Return-Path: Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 6FD0DC016E for ; Tue, 2 Jun 2020 22:24:24 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 5819086A34 for ; Tue, 2 Jun 2020 22:24:24 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sYksm42w8BCg for ; Tue, 2 Jun 2020 22:24:23 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) by fraxinus.osuosl.org (Postfix) with ESMTPS id ADEED86A33 for ; Tue, 2 Jun 2020 22:24:23 +0000 (UTC) Received: from capuchin.riseup.net (capuchin-pn.riseup.net [10.0.1.176]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 49c65z314JzFgjT for ; Tue, 2 Jun 2020 15:24:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1591136663; bh=1wTVqqUzBz9kOWOkyWvXHQA2LiyjVYoDX3TVkraSVx4=; h=Subject:To:References:From:Date:In-Reply-To:From; b=Xtg73exN8Bk7QDcv9CX/dPgUJLdlYtPZvqnEZamq3/N81ItAAaSFwxMi+Bj3WlsRH OWm2+nHBQnd+WCK6xi7swF5K8RZxHKmfQUe9I7D8f1Rq7HNLFruIpbDzwssyJ58e9N 0Kmyvs75xY8WBvblDD8F7SPMjnlpKP2VyDslhZGo= X-Riseup-User-ID: FFFC4B1B3F527F72E3D251E9345EE619A370380D88B341A0DF138E0784B6AF8C Received: from [127.0.0.1] (localhost [127.0.0.1]) by capuchin.riseup.net (Postfix) with ESMTPSA id 49c65z04VGz8tbd for ; Tue, 2 Jun 2020 15:24:22 -0700 (PDT) To: bitcoin-dev@lists.linuxfoundation.org References: <82d90d57-ad07-fc7d-4aca-2b227ac2068d@riseup.net> From: Chris Belcher Autocrypt: addr=belcher@riseup.net; prefer-encrypt=mutual; keydata= xsFNBFPk74oBEACzBLjd+Z5z7eimqPuObFTaJCTXP7fgZjgVwt+q94VQ2wM0ctk/Ft9w2A92 f14T7PiHaVDjHxrcW+6sw2VI2f60T8Tjf+b4701hIybluWL8DntG9BW19bZLmjAj7zkgektl YNDUrlYcQq2OEHm/MGk6Ajt2RA56aRKqoz22e+4ZA89gDgamxUAadul7AETSsgqOEUDI0FKR FODzoH65w1ien/DLkG1f76jd0XA6AxrESJVO0JzvkTnJGElBcA37rYaMmDi4DhG2MY4u63VE 8h6DyUXcRhmTZIAj+r+Ht+KMDiuiyQcKywCzzF/7Ui7YxqeAgjm5aPDU2E8X9Qd7cqHQzFM7 ZCqc9P6ENAk5a0JjHw0d0knApboSvkIJUB0j1xDIS0HaRlfHM4TPdOoDgnaXb7BvDfE+0zSz WkvAns9oJV6uWdnz5kllVCjgB/FXO4plyFCHhXikXjm1XuQyL8xV88OqgDFXwVhKrDL9Pknu sTchYm3BS2b5Xq1HQqToT3I2gRGTtDzZVZV0izCefJaDp1mf49k2cokDEfw9MroEj4A0Wfht 0J64pzlBYn/9zor5cZp/EAblLRDK6HKhSZArIiDR1RC7a6s7oTzmfn0suhKDdTzkbTAnDsPi Dokl58xoxz+JdYKjzVh98lpcvMPlbZ+LwIsgbdH4KZj7mVOsJwARAQABzR9DaHJpcyBCZWxj aGVyIDxmYWxzZUBlbWFpbC5jb20+wsF+BBMBAgAoBQJT5O+KAhsDBQkSzAMABgsJCAcDAgYV CAIJCgsEFgIDAQIeAQIXgAAKCRDvc06md/MRKS8jD/9P9fSYSIVjltL9brAMfIu7wJn0H0lX TbcuCM2uQitJ3BNxI3c7aq5dEby27u5Ud54otncDJuRPQVDKs6H7t1rInitgJ1MTQ9/aQGFA btKcgtVIMFbeClzTTfWr4W7fE45NI7E9EANgk5JfmWh3U+KINYLF5RtqynYocrsP6zOV+G9A HCpBemd9TN60CoMLMyMzTHEW1oQffaVAXY8DgthEYO/odWYIod7VTmEm0zU1aSysPqMwPWNm 8XIl0f8SfKQyZlAU8e1eCFVCenkE44FKC5qQNYc2UxexEYtfCWChTGc4oHKxIyYmTCCefsQF LvgwtvlNHRXHSDKSPSNcRcpl8DFpNEKrmMlkJ8Mx+YR05CydlTQ0bI3FBohJC+UHrjD5I3hA wJUC1o+yVSOEd+zN3cG1EECIwkEQSmBgG5t/le2RdzfXOdpf9ku2/zoBpq00R54JxUKlfRM7 OPTv7X+1AKHkxOySdCZwGgvdh2Whuqs4kTvtco00gCFM9fBd5oi1RJuHtxHsj8+/XU15UItb jeo96CIlM5YUeoRLPT5mxZYWgYAARFeSFReNq/Tuwq9d8EokUrtAyrPayznliy53UJfWDVzl 925c0Cz0HWaP2fWj+uFcj/8K0bhptuWJQy0Poht1z3aJC1UjEgr1Xz8I7jeSJmIlA9plcJw2 k4dhWc7BTQRT5O+KARAAyFxAM28EQwLctr0CrQhYWZfMKzAhCw+EyrUJ+/e4uiAQ4OyXifRr ZV6kLRul3WbTB1kpA6wgCShO0N3vw8fFG2Cs6QphVagEH8yfQUroaVxgADYOTLHMOb7INS8r KI/uRNmE6bXTX27oaqCEXLMycqYlufad7hr42S/T8zNh5m2vl6T/1Poj2/ormViKwAxM+8qf xd8FNI4UKmq2zZE9mZ5PiSIX0qRgM0yCvxV39ex/nhxzouTBvv4Lb1ntplR/bMLrHxsCzhyM