1na9SrrbshQlzxP49dW7PvSdW43PDrKJnbU/Upbe7kaNqyTm1el4H1Hc1TJB
+NJ4d8xktv/Y/TBtbk57GLW2GYH57eky2hdSswc3MulFqQgX3EV6mlRihQIQqvznIIeQ
v2kg==
X-Gm-Message-State: AGi0PuYHn9NUQo/X0K53YUmzGHj+W9Rh2KaoAw0N5LHlaVE4x4PulAfo
NgWim/Wbw/QE3qOeWo/oldjrqqBl+7wsimSXlP7KR57k
X-Google-Smtp-Source: APiQypIryN2AR6RHxq5DUV6Sv7KPKHDejkPkn1sbSCyWsZLwNVjobOAuIwYN0hMOG38JhRlXIeTETgdguB/ITYz3jy4=
X-Received: by 2002:a50:9b58:: with SMTP id a24mr15021847edj.256.1589363840095;
Wed, 13 May 2020 02:57:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAPv7TjZGBbf6f1y49HLFD2eNiP5d4e+=dFGqiMFs6jaeYyH-NQ@mail.gmail.com>
<CAH5Bsr1d57pzmNgakt=Q2M+Ey+PL9jUVUPeJ_aFj0L0TBAHzKw@mail.gmail.com>
<CAH5Bsr1paP8dmo_z6VoEHYvB_SpD4Piw91LeLJBMgFph7Qrtfg@mail.gmail.com>
<CAPv7TjYqC73zRQq2yQy9RpeHUUexjSS23uU9VwJvvoRr50p2vA@mail.gmail.com>
<Mpqd20ZM9-93dIIhe1yS4QEGKmzT-uuBrAn1e4omDbA1YJvXrEmZ3IZeoz90s5AHVLAdYwF0PhxgMZwqDdHxQ0UQw2eEEytngEXSsXeLM14=@protonmail.com>
<CAPv7TjbfuV1YvgTS4pjr_56R_-=spb9DzPwqP1HFCBOZpSOq8Q@mail.gmail.com>
<2-ZZw_6q-EBo5DmIK5PtzWCE9zd9FdNtYuhFf84FKxRHwmL7g7kA9YvYB9iqFFkGy_xoXARzRW8hiZa-ZcLPWeZ60PNMQc9yMdZLnTsp1yo=@protonmail.com>
In-Reply-To: <2-ZZw_6q-EBo5DmIK5PtzWCE9zd9FdNtYuhFf84FKxRHwmL7g7kA9YvYB9iqFFkGy_xoXARzRW8hiZa-ZcLPWeZ60PNMQc9yMdZLnTsp1yo=@protonmail.com>
From: Ruben Somsen <rsomsen@gmail.com>
Date: Wed, 13 May 2020 11:57:05 +0200
Message-ID: <CAPv7TjZAv_tVn=Wxf3LpfMmAzj8+mWiLr+7HMjjNArD7ThKO_A@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000001b9a7f05a5849bad"
X-Mailman-Approved-At: Wed, 13 May 2020 09:59:30 +0000
Subject: Re: [bitcoin-dev] SAS: Succinct Atomic Swap
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 09:57:25 -0000
--0000000000001b9a7f05a5849bad
Content-Type: text/plain; charset="UTF-8"
Hi Chris,
Thanks for taking a look :)
>it also improves privacy because the coins could stay unspend for a long
time, potentially indefinitely
Excellent point. The pre-swap setup transactions would still be subject to
timing/amount analysis, but it's clearly a lot less problematic than the
traditional 4 tx swap. And Payswap may be able to mitigate the amount
analysis.
>Using relative timelocks and private key handover for old-style coinswaps
would give us the same two-transaction effect
I agree, Lloyd pointed out the same thing. One thing to add is that such a
setup would result in four on-chain transactions if the protocol is
aborted, due to the need to invalidate the refund transaction.
>the idea of private key handover was mentioned as early as 2016 in the
original Lightning Network paper
Interesting! Thanks for pointing that out.
