Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 246B3C0051 for ; Thu, 20 Aug 2020 15:29:13 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id F2F9E20460 for ; Thu, 20 Aug 2020 15:29:12 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TMcka9vXKZLF for ; Thu, 20 Aug 2020 15:29:10 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by silver.osuosl.org (Postfix) with ESMTPS id A80582045E for ; Thu, 20 Aug 2020 15:29:09 +0000 (UTC) Received: by mail-wm1-f45.google.com with SMTP id k8so1965378wma.2 for ; Thu, 20 Aug 2020 08:29:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suredbits-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qqHJmu3jBEet2GsB3QS2HCIX7TCnxGo7e6iSYynGR/M=; b=R5H0W7zYNtwVhaZJaroJ7MveRYEtcy+yWTAMUKn4bK+bAMvL9570wCHlMZwskVZo8g fokdXM7Rb3PXUFbwZHvZnOHT557cSWqTZz5d//AmpqDUfD9qtFaCjspUG9wbcSSOmD6G OmgBPQM/70toX9dCzN+4bhnoa3uu9RcfGExz3oOQ/Vu9Sw9/djUjjH/a7xupij/T9z3I ZqGlhB5w2ZL4vf8HtGxTG72Sb1j5zhVk7ym6YH5b/zp9p7AmbIEsTu9iGQNcm1IjAYvQ ryKAhKOPctusY4R2Eo8BzT+3YEBxEXrOzAF/rA6VZLsmdL0zHORxMryzHOvbHIaZPjWw XNrw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qqHJmu3jBEet2GsB3QS2HCIX7TCnxGo7e6iSYynGR/M=; b=scdsu7GUHRgYCepVSw/uN6j4PgDcGwdGUFiSlEWcUJx7a9Wl1lkCj25x39tR/rT7Bv V6NceV2HDAmLxKPAsiolWZRXKVa0MXJaPMdbF+nWpTnTdrZhYcI2ibkq2y1T7N1EpZ/9 HAbaP/ur756e/KFX4PkuJUbS4Fd1mACBXKLSdqaSl/AzD7rvXfbcrswjOlQwJgQtxQ5r nHkMsJaIOnXqDiSWA4eKw4gmYn1X6uPPd3eN+C+1NxQXjE2IyYyagpTARzU04ndxHuXS 0ZGoxF2DPtshIpRyOzdj2FSfr1Z63XkPixSYHgGblE2hDHbKiV34bWfwScDsPVInDHqz ZWqA== X-Gm-Message-State: AOAM532mCZDQKzZmSoTfFWetcCcruvMZWLKZ0kbKenL93ryR2uuXMrFe d2ODMI1EuQ+L7oNpouITVFWCXfuopeeuNJ42KlIwCg== X-Google-Smtp-Source: ABdhPJwzTViTCwdi/sLn7udf+Acd+UT1i4VuiAJU+CrhOSfsm8j7xpc3cEccPdWxormOiqtfdprYMDtSFYDFQPUB4OM= X-Received: by 2002:a7b:c257:: with SMTP id b23mr3880579wmj.164.1597937347963; Thu, 20 Aug 2020 08:29:07 -0700 (PDT) MIME-Version: 1.0 References: <813e51a1-4252-08c0-d42d-5cef32f684bc@riseup.net> In-Reply-To: From: Nadav Kohen Date: Thu, 20 Aug 2020 10:28:56 -0500 Message-ID: To: ZmnSCPxj , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000ffc30f05ad50c7b6" X-Mailman-Approved-At: Thu, 20 Aug 2020 15:37:18 +0000 Subject: Re: [bitcoin-dev] Detailed protocol design for routed multi-transaction CoinSwap X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Aug 2020 15:29:13 -0000 --000000000000ffc30f05ad50c7b6 Content-Type: text/plain; charset="UTF-8" Hey Chris and all, Looking good :) I have one major concern though > q = EC privkey generated by maker > Q = q.G = EC pubkey published by maker > > p = nonce generated by taker > P = p.G = nonce point calculated by taker > > R = Q + P = pubkey used in bitcoin transaction > = (q + p).G If I'm understanding this correctly (which I'm not sure I ame), it seems like the plan is to put R on-chain as the key to an output? As stated this is completely insecure as Q is known in advance so the taker can always choose a nonce p but then claim that their nonce point is p.G - Q so that the key that goes on-chain is (p.G - Q + Q) = p.G allowing them to steal the funds. If the plan is not to use full-fledged 2-ECDSA (which I think is actually necessary as I still don't understand how the HTLC signatures are generated) you have to, at the very least, force the taker to provide a Zero Knowledge Proof of Knowledge (ZKPoK) of the discrete log to the point they advertise as their nonce point to avoid this. Alternatively, I think you can use the following key as is done in MuSig: R = H(Q || P || Q)*Q + H(Q || P || P)*P But I still don't see how signatures can be generated for HTLCs from this key. Of course all of this complexity more or less goes away once we have Schnorr signatures and can use MuSig with adaptor signatures. Best, Nadav On Thu, Aug 20, 2020 at 6:17 AM ZmnSCPxj via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Good morning Chris, > > Great to see this! > > Mostly minor comments. > > > > > > > == Direct connections to Alice === > > > > Only Alice, the taker, knows the entire route, Bob and Charlie just know > > their previous and next transactions. Bob and Charlie do not have direct > > connections with each other, only with Alice. > > > > Diagram of Tor connections: > > > > Bob Charlie > > | / > > | / > > | / > > Alice > > > > When Bob and Charlie communicate, they are actually sending and > > receiving messages via Alice who relays them to Charlie or Bob. This > > helps hide whether the previous or next counterparty in a CoinSwap route > > is a maker or taker. > > > > This doesn't have security issues even in the final steps where private > > keys are handed over, because those private keys are always for 2-of-2 > > multisig and so on their own are never enough to steal money. > > This has a