Date: Fri, 09 Sep 2022 21:05:07 +0000
To: alicexbt <alicexbt@protonmail.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: woltx <woltx@protonmail.com>
Subject: Re: [bitcoin-dev] joinstr: coinjoin implementation using nostr

Hi /dev/fd0,

I've been reviewing joinstr, and if I understand the code correctly, the cryptographic scheme mentioned as an alternative to blind signatures isn't implemented yet, is it? Currently, it seems that anyone can submit unrelated inputs and outputs.

Perhaps PR #24058 (https://github.com/bitcoin/bitcoin/pull/24058) (basic support BIP-322) can improve this scheme as it implements proof of ownership.

Instead of clients sending descriptors to the relay and then verifying them using `scantxoutset`, it can send `txid:out` with a message signed with the address, verify using `verifymessage` and then use `gettxout` to retrieve the value. That way, only the owner can send the UTXO.

I've done some tests connected to a node with BIP322 enabled:

```python
import json

# `core`, `wallet`, `nostr_interface` and `input` come from the surrounding script (not shown).

# to send
input_txt: str = json.dumps(input)
result = core.signmessage(wallet, input['address'], input_txt)
input['signature'] = result['result']
nostr_interface.publish_input(input)

# to receive
def validate_input(input: dict) -> bool:
    # ... (elided in the original; `message` must be the input as it was signed,
    # i.e. before the 'signature' field was added)
    result = core.verifymessage(address=input['address'], message=json.dumps(message), signature=input['signature'])
    return result['error'] is None and result['result'] is True
```





------- Original Message -------
On Saturday, August 20th, 2022 at 1:52 PM, alicexbt via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:


> Hi Max,
>
> There are a few DoS vectors that need to be fixed. It's just a proof of concept that I wanted to share with everyone to get feedback which could be improved over time. There is also a warning at the bottom of README to not use this on mainnet as it might have bugs.
>
> I will continue the development with coinjoin transactions on signet for a few weeks until there is a stable release with no bugs.
>
> I have a few ideas in mind for various relay types that might be used concurrently to prevent numerous problems. Custom relays are supported by Nostr. Examples include paying a fee to register for a round, subscribing with a time limit, or using invite-only relays. I will run a free and open nostr relay for this project and try to fix the DoS issues before a mainnet version is released for python script (for nerds) and android app (for all users).
>
> Related links:
>
> https://github.com/fiatjaf/relayer
> https://github.com/fiatjaf/expensive-relay
> https://github.com/fiatjaf/relayer/tree/master/whitelisted
>
> /dev/fd0
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Saturday, August 20th, 2022 at 10:04 AM, Max Hillebrand max@towardsliberty.com wrote:
>
> > Great to see an implementation of the idea.
> >
> > Maybe I misunderstand, but isn't there a vulnerability of denial of service here?
> >
> > A user who registers one input will receive the round secret identifier, and this is all the information required for output registration. However, that malicious user can now register multiple outputs, providing the same secret, and nobody can link the malicious outputs to any specific input. Therefore there cannot be a blame round where the malicious input is removed, and thus there can be an ongoing free denial of service attack without attribution or defense.
> >
> > Skol
> > Max
> >
> > On August 20, 2022 10:20:00 AM GMT+02:00, alicexbt via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> >=20
> > > Hi Bitcoin Developers,
> > >
> > > I have written a python script as proof of concept for the coinjoin implementation using nostr. I used a lot of Python scripts created by others in school, so it feels nice to offer something that could be useful to others.
> > >
> > > The implementation uses Bitcoin Core wallet and RPCs: `listunspent`, `getnewaddress`, `scantxoutset`, `createpsbt`, `combinepsbt`, `finalizepsbt` and `sendrawtransaction`. It requires python-nostr library because nostr is used for coordination between peers. Nostr is a decentralized network based on cryptographic keypairs. It is not peer-to-peer; however, it is simple and scalable.
> > >
> > > Every step is published as an event using a nostr relay and 5 peers coordinate to create, sign and broadcast a coinjoin transaction. I need to write a NIP that would be an alternative to blind signatures. Relay will share a random secret with clients for one round which should be present in output registration request although never gets published. If someone tries to register an output without registering any inputs, request would not have the number initially shared with inputs so request would get rejected or published as unverified. Relay would not be able to link inputs and outputs as the number is same for all inputs in a round and they get registered at different times with new keys and IP address. Clients can use multiple relays at the same time to avoid trusting one relay. This would result in different shared secret number but same process. If a relay tries to cheat, users will not sign the transaction and avoid using it in future.
> > >
> > > Usage:
> > >
> > > 1) Run `python coinjoin.py` and enter descriptor for one of the inputs.
> > > 2) Script will check inputs for this round in every 30 seconds and register a new address for output once 5 inputs are registered.
> > > 3) Similar check happens every 30 seconds for outputs. Last peer should create a PSBT.
> > > 4) Unsigned PSBT will be printed and signed by wallet with `walletprocesspsbt` RPC.
> > > 5) Script will check signed PSBTs and last peer to sign should finalize coinjoin transaction once 5 signed PSBTs are received.
> > > 6) Coinjoin transaction will be broadcasted and txid will be printed.
> > >
> > > Example:
> > >
> > > ```
> > > List of utxos in wallet:
> > >
> > > wpkh([53830dca/84'/1'/0'/0/0]02449be5fb74725255eeeb50eba930fa87705f21e99d13cd710cf2c1f21153c808)#x2hyyeg5
> > >
> > > Enter descriptor for the input registration: wpkh([53830dca/84'/1'/0'/0/0]02449be5fb74725255eeeb50eba930fa87705f21e99d13cd710cf2c1f21153c808)#x2hyyeg5
> > >
> > > event id: bcbbe62d75d99fed73f1e50ac58a38d1840b658951893e63c0322b378d7d56f0
> > >
> > >
> > > tb1qhxrp4zl54ul0twtyz0gury5399q7z0kvqqrl6m registered for output
> > >
> > > event id: 9449c9065bef356d21507a98f88b028b17fc1c49eb195c8d4420604fcaaef041
> > >
> > > Unsigned PSBT: [base64 PSBT omitted]
> > >
> > > event id: 976744b38fa9343fb79e1b5215512ead6ee08e5890d79a201fc5b872f6de4eba
> > >
> > > Signed PSBT: [base64 PSBT omitted]
> > >
> > > event id: 5846b6e6902f3c5a43496d7d9785ed62444aa74963f03c33d637d8b09ee7a139
> > >
> > > Coinjoin tx: 75e490b10b15a6a0422f25ff66ad98ef70390c8fecaac02712705dce8cc3564b
> > >
> > > event id: 9b5d4bf279b59e2b6e539e683fba83da72dce2b640360aa95db1b1400be93190
> > > ```
> > >
> > > There are a lot of things that could be improved and a few suggestions are in the gist that described the idea. I would love to read any opinions about this experiment and will start working on creating an Android app for joinstr next week.
> > >
> > > Credits:
> > >
> > > - fiatjaf (Nostr)
> > > - Andrew Chow (PSBT)
> > > - Jeff Thibault (python-nostr)
> > > - Existing coinjoin implementations
> > >
> > > /dev/fd0
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > bitcoin-dev mailing list
> > > bitcoin-dev@lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
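
An added example (not code from woltx, joinstr or Bitcoin Core) of the relay-side check proposed at the top of this message: verify the signature over the registration, then use `gettxout` to confirm the outpoint is unspent and pays to the signing address, taking the value from the node. `FakeNode`, `canonical`, `register` and the `outpoint` field name are assumptions, and HMAC stands in for a real BIP-322 signature so the block runs offline.

```python
import hashlib, hmac, json

class FakeNode:
    """Constructed stand-in for a Bitcoin Core RPC client (HMAC replaces BIP-322)."""
    def __init__(self, keys, utxos):
        self.keys, self.utxos = keys, utxos   # address -> secret, (txid, vout) -> utxo

    def signmessage(self, address, message):
        return hmac.new(self.keys[address], message.encode(), hashlib.sha256).hexdigest()

    def verifymessage(self, address, signature, message):
        key = self.keys.get(address)
        return key is not None and hmac.compare_digest(
            self.signmessage(address, message), signature)

    def gettxout(self, txid, vout):
        return self.utxos.get((txid, vout))   # None when spent or unknown, as in Core

def canonical(reg):
    """Byte-stable form of the registration, without the signature field."""
    body = {k: v for k, v in reg.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"))

def validate_input(node, reg):
    """Return the UTXO value (from the node, never from the client) or None."""
    try:
        txid, n = reg["outpoint"].split(":")
        vout = int(n)
        address, signature = reg["address"], reg["signature"]
    except (KeyError, ValueError, AttributeError):
        return None
    if not node.verifymessage(address, signature, canonical(reg)):
        return None                       # signer does not control `address`
    utxo = node.gettxout(txid, vout)
    if utxo is None:
        return None                       # spent or nonexistent outpoint
    if utxo["scriptPubKey"].get("address") != address:
        return None                       # valid signature, but over someone else's coin
    return utxo["value"]

# Constructed sample data (not real keys, addresses or transactions).
NODE = FakeNode({"addr_alice": b"k1", "addr_mallory": b"k2"},
                {("aa" * 32, 0): {"value": 0.001, "scriptPubKey": {"address": "addr_alice"}}})

def register(address, outpoint):
    reg = {"address": address, "outpoint": outpoint}
    reg["signature"] = NODE.signmessage(address, canonical(reg))
    return reg
```

The address comparison is the step that ties the signature to the coin: `verifymessage` alone only shows control of some address, not of the outpoint being registered.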