KDgcX7ApGm+y6YEsOvzw9rRCRuJpE4lth8ShgjTtNTHfklBD6Ztymc7q7bdPWpKOEvO5lDQ6 q8+KfENv862cOLlWLk7YR2+mHZ1PXGhWC7ggwEkfGJoXo0x8X+zgUKe2+9Jj4yEhfL0IbFYC z2J5d+cWVIBktI3xqkwLUZWuAbE3vgYA4h8ztR6l18NTPkiAvpNQEaL4ZRnAx22WdsQ8GlEW dyKZBWbLUdNcMmPfGi5FCw2nNvCyN6ktv5mTZE12EqgvpzYcuUGQPIMV9KTlSPum3NLDq8QI 6grbG8iNNpEBxmCQOKz2/BuYApU2hwt2E44fL8e6CRK3ridcRdqpueg75my6KkOqm8nSiMEc /pVIHwdJ9/quiuRaeC/tZWlYPIwDWgb8ZE/g66z35WAguMQ+EwfvgAUAEQEAAcLBZQQYAQIA DwUCU+TvigIbDAUJEswDAAAKCRDvc06md/MRKaZwD/9OI3o3gVmst/mGx6hVQry++ht8dFWN IiASPBvD3E5EWbqWi6mmqSIOS6CxjU0PncxTBPCXtzxo/WzuHGQg/xtNeQ0T8b2lBScZAw93 qm1IcHXLUe5w/Tap6YaDmSYCIZAdtbHzYfPW4JK7cmvcjvF8jhTFOBEOFVQkTi19G7caVot0 +wL1e2DRHDXAe5CinEpaLBlwHeEu/5j6wc3erohUZlK9IbAclj4iZTQbaq3EyqUXl59dBOON xmL5edJxzVishIYQGIyA9WP1SylXt+kO82NEqZG2OxdXAlzjuJ8C2pAG+nbLtDo4hcsiN/MA aX9/JB7MXclT5ioerF4yNgKEdfq7LmynsTUd8w/Ilyp7AD+BWoujyO94i8h9eKvjf9PvSwxQ uAjRpxne7ZJD8vCsMNXBHSbeEK2LiwStHL/w473viXpDD53J6OLxX6a5RummR+rixbMH7dgK MJQ7FlyDphm3or6CSkGEir1KA0y1vqQNFtHhguFapAWMDKaJjQQNgvZUmOo6hbZqmvUF1OWc d6GA6j3WOUe3fDJXfbq6P9Jmxq64op887dYKsg7xjQq/7KM7wyRcqXXcbBdgvNtVDP+EnzBN HyYY/3ms4YIHE5JHxQ9LV4yPcWkYTvb1XpNIFVbrSXAeyGHVNT+SO6olFovbWIC3Az9yesaM 1aSoTg== Message-ID: Date: Tue, 2 Jun 2020 23:24:19 +0100 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2020 22:24:24 -0000 Hello ZmnSCPxj, On 31/05/2020 03:30, ZmnSCPxj via bitcoin-dev wrote: > Good morning Ruben and Chris, > I am not in fact convinced that PayJoin-with-CoinSwap adds *that* much privacy. > > These transactions: > > +---+ +---+ > Alice ---| |--| |--- Bob > Alice ---| | | | > Bob ---| | +---+ > +---+ > > Are not really much different in coin ownership analysis from these: > > +---+ +---+ > Alice ---| |----| |--- Bob > Alice ---| | +--| | > +---+ | +---+ > Bob ---------+ The main benefit of PayJoin-with-CoinSwap is it breaks the common-input-ownership heuristic, which is a major widely used heuristic. It would be a big win if that heuristic could be broken. PayJoin-with-CoinSwap would be useful if Alice is trying to recover some privacy which was previously degraded, for example if she is spending from a reused address or from an address linked to her identity. If she does a PayJoin with the reused address then some other economic entity would have his activity linked with Alice's. Just the fact that PayJoin-with-CoinSwap exists would improve privacy for people who don't use it, for example if someone buys bitcoin from an exchange that knows their identity and then co-spends it with other coins they obtained another way. The fact that PayJoin exists means an adversary cannot assume for sure that this user really owns that other address which was co-spent. This doesn't apply for regular CoinSwap, which only ever breaks the transaction graph heuristic, so in our example the destination the coins are sent *to* would be uncertain, but that the co-spent inputs are owned by the same person would be certain in a world where PayJoin didn't exist. > It also removes the need for Bob to reveal additional UTXOs to Alice during the swap protocol; yes PoDLE mitigates the privacy probing attack that Alice can mount on Bob, but it is helpful to remember this is "only" a mitigation. Opening up the possibility of spying for free is a real downside for PayJoin-with-CoinSwap. Using decoy UTXOs as described in my design document, rather than PoDLE, seems like a better way of resisting these attacks. This is because at the cost of a little bit more bandwidth and CPU its possible to make the probability of an attacker successfully guessing the maker's real UTXOs to be as low as you want. > But S6 has the mild advantage that all the funding transactions paying to 2-of-2s *can* appear on the same block, whereas chaining swaps will have a particular order of when the transactions appear onchain, which might be used to derive the order of swaps. On the other hand, funds claiming in S6 is also ordered in time, so someone paying attention to the mempool could guess as well the order of swaps. I think this is wrong, and that it's possible for the funding transactions of chained/routed swaps to all be in the same block as well. In CoinSwap it's possible to get DOS'd without the other side spending money if you broadcast your funding transaction first and the other side simply disappears. You'd get your money back but you have to waste time and spend miner fees. The other side didn't spend money to do this, not even miner fees. From the point of view of us as a maker in the route, we know we won't get DOS'd like this for free if we only broadcast our funding transaction once we've seen the other side's funding transaction being broadcast first. This should work as long as the two transactions have a similar fee rate. There might be an attack involving hash power: If the other side has a small amount of hash power and mines only their funding transaction in a manner similar to a finney attack, then our funding transaction should get mined very soon afterwards by another miner and the protocol will continue as normal. If the other side has knowledge of the preimage and uses it to do CPFP and take the money, then we can learn that preimage and do our own CPFP to get our money back too. So in a routed coinswap setup it should be possible for Alice the taker to broadcast her funding transaction first, which will lead to all the makers broadcasting their funding transactions as well once they see the other side has broadcast first. Then it would be possible for all those funding transactions to be confirmed in the same block. I hope I haven't missed anything, because if this doesn't work and each maker must wait for confirmations, then the UX of routed CoinSwap would degrade: a CoinSwap route of 5 makers would require at least 5 blocks to be mined. Of course this setup can leak the ordering of the routes because the funding transaction would appear in the mempool in that order, but this could be beaten if some Alices choose to intentionally spread out the funding transaction broadcasts among multiple blocks for privacy reasons. An interesting tangent could be to see if it's possible to make private key handover work with S6. A nice side-effect of private key handover is that the transfer of possession of the coins happens off-chain, so then paying attention to the mempool won't help an adversary much. Regards, Chris Belcher