massive advantage over CoinJoin. > > In CoinJoin, since all participants sign a single transaction, every > participant knows the total number of participants. > Thus, in CoinJoin, it is fairly useless to have just one taker and one > maker, the maker knows exactly which output belongs to the taker. > Even if all communications were done via the single paying taker, the > maker(s) are shown the final transaction and thus can easily know how many > participants there are (by counting the number of equal-valued outputs). > > With CoinSwap, in principle no maker has to know how many other makers are > in the swap. > > Thus it would still be useful to make a single-maker CoinSwap, as that > would be difficult, for the maker, to diferentiate from a multi-maker > CoinSwap. > > There are still a few potential leaks though: > > * If paying through a CoinSwap, the cheapest option for the taker would be > to send out a single large UTXO (single-output txes) to the first maker, > and then demand the final payment and any change as two separate swaps from > the final maker. > * Intermediate makers are likely to not have exact amounts, thus is > unlikely to create a single-output tx when forwarding. > * Thus, the first maker could identify the taker. > * The makers can try timing the communications lag with the taker. > The general assumption would be that more makers == more delay in taker > responses. > > > > > > > === Miner fees === > > > > Makers have no incentive to pay any miner fees. They only do > > transactions which earn them an income and are willing to wait a very > > long time for that to happen. By contrast takers want to create > > transactions far more urgently. In JoinMarket we coded a protocol where > > the maker could contribute to miner fees, but the market price offered > > of that trended towards zero. So the reality is that takers will pay all > > the miner fees. Also because makers don't know the taker's time > > preference they don't know how much they should pay in miner fees. > > > > The taker will have to set limits on how large the maker's transactions > > are, otherwise makers could abuse this by having the taker consolidate > > maker's UTXOs for free. > > Why not have the taker pay for the *first* maker-spent UTXO and have > additional maker-spent UTXOs paid for by the maker? > i.e. the taker indicates "swap me 1 BTC in 3 bags of 0.3, 0.3, and 0.4 > BTC", and pays for one UTXO spent for each "bag" (thus pays for 3 UTXOs). > > Disagreements on feerate can be resolved by having the taker set the > feerate, i.e. "the customer is always right". > Thus if the maker *has to* spend two UTXOs to make up the 0.4 BTC bag, it > pays for the mining fees for that extra UTXO. > The maker can always reject the swap attempt if it *has to* spend multiple > UTXOs and would lose money doing so if the taker demands a too-high feerate. > > > > == Contract transaction definitions == > > > > Contract transactions are those which may spend from the 2-of-2 multisig > > outputs, they transfer the coins into a contract where the coins can be > > spent either by waiting for a timeout or providing a hash preimage > > value. Ideally contract transactions will never be broadcast but their > > existence keeps all parties honest. > > > > M~ is miner fees, which we treat as a random variable, and ultimately > > set by whichever pre-signed RBF tx get mined. When we talk about the > > contract tx, we actually mean perhaps 20-30 transactions which only > > differ by the miner fee and have RBF enabled, so they can be broadcasted > > in sequence to get the contract transaction mined regardless of the > > demand for block space. > > The highest-fee version could have, in addition, CPFP-anchor outputs, like > those being proposed in Lightning, so even if onchain fees rise above the > largest fee reservation, it is possible to add even more fees. > > Or not. > Hmm. > > > Another thought: later you describe that miner fees are paid by Alice by > forwarding those fees as well, how does that work when there are multiple > versions of the contract transaction? > > > > > (Alice+timelock_A OR Bob+hash) = Is an output which can be spent > > either with Alice's private key > > after waiting for a relative > > timelock_A, or by Bob's private key by > > revealing a hash preimage value > > The rationale for relative timelocks is that it makes private key turnover > slightly more useable by ensuring that, after private key turnover, it is > possible to wait indefinitely to spend the UTXO it received. > This is in contrast with absolute timelocks, where after private key > turnover, it is required to spend received UTXO before the absolute timeout. > > The dangers are: > > * Until it receives the private key, if either of the incoming or outgoing > contract transactions are confirmed, every swap participant (taker or > maker) should also broadcast the other contract transaction, and resolve by > onchain transactions (with loss of privacy). > * After receiving the private key, if the incoming contract transaction is > confirmed, it should spend the resulting contract output. > * It is possible to steal from a participant if that participant goes > offline longer than the timeout. > This may imply that there may have to be some minimum timeout that > makers indicate in their advertisements. > * The taker can detect if the first maker is offline, then if it is > offline, try a contract transaction broadcast, if it confirms, the taker > can wait for the timeout; if it times out, the taker can clawback the > transaction. > * This appears to be riskless for the taker. > * Against a similar attack, Lightning requires channel reserves, which > means the first hop never gains control of the entire value, which is a > basic requirement for private key turnover. > * On the other hand, the taker has the largest timeout before it can > clawback the funds, so it would wait for a long time, and at any time in > between the first maker can come online and spend using the hashlock branch. > * But the taker can just try on the hope it works; it has nothing to > lose. > * This attack seems to be possible only for the taker to mount. > Other makers on the route cannot know who the other makers are, > without cooperation of the taker, who is the only one who knows all the > makers. > * On the other hand, the last maker in the route has an outgoing HTLC > with the smallest timelock, so it is the least-risk and therefore a maker > who notices its outgoing HTLC has a low timeout might want to just do this > anyway even if it is unsure if the taker is offline. > * Participants might want to spend from the UTXO to a new address after > private key turnover anyway. > Makers could spend using a low-fee RBF-enabled tx, and when another > request comes in for another swap, try to build a new funding tx with a > higher-fee bump. > > > > A possible attack by a malicious Alice is that she chooses M1 to be very > > low (e.g. 1 sat/vbyte) and sets M2 and M3 to be very high (e.g. 1000 > > sat/vb) and then intentionally aborts, forcing the makers to lose much > > more money in miner fees than the attacker. The attack can be used to > > waste away Bob's and Charlie's coins on miner fees at little cost to the > > malicious taker Alice. So to defend against this attack Bob and Charlie > > must refuse to sign a contract transaction if the corresponding funding > > transaction pays miner fees greater than Alice's funding transaction. > > Sorry, I do not follow the logic for this...? > > > The timelocks are staggered so that if Alice uses the preimage to take > > coins then the right people will also learn the preimage and have enough > > time to be able to get their coins back too. Alice starts with knowledge > > of the hash preimage so she must have a longest timelock. > > More precisely: > > * The HTLC outgoing from Alice has the longest timelock. > * The HTLC incoming into Alice has the shortest timelock. > > For the makers, they only need to ensure that the incoming timelock is > much larger than the outgoing timelock. > > > > > > == EC tweak to reduce one round trip == > > > > When two parties are agreeing on a 2-of-2 multisig address, they need to > > agree on their public keys. We can avoid one round trip by using the EC > > tweak trick. > > > > When Alice, the taker, downloads the entire offer book for the liquidity > > market, the offers will also contain a EC public key. Alice can tweak > > this to generate a brand new public key for which the maker knows the > > private key. This public key will be one of the keys in the 2-of-2 > > multisig. This feature removes one round trip from the protocol. > > > > q = EC privkey generated by maker > > Q = q.G = EC pubkey published by maker > > > > p = nonce generated by taker > > P = p.G = nonce point calculated by taker > > > > R = Q + P = pubkey used in bitcoin transaction > > = (q + p).G > > Whoa whoa whoa whoa. > > All this time I was thinking you were going to use 2p-ECDSA for all > 2-of-2s. > In which case, the private key generated by the taker would be sufficient > tweak to blind this. > > In 2p-ECDSA, for two participants M = m * G; T = t * G, the total key is m > * t * G = m * T = t * M. > > Are you going to use `2 2 OP_CHECKMULTISIG` instead of 2p-ECDSA? > Note that you cannot usefully hide among Lightning mutual closes, because > of the reserve; Lightning mutual closes are very very likely to be spent in > a 1-input (that spends from a 2-of-2 P2WSH), 2-output (that pays to two > P2WPKHs) tx. > > > > > == Protocol == > > > ---8<------ > > The protocol looks correct to me. > > LOL. > > Give me a little more time to check it in detail hahaha. > > > > > ==== Retaliation as DOS-resistance ==== > > > > In some situations (e.g. step 8.) if one maker in the coinswap route > is > > the victim of a DOS they will retaliate by DOSing the previous maker > in > > the route. This may seem unnecessary and unfair (after all why waste > > even more time and block space) but is actually the best way to > resist > > DOS because it produces a concrete cost every time a DOS happens. > > I agree. > > > > > == Analysis of deviations == > > > > This section discusses what happens if one party deviates from the > > protocol by doing something else, for example broadcasting a htlc > > contract tx when they shouldnt have. > > > > The party name refers to what that party does, followed by other > party's > > reactions to it. > > e.g. Party1: does a thing, Party2/Party3: does a thing in reaction > > > > If multiple deviations are possible in a step then they are numbered > > e.g. A1 A2 A2 etc > > > > 0-2. Alice/Bob/Charlie: nothing else is possible except following the > > protocol or aborting > > > > 8. Alice: broadcasts one or more of the A htlc txes. Bob/Charlie/Dennis: > > do nothing, they havent lost any time or money. > > 4-6. Bob/Charlie: nothing else is possible except following the > protocol > > or aborting. > > > > 9. Bob: broadcasts one or more of the B htlc txes, Alice: broadcasts all > > her own A htlc txes and waits for the timeout to get her money back. > > Charlie: do nothing > > > > 10. Charlie: nothing else is possible except following the protocol or > > aborting. > > > > 11. Alice: broadcasts one or more of the A htlc txes. Bob: broadcasts > all > > his own A htlc txes and waits for the timeout. > > A. same as 8. > > B. Charlie: broadcasts one or more of the C htlc txes, Alice/Bob: > > broadcasts all their own htlc txes and waits for the timeout to get > > their money back. > > C-E1. Alice: broadcasts all of C htlc txes and uses her knowledge of > the > > preimage hash to take the money immediately. Charlie: broadcasts > > all of B htlc txes and reading the hash value from the blockchain, > > uses it to take the money from B htlc immediately. Bob: broadcasts > > all of A htlc txes, and reading hash from the blockchain, uses it > > to take the money from A htlc immediately. > > C-E2. Alice: broadcast her own A htlc txes, and after a timeout take > the > > money. Bob: broadcast his own B htlc txes and after the timeout > > take their money. Charlie: broadcast his own C htlc txes and after > > the timeout take their money. > > F1. Bob: broadcast one or more of A htcl txes and use the hash > preimage > > to get the money immediately. He already knows both privkeys of the > > multisig so this is pointless and just damages privacy and wastes > > miner fees. Alice: blacklist Bob's fidelity bond. > > F2. Bob: broadcast one or more of the C htlc txes. Charlie: use > preimage > > to get his money immediately. Bob's actions were pointless. Alice: > > cant tell whether Bob or Charlie actually broadcasted, so blacklist > > both fidelity bonds. > > G1. Charlie: broadcast one or more of B htcl txes and use the hash > > preimage to get the money immediately. He already knows both > > privkeys of the multisig so this is pointless and just damages > > privacy and wastes miner fees. Alice: cant tell whether Bob or > > Charlie actually broadcasted, so blacklist both fidelity bonds. > > G2. Charlie: broadcast one or more of the A htlc txes. Alice: > broadcast > > the remaining A htlc txes and use preimage to get her money > > immediately. Charlies's actions were pointless. Alice: blacklist > > Charlie's fidelity bond. > > > > The multisig outputs of the funding transactions can stay unspent > > indefinitely. However the parties must always be watching the network > > and ready to respond with their own sweep using a preimage. This is > > because the other party still possesses a fully-signed contract tx. > The > > parties respond in the same way as in steps C-E1, F2 and G2. Alice's > > reaction of blacklisting both fidelity bonds might not be the right > way, > > because one maker could use it to get another one blacklisted (as > well > > as themselves). > > Looks OK, though note that a participant might try to do so (as pointed > out above) in the hope that the next participant is offline. > > Thank you very much for your writeup! > > Regards, > ZmnSCPxj > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000ffc30f05ad50c7b6 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hey Chris and all,

