Return-Path: Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 40CA9C016F for ; Mon, 11 May 2020 17:50:39 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 35E6388167 for ; Mon, 11 May 2020 17:50:39 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id swmEl0rCEbbg for ; Mon, 11 May 2020 17:50:36 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-ej1-f46.google.com (mail-ej1-f46.google.com [209.85.218.46]) by hemlock.osuosl.org (Postfix) with ESMTPS id 1F3D888012 for ; Mon, 11 May 2020 17:50:36 +0000 (UTC) Received: by mail-ej1-f46.google.com with SMTP id se13so1997544ejb.9 for ; Mon, 11 May 2020 10:50:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Fe1yqUeXayV+8YEJuDD+zyumtbY1abztHDb+p0IxZdo=; b=NaDNFZMH1VPH99rfnrj5NAssyKsSdkNjPpO1Ktl0OThC2WB17l1RhdHgXOi2mS/QTm xCX8rhafwO53kC57Kn6JN5eV1ukL0DnBonXj6senxW+Jd904JoFi7VLeUaMHdsWPr923 ku+Ym+x68iebKJorGfrAztUMmrRnC8BtkqIFFmjCjchdnQu2mY7i341Q8refI7sDQ7pH 4vTPaBH8A42xir7+GIHowkl0Oc9CuVTsXoI7u2pJ/n6PGrZPK1UamUWz+U21p+3HjGNu 4krkNWfBMqTPyN8+MgZA2JRE90U3nLsRIrItfa7h6ZhnnO+S5OTfb49akcPTQSrz59DR 59eA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Fe1yqUeXayV+8YEJuDD+zyumtbY1abztHDb+p0IxZdo=; b=dAseChKPRK7DPSgSSRxHc+XY4DP0c97amJcXqTTfT1rxqJe9aiw7OQHBVfRrKmoxmJ 47ZCAhdCZbQYKVRQSlQQ/1xPDSxzLlugM1mCT6ruVj/mYIoyS2DKyirexaXkhiCU5jzP QY5WkPBpwD5ZJnLen6lOxnLYLaHlAVn+/WR55s7PW9zAKvOnQBREw80tER5i/8IWBy1o AuOiF80k4twu93jndr/yLqBT8grAroYPCwUK0PMUDYN1vvgeO7KkoteoG/zniiJ7+6FP xRqfSY5ENIbT8daob4a6MOBLc9qa/ccb13y+WL9unQTMXWSfZE5g6X8cZFaOK9rbZsB+ /UZA== X-Gm-Message-State: AGi0PubtPJjWGGw86+UQYn4u+cGZX6+Z+sVm7xmDFksOTdrdYhOQIVDz oxqQYN1FRgSHaWLuWOHIfCdQRpagf3DFAYJE9dz1Jag2 X-Google-Smtp-Source: APiQypIj8hedlISad0UrIInK4oQxnoBd23tA0LO82e+bl/z5N4w2j45lkTK43RLIpih1HIzy+jwvhmVeWDPnnRd9vBo= X-Received: by 2002:a17:906:17c5:: with SMTP id u5mr14462023eje.275.1589219434204; Mon, 11 May 2020 10:50:34 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ruben Somsen Date: Mon, 11 May 2020 19:50:21 +0200 Message-ID: To: ZmnSCPxj Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Mon, 11 May 2020 17:50:46 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] SAS: Succinct Atomic Swap X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 May 2020 17:50:39 -0000 Hi ZmnSCPxj, Thanks for your feedback :) >CoinSwap for privacy is practically a "cross" chain atomic swap with the s= ame chain and token for both sides of the swap I agree, I didn't mean to imply that was new, only that this protocol makes it more efficient. >"Instead, Bob simply hands secretBob to Alice" is basically the same as pr= ivate key turnover Thanks for the link. I will add it to the links at the bottom of the write-up, as I agree it's related. Do note there are a few key differences: - The swap is set up in an "asymmetric" way with only timelocks on one side, so on the other side the swap *never* expires - The timelocks are set up in such a way that the swap does not expire unless Alice starts the relative timelock countdown (the revoke transaction) - This relative timelock setup comes practically for free, because the asymmetry naturally requires that kind of setup >The "OR Alice in +1 day" branch can be implemented, at least on Bitcoin an= d similar blockchains, by signing a specific `nSequence` "OR Alice in +1 day" is "refund transaction #1" from the diagram. If I'm not mistaken, the change you are suggesting is exactly how "refund transaction #2" is constructed. Note that #1 and #2 serve the same purpose. Strictly speaking, #1 is not needed at all, but it's there to give Alice the option to back out of the swap in two transactions as opposed to three. >It strikes me that the relative locktime is unnecessary on the output of t= his refund tx I believe I addressed this in the FAQ section (the question about absolute timelocks). An absolute timelock is possible, but you then need to make absolutely sure that the revoke transaction confirms in time, otherwise the protocol can fail (namely after Bob has received a copy of the success transaction and just waits and does nothing). You also lose the ability to keep the channel open indefinitely. >having a variety of different versions of the transactions with different = feerates could be used That's a good point. >As long as the one resolving a particular side of the swap is the one that= ocmpletes the signature (which I believe holds true for all branches?) Unfortunately this does not hold for the revoke transaction. It would be a bit awkward if Alice had a high fee copy after the protocol