Previous blog posts (here, here) covered the idea of atomic swap, how to make it private/unlinkable (at least under cooperation), and how to get a much better version after the advent of Schnorr signatures (the "scriptless script" primitive of Poelstra).
In this blog post I want to show one of a number of possible variations. It is "hybrid" only in a loose sense: there are a lot of previously existent ideas that I've here mixed together to form this particular set of properties.
The TLDR is: an atomic swap (one blockchain or cross-chain) with *no* linkage between the transactions, even if one party chooses to be uncooperative, and not dependent on the two chains using the same signature algorithm.
Before starting, it's worthy of note that I may be slightly abusing the term "unlinkable" here; the swap described is not unlinkable by the participants, but only by third party observers. Achieving the former is possible: see Tumblebit (linked below), but also a recent proposal by Jonas Nick, which uses Schnorr blind signatures.
To go into the details, we first need some background for context:
For the purposes of this discussion, it's quite useful to start (assuming you're already au fait with what an atomic swap basically is, and/or have read the above two blog posts) by noting what the limitations and problems are with doing atomic swaps (not shared by all variants). They are:
You'll note I've been talking about "atomic swaps", but that the subtitle heading refers to "multi-transaction contracts". These concerns all apply to Lightning network which in its "network" part currently uses HTLC hops (with HTLC being the basic atomic swap) and in its "Lightning" part uses the Poon-Dryja bidirectional channel construct, which also uses timing control as a crucial element of its security promises.
I hope it's clear why some combination of bullet point 2 (XBI) and most critically bullet point 3, above, (security assumptions about the blockchain itself) are a very big issue for all of these constructions. If you're planning to CoinSwap your life savings (or Lightning-swap/route through channels), you'd better be sure your internet is working, your blockchain access is viable, and (far fetched, but..) the miners aren't out to get you. To be fair, the Lightning people are working on watchtowers, but that's an amelioration, not a solution, to this inherent problem.
Lastly, in this section, I want to point out a small nuance which will become important in my next blog post: these concerns don't apply to a certain class of multi-transaction contracts which are connected (i.e. a tree structure with a single root). But that's another topic and not relevant here.
Unfortunately the new flavour of swap I'm going to propose only addresses points 4 and 5 in the above, so not points 2 and 3 which I've just argued are the most important. So I think this idea is interesting but not exactly amazing :)
In thinking about how to try to solve some of these issues, I remembered in particular the mechanics of Tumblebit (my blog post, original paper), and also the general idea of Greg Maxwell called Zero Knowledge Contingent Payments from 2011.
In recent discussion Olaoluwa Osuntokun also pointed me at this paper from 2015/2016 by University of Warsaw researchers Banasik, Dziembowski and Malinowski, which actually is discussing a lot of closely related ideas: how can we effect something like zero knowledge contingent payment using cut and choose, but it also discusses ways of creating single ECDSA pubkeys through 2PC and the Paillier encryption system. It also uses a number of other elements which I decided weren't needed for my goal as described here.
Tumblebit involves two cut-and-choose protocols, with a blinding step between them to prevent the server learning a linkage. But the root idea of the first protocol, called the "Puzzle Promise Protocol", struck me as quite generic: I will give you an encryption of a signature and a hash of its decryption key. If you can learn the hash preimage, you can learn the signature and spend the coin (basically). This cut and choose is a very generic kind of interactive zero knowledge proof, although it has a quirk - to gain reasonable security, you need a whole set of valid signatures, not just one; in the Bitcoin transaction scenario, however, that doesn't matter, because the entire point of the blockchain is to prevent double-spending.
(Of course, the ZKCP construction is basically doing the same thing, just more generically/powerfully, and doesn't require provision of multiple puzzle solutions simultaneously, and importantly, it's non-interactive: you can encrypt a solution to a puzzle and prove in zero knowledge using systems like zkSNARKs that your solution is valid and then sell the preimage of the decryption key, as above. These more powerful proving systems, though, have bigger computational requirements, see the first example ZKCP, in which 20s was recorded as the proving time; note this has almost certainly improved, although Sudoku is kind of a toy example. Also, I believe the example shown there was proven to have invalid assumptions, specifically that the payer can be trusted to generate the CRS, but it turned out that this broke the witness indistinguishability property that guaranteed the zero knowledgeness property of the proof; see this paper for details and fixes. But - tangent over! ))
So what if we do such a cut-and-choose, and then have the hash preimage revealed in a separate, disconnected transaction? There are two advantages of doing things this way: (1) no linkage is possible because the hash preimage is only revealed in one transaction (and only in the non-cooperative case), and (2) the exact signature algorithm of the first payment (the one whose sig is encrypted) is irrelevant. This might mean, for example, that doing a swap between Bitcoin and a blockchain which uses a different elliptic curve for its signatures (e.g. curve25519) and/or a different signature scheme (edDSA, which is a variant of Schnorr, for example, or perhaps less well known things like hash-based signatures).
The next 3 subsections will discuss the steps in what has just been outlined very briefly. We'll revisit our friends Alice and Bob; we'll assume Bob's 1 coin resides on the BTC blockchain and we'll say Alice's 1 Alice-coin is on the Alice-chain (not specifying which blockchain it is, and magically assuming that 1 Alice coin = 1 BTC).
This is by now a design pattern. To start doing contracts, you have to have both parties put their coins into shared control, which effectively means 2 of 2 multisig outputs. Before doing so, however, to prevent deadlock/MAD scenarios, you pre-sign backout transactions (or backout script paths) to return coins to the original owner in case of disappearance of the other party. There is a small twist here though: only Alice puts coins into "escrow" this way, before the cut-and-choose described next; but that's OK because it reveals no information to Bob on its own.
You'll note that we have tacitly assumed that Alice-chain supports 2 of 2 multisig in some or other form, and nLockTime or something directly equivalent.
This is a brief refresher that is basically identical to what was called the "Puzzle Promise protocol" in Tumblebit (for links see above). Since it's the core idea here, it's worth going over the steps:
This process requires a bit of interactivity of course; but it's not XBI and it's not crazy large (with fast network connections, this basically 2 rounds of interactivity could be effectively immediate, which may (although it's a stretch) be considered an advantage over a non-interactive protocol like zkSNARKs which may take an appreciable amount of resources/time.
Bob now prepares a transaction paying from 2-2-AB-2 (i.e. using as input the txid of TX2) to an output whose scriptPubKey is roughly:
IF HASH H(k_i) EQV ALICEPUB CHECKSIG
ELSE L2 CHECKLOCKTIMEVERIFY DROP BOBPUB CHECKSIG ENDIF
where i is just one of the 42 real-hash indices at random, and of course ALICEPUB, BOBPUB are just pre-specified ephemeral keys belonging to Alice, Bob. The transaction pays 1 coin (here BTC; remember we assume Bob is transacting on the BTC chain).
Both Alice and Bob now sign this transaction, and Bob broadcasts TX2. After it confirms, Alice can now be sure that at any time before L2 she can sign and broadcast this new transaction, and then spend out of it, receiving her coin in the scriptSig/witness of that second transaction, as intended, and perforce revealing to Bob the decryption key \(k_i\) which he in turn knows by the cut and choose argument that he can use to decrypt a signature on a payout of 1 Alice-coin from 2-2-AB-1. The atomicity is precisely here.
If she spends into it (the TX2->custom redeem script transaction) but doesn't spend out of it, Bob retrieves his 1 coin and of course cannot claim the Alice-coin.
As we have seen before in CoinSwap protocols, it makes sense to, at this point, create an "overlay" output. If Alice is cooperating and trying to create the best privacy, she will, instead of signing/broadcasting the first transaction described in the previous paragraph, send the decryption key directly to Bob over the private channel. Then Bob and Alice can cooperatively create a new payout from 2-2-AB-2 to Alice's chosen output destination, paying the 1 BTC coin. Bob takes no risk doing this once he has the decryption key allowing him to claim his 1 Alice-coin, and Alice takes no risk since if Bob refuses to cooperate in this last step, she can always sign/broadcast the transaction to the custom redeem script above (note it is locked to her pubkey), and spend out of it before the locktime expires. These steps of reasoning are ~ the same as in the blog post "CoinSwaps".
As was mentioned at the beginning, this is not a very interesting alternative to existing atomic swap constructions, but I wanted to write it out for a few reasons:
Author 1
Bitcoin 7
Adam Gibson (13)
Comments
There are currently no comments
New Comment