Looking good :) I ha= ve one major concern though

>=C2=A0 =C2=A0 q =3D = EC privkey generated by maker
>=C2=A0 =C2=A0 Q =3D q.G =3D EC pubke= y published by maker
>
>=C2=A0 =C2=A0 p =3D nonce generated by = taker
>=C2=A0 =C2=A0 P =3D p.G =3D nonce point calculated by taker>
>=C2=A0 =C2=A0 R =3D Q + P =3D pubkey used in bitcoin transacti= on
>=C2=A0 =C2=A0 =C2=A0 =3D (q + p).G

If I'm = understanding this correctly (which I'm not sure I ame), it seems like = the plan is to put R on-chain as the key to an output? As stated this is co= mpletely=C2=A0insecure as Q is known in advance so the taker can always cho= ose a nonce p but then claim that their nonce point is p.G - Q so that the = key that goes on-chain is (p.G - Q=C2=A0+ Q) =3D p.G allowing them to steal= the funds. If the plan is not to use full-fledged=C2=A02-ECDSA (which I th= ink is actually necessary as I still don't understand how the HTLC sign= atures are generated) you have to, at the very least, force the taker to pr= ovide a Zero Knowledge Proof of Knowledge (ZKPoK) of the discrete log to th= e point they advertise=C2=A0as their nonce point to avoid this. Alternative= ly, I think you can use the following key as is done in MuSig:
<= div>
R =3D H(Q || P || Q)*Q=C2=A0+ H(Q || P || P)*P

But I still don't see how signatures can be generated f= or HTLCs from this key.

Of course all of this comp= lexity more or less goes away once we have Schnorr signatures and can use M= uSig with adaptor signatures.

Best,
Nada= v

On Thu, Aug 20, 2020 at 6:17 AM ZmnSCPxj via bitcoin-dev <bitcoin-dev@lists.linuxfo= undation.org> wrote:
Good morning Chris,

Great to see this!

Mostly minor comments.



>
> =3D=3D Direct connections to Alice =3D=3D=3D
>
> Only Alice, the taker, knows the entire route, Bob and Charlie just kn= ow
> their previous and next transactions. Bob and Charlie do not have dire= ct
> connections with each other, only with Alice.
>
> Diagram of Tor connections:
>
> Bob Charlie
> | /
> | /
> | /
> Alice
>
> When Bob and Charlie communicate, they are actually sending and
> receiving messages via Alice who relays them to Charlie or Bob. This > helps hide whether the previous or next counterparty in a CoinSwap rou= te
> is a maker or taker.
>
> This doesn't have security issues even in the final steps where pr= ivate
> keys are handed over, because those private keys are always for 2-of-2=
> multisig and so on their own are never enough to steal money.

This has a massive advantage over CoinJoin.

In CoinJoin, since all participants sign a single transaction, every partic= ipant knows the total number of participants.
Thus, in CoinJoin, it is fairly useless to have just one taker and one make= r, the maker knows exactly which output belongs to the taker.
Even if all communications were done via the single paying taker, the maker= (s) are shown the final transaction and thus can easily know how many parti= cipants there are (by counting the number of equal-valued outputs).

With CoinSwap, in principle no maker has to know how many other makers are = in the swap.

Thus it would still be useful to make a single-maker CoinSwap, as that woul= d be difficult, for the maker, to diferentiate from a multi-maker CoinSwap.=

There are still a few potential leaks though:

* If paying through a CoinSwap, the cheapest option for the taker would be = to send out a single large UTXO (single-output txes) to the first maker, an= d then demand the final payment and any change as two separate swaps from t= he final maker.
=C2=A0 * Intermediate makers are likely to not have exact amounts, thus is = unlikely to create a single-output tx when forwarding.
=C2=A0 * Thus, the first maker could identify the taker.
* The makers can try timing the communications lag with the taker.
=C2=A0 The general assumption would be that more makers =3D=3D more delay i= n taker responses.



>
> =3D=3D=3D Miner fees =3D=3D=3D
>
> Makers have no incentive to pay any miner fees. They only do
> transactions which earn them an income and are willing to wait a very<= br> > long time for that to happen. By contrast takers want to create
> transactions far more urgently. In JoinMarket we coded a protocol wher= e
> the maker could contribute to miner fees, but the market price offered=
> of that trended towards zero. So the reality is that takers will pay a= ll
> the miner fees. Also because makers don't know the taker's tim= e
> preference they don't know how much they should pay in miner fees.=
>
> The taker will have to set limits on how large the maker's transac= tions
> are, otherwise makers could abuse this by having the taker consolidate=
> maker's UTXOs for free.

Why not have the taker pay for the *first* maker-spent UTXO and have additi= onal maker-spent UTXOs paid for by the maker?
i.e. the taker indicates "swap me 1 BTC in 3 bags of 0.3, 0.3, and 0.4= BTC", and pays for one UTXO spent for each "bag" (thus pays= for 3 UTXOs).

Disagreements on feerate can be resolved by having the taker set the feerat= e, i.e. "the customer is always right".
Thus if the maker *has to* spend two UTXOs to make up the 0.4 BTC bag, it p= ays for the mining fees for that extra UTXO.
The maker can always reject the swap attempt if it *has to* spend multiple = UTXOs and would lose money doing so if the taker demands a too-high feerate= .


> =3D=3D Contract transaction definitions =3D=3D
>
> Contract transactions are those which may spend from the 2-of-2 multis= ig
> outputs, they transfer the coins into a contract where the coins can b= e
> spent either by waiting for a timeout or providing a hash preimage
> value. Ideally contract transactions will never be broadcast but their=
> existence keeps all parties honest.
>
> M~ is miner fees, which we treat as a random variable, and ultimately<= br> > set by whichever pre-signed RBF tx get mined. When we talk about the > contract tx, we actually mean perhaps 20-30 transactions which only > differ by the miner fee and have RBF enabled, so they can be broadcast= ed
> in sequence to get the contract transaction mined regardless of the > demand for block space.

The highest-fee version could have, in addition, CPFP-anchor outputs, like = those being proposed in Lightning, so even if onchain fees rise above the l= argest fee reservation, it is possible to add even more fees.

Or not.
Hmm.


Another thought: later you describe that miner fees are paid by Alice by fo= rwarding those fees as well, how does that work when there are multiple ver= sions of the contract transaction?

>
> (Alice+timelock_A OR Bob+hash) =3D Is an output which can be spent
> either with Alice's private key
> after waiting for a relative
> timelock_A, or by Bob's private key by
> revealing a hash preimage value

The rationale for relative timelocks is that it makes private key turnover = slightly more useable by ensuring that, after private key turnover, it is p= ossible to wait indefinitely to spend the UTXO it received.
This is in contrast with absolute timelocks, where after private key turnov= er, it is required to spend received UTXO before the absolute timeout.

The dangers are:

* Until it receives the private key, if either of the incoming or outgoing = contract transactions are confirmed, every swap participant (taker or maker= ) should also broadcast the other contract transaction, and resolve by onch= ain transactions (with loss of privacy).
* After receiving the private key, if the incoming contract transaction is = confirmed, it should spend the resulting contract output.
* It is possible to steal from a participant if that participant goes offli= ne longer than the timeout.
=C2=A0 This may imply that there may have to be some minimum timeout that m= akers indicate in their advertisements.
=C2=A0 * The taker can detect if the first maker is offline, then if it is = offline, try a contract transaction broadcast, if it confirms, the taker ca= n wait for the timeout; if it times out, the taker can clawback the transac= tion.
=C2=A0 =C2=A0 * This appears to be riskless for the taker.
=C2=A0 =C2=A0 * Against a similar attack, Lightning requires channel reserv= es, which means the first hop never gains control of the entire value, whic= h is a basic requirement for private key turnover.
=C2=A0 * On the other hand, the taker has the largest timeout before it can= clawback the funds, so it would wait for a long time, and at any time in b= etween the first maker can come online and spend using the hashlock branch.=
=C2=A0 =C2=A0 * But the taker can just try on the hope it works; it has not= hing to lose.
=C2=A0 * This attack seems to be possible only for the taker to mount.
=C2=A0 =C2=A0 Other makers on the route cannot know who the other makers ar= e, without cooperation of the taker, who is the only one who knows all the = makers.
=C2=A0 =C2=A0 * On the other hand, the last maker in the route has an outgo= ing HTLC with the smallest timelock, so it is the least-risk and therefore = a maker who notices its outgoing HTLC has a low timeout might want to just = do this anyway even if it is unsure if the taker is offline.
=C2=A0 * Participants might want to spend from the UTXO to a new address af= ter private key turnover anyway.
=C2=A0 =C2=A0 Makers could spend using a low-fee RBF-enabled tx, and when a= nother request comes in for another swap, try to build a new funding tx wit= h a higher-fee bump.


> A possible attack by a malicious Alice is that she chooses M1 to be ve= ry
> low (e.g. 1 sat/vbyte) and sets M2 and M3 to be very high (e.g. 1000 > sat/vb) and then intentionally aborts, forcing the makers to lose much=
> more money in miner fees than the attacker. The attack can be used to<= br> > waste away Bob's and Charlie's coins on miner fees at little c= ost to the
> malicious taker Alice. So to defend against this attack Bob and Charli= e
> must refuse to sign a contract transaction if the corresponding fundin= g
> transaction pays miner fees greater than Alice's funding transacti= on.

Sorry, I do not follow the logic for this...?

> The timelocks are staggered so that if Alice uses the preimage to take=
> coins then the right people will also learn the preimage and have enou= gh
> time to be able to get their coins back too. Alice starts with knowled= ge
> of the hash preimage so she must have a longest timelock.

More precisely:

* The HTLC outgoing from Alice has the longest timelock.
* The HTLC incoming into Alice has the shortest timelock.

For the makers, they only need to ensure that the incoming timelock is much= larger than the outgoing timelock.


>
> =3D=3D EC tweak to reduce one round trip =3D=3D
>
> When two parties are agreeing on a 2-of-2 multisig address, they need = to
> agree on their public keys. We can avoid one round trip by using the E= C
> tweak trick.
>
> When Alice, the taker, downloads the entire offer book for the liquidi= ty
> market, the offers will also contain a EC public key. Alice can tweak<= br> > this to generate a brand new public key for which the maker knows the<= br> > private key. This public key will be one of the keys in the 2-of-2
> multisig. This feature removes one round trip from the protocol.
>
> q =3D EC privkey generated by maker
> Q =3D q.G =3D EC pubkey published by maker
>
> p =3D nonce generated by taker
> P =3D p.G =3D nonce point calculated by taker
>
> R =3D Q + P =3D pubkey used in bitcoin transaction
> =3D (q + p).G

Whoa whoa whoa whoa.

All this time I was thinking you were going to use 2p-ECDSA for all 2-of-2s= .
In which case, the private key generated by the taker would be sufficient t= weak to blind this.

In 2p-ECDSA, for two participants M =3D m * G; T =3D t * G, the total key i= s m * t * G =3D m * T =3D t * M.

Are you going to use `2 <T> <Q+P> 2 OP_CHECKMULTISIG` instead o= f 2p-ECDSA?
Note that you cannot usefully hide among Lightning mutual closes, because o= f the reserve; Lightning mutual closes are very very likely to be spent in = a 1-input (that spends from a 2-of-2 P2WSH), 2-output (that pays to two P2W= PKHs) tx.

>
> =3D=3D Protocol =3D=3D

> ---8<------

The protocol looks correct to me.

LOL.

Give me a little more time to check it in detail hahaha.



>=C2=A0 =C2=A0 =C2=A0=3D=3D=3D=3D Retaliation as DOS-resistance =3D=3D= =3D=3D
>
>=C2=A0 =C2=A0 =C2=A0In some situations (e.g. step 8.) if one maker in t= he coinswap route is
>=C2=A0 =C2=A0 =C2=A0the victim of a DOS they will retaliate by DOSing t= he previous maker in
>=C2=A0 =C2=A0 =C2=A0the route. This may seem unnecessary and unfair (af= ter all why waste
>=C2=A0 =C2=A0 =C2=A0even more time and block space) but is actually the= best way to resist
>=C2=A0 =C2=A0 =C2=A0DOS because it produces a concrete cost every time = a DOS happens.

I agree.

>
>=C2=A0 =C2=A0 =C2=A0=3D=3D Analysis of deviations =3D=3D
>
>=C2=A0 =C2=A0 =C2=A0This section discusses what happens if one party de= viates from the
>=C2=A0 =C2=A0 =C2=A0protocol by doing something else, for example broad= casting a htlc
>=C2=A0 =C2=A0 =C2=A0contract tx when they shouldnt have.
>
>=C2=A0 =C2=A0 =C2=A0The party name refers to what that party does, foll= owed by other party's
>=C2=A0 =C2=A0 =C2=A0reactions to it.
>=C2=A0 =C2=A0 =C2=A0e.g. Party1: does a thing, Party2/Party3: does a th= ing in reaction
>
>=C2=A0 =C2=A0 =C2=A0If multiple deviations are possible in a step then = they are numbered
>=C2=A0 =C2=A0 =C2=A0e.g. A1 A2 A2 etc
>
>=C2=A0 =C2=A0 =C2=A00-2. Alice/Bob/Charlie: nothing else is possible ex= cept following the
>=C2=A0 =C2=A0 =C2=A0protocol or aborting
>
> 8.=C2=A0 Alice: broadcasts one or more of the A htlc txes. Bob/Charlie= /Dennis:
>=C2=A0 =C2=A0 =C2=A0do nothing, they havent lost any time or money.
>=C2=A0 =C2=A0 =C2=A04-6. Bob/Charlie: nothing else is possible except f= ollowing the protocol
>=C2=A0 =C2=A0 =C2=A0or aborting.
>
> 9.=C2=A0 Bob: broadcasts one or more of the B htlc txes, Alice: broadc= asts all
>=C2=A0 =C2=A0 =C2=A0her own A htlc txes and waits for the timeout to ge= t her money back.
>=C2=A0 =C2=A0 =C2=A0Charlie: do nothing
>
> 10.=C2=A0 Charlie: nothing else is possible except following the proto= col or
>=C2=A0 =C2=A0 =C2=A0aborting.
>
> 11.=C2=A0 Alice: broadcasts one or more of the A htlc txes. Bob: broad= casts all
>=C2=A0 =C2=A0 =C2=A0his own A htlc txes and waits for the timeout.
>=C2=A0 =C2=A0 =C2=A0A. same as 8.
>=C2=A0 =C2=A0 =C2=A0B. Charlie: broadcasts one or more of the C htlc tx= es, Alice/Bob:
>=C2=A0 =C2=A0 =C2=A0broadcasts all their own htlc txes and waits for th= e timeout to get
>=C2=A0 =C2=A0 =C2=A0their money back.
>=C2=A0 =C2=A0 =C2=A0C-E1. Alice: broadcasts all of C htlc txes and uses= her knowledge of the
>=C2=A0 =C2=A0 =C2=A0preimage hash to take the money immediately. Charli= e: broadcasts
>=C2=A0 =C2=A0 =C2=A0all of B htlc txes and reading the hash value from = the blockchain,
>=C2=A0 =C2=A0 =C2=A0uses it to take the money from B htlc immediately. = Bob: broadcasts
>=C2=A0 =C2=A0 =C2=A0all of A htlc txes, and reading hash from the block= chain, uses it
>=C2=A0 =C2=A0 =C2=A0to take the money from A htlc immediately.
>=C2=A0 =C2=A0 =C2=A0C-E2. Alice: broadcast her own A htlc txes, and aft= er a timeout take the
>=C2=A0 =C2=A0 =C2=A0money. Bob: broadcast his own B htlc txes and after= the timeout
>=C2=A0 =C2=A0 =C2=A0take their money. Charlie: broadcast his own C htlc= txes and after
>=C2=A0 =C2=A0 =C2=A0the timeout take their money.
>=C2=A0 =C2=A0 =C2=A0F1. Bob: broadcast one or more of A htcl txes and u= se the hash preimage
>=C2=A0 =C2=A0 =C2=A0to get the money immediately. He already knows both= privkeys of the
>=C2=A0 =C2=A0 =C2=A0multisig so this is pointless and just damages priv= acy and wastes
>=C2=A0 =C2=A0 =C2=A0miner fees. Alice: blacklist Bob's fidelity bon= d.
>=C2=A0 =C2=A0 =C2=A0F2. Bob: broadcast one or more of the C htlc txes. = Charlie: use preimage
>=C2=A0 =C2=A0 =C2=A0to get his money immediately. Bob's actions wer= e pointless. Alice:
>=C2=A0 =C2=A0 =C2=A0cant tell whether Bob or Charlie actually broadcast= ed, so blacklist
>=C2=A0 =C2=A0 =C2=A0both fidelity bonds.
>=C2=A0 =C2=A0 =C2=A0G1. Charlie: broadcast one or more of B htcl txes a= nd use the hash
>=C2=A0 =C2=A0 =C2=A0preimage to get the money immediately. He already k= nows both
>=C2=A0 =C2=A0 =C2=A0privkeys of the multisig so this is pointless and j= ust damages
>=C2=A0 =C2=A0 =C2=A0privacy and wastes miner fees. Alice: cant tell whe= ther Bob or
>=C2=A0 =C2=A0 =C2=A0Charlie actually broadcasted, so blacklist both fid= elity bonds.
>=C2=A0 =C2=A0 =C2=A0G2. Charlie: broadcast one or more of the A htlc tx= es. Alice: broadcast
>=C2=A0 =C2=A0 =C2=A0the remaining A htlc txes and use preimage to get h= er money
>=C2=A0 =C2=A0 =C2=A0immediately. Charlies's actions were pointless.= Alice: blacklist
>=C2=A0 =C2=A0 =C2=A0Charlie's fidelity bond.
>
>=C2=A0 =C2=A0 =C2=A0The multisig outputs of the funding transactions ca= n stay unspent
>=C2=A0 =C2=A0 =C2=A0indefinitely. However the parties must always be wa= tching the network
>=C2=A0 =C2=A0 =C2=A0and ready to respond with their own sweep using a p= reimage. This is
>=C2=A0 =C2=A0 =C2=A0because the other party still possesses a fully-sig= ned contract tx. The
>=C2=A0 =C2=A0 =C2=A0parties respond in the same way as in steps C-E1, F= 2 and G2. Alice's
>=C2=A0 =C2=A0 =C2=A0reaction of blacklisting both fidelity bonds might = not be the right way,
>=C2=A0 =C2=A0 =C2=A0because one maker could use it to get another one b= lacklisted (as well
>=C2=A0 =C2=A0 =C2=A0as themselves).

Looks OK, though note that a participant might try to do so (as pointed out= above) in the hope that the next participant is offline.

Thank you very much for your writeup!

Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000ffc30f05ad50c7b6--