completes. She could send it to the blockchain and essentially Bob would be paying for it. I'm not as concerned about the other transactions, because those could all be bumped with CPFP if needed, but having different feerates would be nice. And a general comment about privacy: it seems inevitable that some information will be leaked if the protocol does not complete cooperatively. As long as the cooperative case is not traceable, that seems about as good as it can get. That's my view, at least. I'd be curious to hear if you see that differently. Cheers, Ruben On Mon, May 11, 2020 at 6:45 PM ZmnSCPxj wrote: > > Good morning Ruben, > > CoinSwap for privacy is practically a "cross" chain atomic swap with the = same chain and token for both sides of the swap, see also this set of ideas= : https://github.com/AdamISZ/CoinSwapCS/issues/53 > > "Instead, Bob simply hands secretBob to Alice" is basically the same as p= rivate key turnover, as best as I can understand it, and gives significant = advantages, also described in passing here: https://lists.linuxfoundation.o= rg/pipermail/bitcoin-dev/2020-May/017816.html > > Overall, this looks very much like a working CoinSwap as well. > > The Refund tx does not need anything more than a 2-of-2 script. > The "OR Alice in +1 day" branch can be implemented, at least on Bitcoin a= nd similar blockchains, by signing a specific `nSequence`, or if the chain = forking predates BIP68, by using absolute locktimes and signing a specific = `nLockTime`, with the destination being just "Alice". > This should help privacy, as now all `scriptPubKey`s will be 2-of-2 (or P= 2PKH with 2p-ECDSA). > > (It strikes me that the relative locktime is unnecessary on the output of= this refund tx --- as long as both participants agree on either Alice or B= ob having a longer locktime, you can just use the locktime on the refund tx= directly as backout; see the topic "`nLockTime`-protected Backouts" on the= CoinSwapCS issue link) > > If you are willing to accept protocol complexity, having a variety of dif= ferent versions of the transactions with different feerates could be used r= ather than the Decker-Russell-Osuntokun "eltoo" bring-your-own-fees method. > In terms of privacy this is better as you would not be using anything oth= er than the most boring `SIGHASH_ALL` signing flag, whereas the Decker-Russ= ell-Osuntokun will be identifiable onchain (and thus possibly flag the tran= saction as "of interest" to surveillors) due to use of `SIGHASH_ANYPREVOUT`= . > As long as the one resolving a particular side of the swap is the one tha= t ocmpletes the signature (which I believe holds true for all branches?) th= en it would select the version of the transaction with the best feerate, wh= ich it effectively pays out to what it recovers. > > > Regards, > ZmnSCPxj > > > > Works today with single signer ECDSA adaptor signatures[0], or with > > Schnorr + MuSig. > > > > Diagram here: > > https://gist.github.com/RubenSomsen/8853a66a64825716f51b409be528355f#fi= le-succinctatomicswap-svg > > > > Advantages: > > > > - Requires merely two on-chain transactions for successful completion= , > > as opposed to four > > > > - Scriptless, and one of the chains doesn't need to support timelocks > > - Can be used for efficient privacy swaps, e.g. Payswap[1] > > > > Disadvantages: > > > > - Access to money is contingent on remembering secrets (backup comple= xity) > > - Online/watchtower requirement for the timelock supporting chain (no= t > > needed with 3 tx protocol) > > > > Protocol steps: > > > > 0.) Alice & Bob pre-sign the following transactions, with exception= of > > the signatures in [brackets]: > > > > - success_tx (money to Bob): [sigSuccessAlice] + [sigSuccessBob] > > - revoke_tx (timelock): sigRevokeAlice + sigRevokeBob, which must the= n > > be spent by: > > -- refund_tx (relative timelock, refund to Alice): [sigRefundAlice] > > > > > > - {sigRefundBob} > > -- timeout_tx (longer relative timelock, money to Bob): > > sigTimeoutAlice + [sigTimeoutBob] > > > > {sigRefundBob} is an adaptor signature, which requires secretAlice = to complete > > > > 1.) Alice proceeds to lock up 1 BTC with Bob, using keyAlice & keyB= ob as pubkeys > > > > If protocol is aborted after step 1: > > > > > > - Alice publishes the revoke_tx, followed by the refund_tx & > > sigRefundBob, to get her BTC back > > > > - If Alice neglects to publish the refund_tx in time, Bob will claim > > the BTC with the timeout_tx > > > > 2.) Bob locks up altcoins with Alice, using