Cheers,
Ruben
On Wed, May 13, 2020 at 10:39 AM ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
> Good morning Ruben,
>
> > >If the shortened refund transaction exists (labeled "refund transaction
> #1" in the SVG) then the same issue still occurs
> >
> > Yes, but there is one crucial difference: at that point in the protocol
> (Bob has the success transaction and then stops cooperating) Alice and Bob
> both had the opportunity not to take that path. Bob could have sent the
> success transaction, and Alice could have waited and sent the revoke
> transaction. They would essentially be "colluding" to fail.
>
> Okay, so the concern is basically, that Bob misses the deadline, then
> Alice feels obligated to reclaim the funds.
> In your proposal, the tx competition is between the secret-revealing
> success TX and the non-secret-revealing revoke tx.
> Whereas in my counterproposal, under the same conditions, the tx
> competition is between the secret-revealing success tx and the
> secret-revealing backout tx, and both transactions becoming visible on P2P
> network means potentially both Alice and Bob know all the secrets on the
> LTC side and end up competing over it, RBFing each other until the entire
> fund goes to miners.
>
>
> > >Without the refund#1 in your proposal, Bob refusing cooperation after
> Alice puts the BTC into lock for 3 days and 2 further onchain transactions
> >
> > I'm not sure if I correctly understood what you're saying, but it's as
> follows:
> >
> > Refund #1 can only safely be used before the signed success tx is given
> to Bob. The cost to Alice at this point if Bob aborts is two on-chain
> transactions while Bob hasn't put anything on-chain yet.
> >
> > Refund #2 needs to be used after Bob receives the signed success tx. The
> cost to Alice is now three transactions, but Bob also went-on-chain by this
> point, so causing this wasn't costless to Bob and is thus a similar failure
> mode.
>
> I think it is not accurate that Bob is already on-chain before Alice can
> be forced to use 3 transactions to fail.
>
> The revoke tx signatures are shared at step 0 of your protocol description.
> Thus Bob has a copy of the revoke tx that is valid once Alice signs and
> confirms the funding transaction.
> Bob can thus give a copy of the revoke tx with signature directly to its
> favorite miner, forcing Alice to take 3 transactions to back out of the
> swap.
>
> Since Bob gave the tx directly to its favorite miner (TANSTAAGM: "There
> ain't no such thing as a global mempool"), Alice will only know about this
> event when the revoke tx is confirmed once, at which point it is very
> difficult to reverse, even if Alice has a refund#1 tx prepared.
>
> Bob can do this before step 2 in your protocol description, meaning before
> Bob locks up any funds, so Bob can do this for free, and will even use
> funds going back to Alice to pay for confirmation of the revoke tx.
> Because Bob can do this for free, there is no disincentive for trolling
> Bobs to exist whose sole life goal is to just grief possible Alices.
>
> This can be slightly mitigated by adding two CPFP outputs (one for each
> participant) and using the minimum relayable feerate for the revoke tx so
> that Bob is forced to bring its own fees in order to incentivize miners.
> This is similar to the "bring your own fees" currently proposed for
> Lightning, but note the recent hand-wringing about the various problems
> this adds to mempools and CPFP and RBF rules and etc etc:
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-April/017757.html
>
> We could use `SIGHASH_SINGLE | SIGHASH_ANYONECANPAY` as well for a
> bring-your-own-fees, but that is not `SIGHASH_ALL` and thus marks the
> transaction graph as special.
> And forcing bring-your-own-fees means neither Alice nor Bob can swap all
> their funds in a single operation, they have to keep a reserve.
>
>
> Bob cannot safely perform step 2 before getting both signatures for the
> revoke tx, as without Bob having access to the rveoke tx, if Bob locks up
> LTC, Alice can stop responding and lock both their funds indefinitely with
> Bob not having any way to recover its funds, which a rich Alice can use to
> completely lock out an impoverished Bob.
> But if Bob is given both signatures for the revoke tx before step 2, then
> Bob can send the revoke tx to its favorite miner, forcing Alice to take 3
> transactions to back out, before Bob locks any funds in LTC side.
>
> >
> > I also agree with your observation that alternatively Bob can just spend
> before the timelock expires.
>
> This seems to be the safest alternative; in my context, where Bob is a
> CoinSwap server/maker, Bob can wait a short while for new clients/takers,
> and if no new clients arrive, spend.
> Bob can run multiple servers, each of which are given the completed
> success transaction, and the servers can check that if the timeout is near,
> to spam the Bitcoin P2P network with the completed success transactions.
> (these servers need not even run fullnodes, they could just periodically
> poll a number of blockchain explorers and electrum servers, and when the
> blockheight approaches, attempt broadcast; if the "main" server that
> accepts clients/takers has already spent the TXO the broadcast of the
> completed success tx is simply rejected by the Bitcoin P2P network; if the
> timeout is based on sidereal time then the backup servers only need to be
> running NTP)
>
>
>
> Regards,
> ZmnSCPxj
>
--0000000000001b9a7f05a5849bad
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Chris,<div><br></div><div>Thanks for taking a look :)<b=
r><div><br></div><div>>it also improves privacy because the coins could =
stay unspend for a long time, potentially indefinitely<br></div><div><br></=
div><div>Excellent point. The pre-swap setup transactions would still be su=
bject to timing/amount analysis, but it's clearly a lot less problemati=
c than the traditional 4 tx swap. And Payswap may be able to mitigate the a=
mount analysis.</div><div><br></div><div>>Using relative timelocks and p=
rivate key handover for old-style coinswaps would give us the same two-tran=
saction effect</div></div><div><br></div><div>I agree, Lloyd pointed out th=
e same thing. One thing to add is that such a setup would result in four on=
-chain transactions if the protocol is aborted, due to the need to invalida=
te the refund transaction.</div><div><br></div><div>>the idea of private=
key handover was mentioned as early as 2016 in the original Lightning Netw=
ork paper</div><div><br></div><div>Interesting! Thanks for pointing that ou=
t.</div><div><br></div><div>Cheers,</div><div>Ruben</div></div><br><div cla=
ss=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Wed, May 13, 20=
20 at 10:39 AM ZmnSCPxj <<a href=3D"mailto:ZmnSCPxj@protonmail.com">ZmnS=
CPxj@protonmail.com</a>> wrote:<br></div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204)=
;padding-left:1ex">Good morning Ruben,<br>
<br>
> >If the shortened refund transaction exists (labeled "refund t=
ransaction #1" in the SVG) then the same issue still occurs=C2=A0<br>
><br>
> Yes, but there is one crucial difference: at that point in the protoco=
l (Bob has the success transaction and then stops cooperating) Alice and Bo=
b both had the opportunity not to take that path. Bob could have sent the s=
uccess transaction, and Alice could have waited and sent the revoke transac=
tion. They would essentially be "colluding" to fail.<br>
<br>
Okay, so the concern is basically, that Bob misses the deadline, then Alice=
feels obligated to reclaim the funds.<br>
In your proposal, the tx competition is between the secret-revealing succes=
s TX and the non-secret-revealing revoke tx.<br>
Whereas in my counterproposal, under the same conditions, the tx competitio=
n is between the secret-revealing success tx and the secret-revealing backo=
ut tx, and both transactions becoming visible on P2P network means potentia=
lly both Alice and Bob know all the secrets on the LTC side and end up comp=
eting over it, RBFing each other until the entire fund goes to miners.<br>
<br>
<br>
> >Without the refund#1 in your proposal, Bob refusing cooperation af=
ter Alice puts the BTC into lock for 3 days and 2 further onchain transacti=
ons<br>
><br>
> I'm not sure if I correctly understood what you're saying, but=
it's as follows:<br>
><br>
> Refund #1 can only safely be used before the signed success tx is give=
n to Bob. The cost to Alice at this point if Bob aborts is two on-chain tra=
nsactions while Bob hasn't put anything on-chain yet.<br>
><br>
> Refund #2 needs to be used after Bob receives the signed success tx. T=
he cost to Alice is now three transactions, but Bob also went-on-chain by t=
his point, so causing this wasn't costless to Bob and is thus a similar=
failure mode.<br>
<br>
I think it is not accurate that Bob is already on-chain before Alice can be=
forced to use 3 transactions to fail.<br>
<br>
The revoke tx signatures are shared at step 0 of your protocol description.=
<br>
Thus Bob has a copy of the revoke tx that is valid once Alice signs and con=
firms the funding transaction.<br>
Bob can thus give a copy of the revoke tx with signature directly to its fa=
vorite miner, forcing Alice to take 3 transactions to back out of the swap.=
<br>
<br>
Since Bob gave the tx directly to its favorite miner (TANSTAAGM: "Ther=
e ain't no such thing as a global mempool"), Alice will only know =
about this event when the revoke tx is confirmed once, at which point it is=
very difficult to reverse, even if Alice has a refund#1 tx prepared.<br>
<br>
Bob can do this before step 2 in your protocol description, meaning before =
Bob locks up any funds, so Bob can do this for free, and will even use fund=
s going back to Alice to pay for confirmation of the revoke tx.<br>
Because Bob can do this for free, there is no disincentive for trolling Bob=
s to exist whose sole life goal is to just grief possible Alices.<br>
<br>
This can be slightly mitigated by adding two CPFP outputs (one for each par=
ticipant) and using the minimum relayable feerate for the revoke tx so that=
Bob is forced to bring its own fees in order to incentivize miners.<br>
This is similar to the "bring your own fees" currently proposed f=
or Lightning, but note the recent hand-wringing about the various problems =
this adds to mempools and CPFP and RBF rules and etc etc: <a href=3D"https:=
//lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-April/017757.html" r=
el=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/piper=
mail/bitcoin-dev/2020-April/017757.html</a><br>
<br>
We could use `SIGHASH_SINGLE | SIGHASH_ANYONECANPAY` as well for a bring-yo=
ur-own-fees, but that is not `SIGHASH_ALL` and thus marks the transaction g=
raph as special.<br>
And forcing bring-your-own-fees means neither Alice nor Bob can swap all th=
eir funds in a single operation, they have to keep a reserve.<br>
<br>
<br>
Bob cannot safely perform step 2 before getting both signatures for the rev=
oke tx, as without Bob having access to the rveoke tx, if Bob locks up LTC,=
Alice can stop responding and lock both their funds indefinitely with Bob =
not having any way to recover its funds, which a rich Alice can use to comp=
letely lock out an impoverished Bob.<br>
But if Bob is given both signatures for the revoke tx before step 2, then B=
ob can send the revoke tx to its favorite miner, forcing Alice to take 3 tr=
ansactions to back out, before Bob locks any funds in LTC side.<br>
<br>
><br>
> I also agree with your observation that alternatively Bob can just spe=
nd before the timelock expires.<br>
<br>
This seems to be the safest alternative; in my context, where Bob is a Coin=
Swap server/maker, Bob can wait a short while for new clients/takers, and i=
f no new clients arrive, spend.<br>
Bob can run multiple servers, each of which are given the completed success=
transaction, and the servers can check that if the timeout is near, to spa=
m the Bitcoin P2P network with the completed success transactions.<br>
(these servers need not even run fullnodes, they could just periodically po=
ll a number of blockchain explorers and electrum servers, and when the bloc=
kheight approaches, attempt broadcast; if the "main" server that =
accepts clients/takers has already spent the TXO the broadcast of the compl=
eted success tx is simply rejected by the Bitcoin P2P network; if the timeo=
ut is based on sidereal time then the backup servers only need to be runnin=
g NTP)<br>
<br>
<br>
<br>
Regards,<br>
ZmnSCPxj<br>
</blockquote></div>
--0000000000001b9a7f05a5849bad--
|