secretAlice & secretBob= as pubkeys > > > > If protocol is aborted after step 2: > > > > - Once Alice publishes sigRefundBob, Bob learns secretAlice and > > regains control over the altcoins > > > > 3.) Protocol completion: > > > > - Alice hands adaptor signature {sigSuccessAlice} to Bob, which > > requires secretBob to complete > > > > - Bob could now claim the BTC via the success_tx, reveal secretBob, > > and thus give Alice control over the altcoins (=3D 3 tx protocol) > > > > - Instead, Bob simply hands secretBob to Alice > > - Likewise, Alice hands keyAlice to Bob to forego her claim on the re= fund_tx > > - Bob continues to monitor the chain, because he'll have to respond i= f > > Alice ever publishes the revoke_tx > > > > More graceful protocol failure: > > > > If the protocol aborts after step 1, Alice would have been forced t= o > > make three transactions in total, while Bob has made none. We can > > reduce that to two by introducing a second refund_tx with timelock > > that can be published ahead of the revoke_tx and directly spends fr= om > > the funding transaction. Publishing this transaction would also rev= eal > > secretAlice to Bob via an adaptor signature. In the 3 tx protocol, > > this output can go directly to Alice. In the 2 tx protocol with > > online/watchtower requirement, this output needs a script: spendabl= e > > by Alice + Bob right away OR by Alice after a relative timelock. It= is > > important to note that this transaction must NOT be published durin= g > > step 3. Once Bob can complete the success_tx, the revoke_tx is need= ed > > to invalidate the success_tx prior to revealing secretAlice. > > > > FAQ: > > > > - Why not allow Alice to still claim the altcoins if she accidentally > > lets Bob publish the timeout_tx? > > > > Alice could send the revoke_tx at the same time, revealing both > > secrets and causing likely losses. This can be solved by adding yet > > another transaction, but it wouldn't be efficient and wouldn't > > motivate Alice to behave. > > > > - Is it possible to implement this protocol on chains which only > > support absolute timelocks? > > > > Yes, but then Bob must spend his swapped coins before the timelock > > expires (or use the 3 tx protocol). Be aware that the revoke_tx MUS= T > > confirm before the timeout_tx becomes valid, which may become a > > problem if fees suddenly rise. The refund_tx can also not be allowe= d > > to CPFP the timeout_tx, as they must confirm independently in order= to > > invalidate the success_tx first. > > > > - Can't Alice just publish the revoke_tx after protocol completion? > > > > Yes, she'd first have to move the altcoins (to invalidate > > secretAlice), and could then try to claim the BTC by publishing the > > revoke_tx, forcing Bob to react on-chain before the refund_tx becom= es > > valid. The eltoo[2] method of paying for fees (requires > > sighash_anyprevout) or a second CPFP-able output may be an improvem= ent > > here (and also mitigates fee rising issues), but note that this als= o > > increases the required amount of tx data if the protocol doesn't > > complete successfully. > > > > - Can this be made to work with hash locks? > > > > Yes, by making the altcoins spendable via sigAlice + preimageBob OR > > sigBob + preimageAlice, and ensuring the contracts on the BTC side > > reveal either pre-image. Do note that this is not scriptless and wi= ll > > thus increase the transaction size. > > > > Open question: > > > > Perhaps it's possible to perform an atomic swap in and out of > > Lightning with only a single on-chain transaction. This would requi= re > > some kind of secondary set of HTLCs, allowing the sender to cancel = a > > Lightning payment by revealing a secret after a certain period of > > time. > > > > -- Ruben Somsen > > > > Thanks to Lloyd Fournier for feedback and review. > > > > If you find any further errors, I will endeavor to fix them here: > > https://gist.github.com/RubenSomsen/8853a66a64825716f51b409be528355= f > > > > Related work: > > > > Tier Nolan Atomic Swap: > > https://bitcointalk.org/index.php?topic=3D193281.msg2224949#msg2224= 949 > > Monero Atomic Swap: > > https://github.com/h4sh3d/xmr-btc-atomic-swap/blob/master/README.md > > > > [0] https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-= November/002316.html > > > > [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-Ja= nuary/017595.html > > > > [2] https://blockstream.com/eltoo.pdf > > > > > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > >