Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 64B83C016F for ; Wed, 13 May 2020 09:57:25 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 0970B2038F for ; Wed, 13 May 2020 09:57:25 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VleS5LA9wCAK for ; Wed, 13 May 2020 09:57:22 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-ed1-f68.google.com (mail-ed1-f68.google.com [209.85.208.68]) by silver.osuosl.org (Postfix) with ESMTPS id 33B892036D for ; Wed, 13 May 2020 09:57:22 +0000 (UTC) Received: by mail-ed1-f68.google.com with SMTP id s10so13727892edy.9 for ; Wed, 13 May 2020 02:57:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WdzjVTkXH7rZLPTbtrFg3ekDB8oDyIRsOfOqV5sxjIw=; b=Ov9uPS6giTLmtBfKvizQKLlo1t+2qHemC5OiEBldTa2DxIh8Zsb5IK6Mwc1jJKduLZ ISxL4zHO2MqgFYGw4d0uwBvRX72E0bhJbz0DNn9RMW36Az/KVoXk0gwswDsarIYXoAiZ bz/SeOa5h2kuJ4u/fMtCsy7EVl7/rtxybvAHYuFj9Y8LixCwoeQEG7WvZ8G1ip0VD3p5 btD624gdEeZEHUWIi/ffMuU6BwZFkI25ZdTNbM3z3HV6JbHavls0l4mZ8/rxNG1Oil4V 4d1vDCpEIN75+dtlBA/s861FPHh7QnGHcwsOBo+hgNja5IBk3Yc8ypZ7s2c4cmIJKXH/ dvfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WdzjVTkXH7rZLPTbtrFg3ekDB8oDyIRsOfOqV5sxjIw=; b=BSjduyzY+/Io0omTPPHAL0ATaY1xWOt3jhBryU0rUCtBeK8AxY3kTqpXUtjj+4XYJc mHefUUE4BNq48OFqrjwbGK6Rrl0Olyho5agQcqWJpYjnYARJKG30a8dyd87JG2OGIZCm Z6sASy/I515ueKvjc3LsQq6P2XjB32oDKBXgb9nLWVRS9qiysP8XQU/LeZclctdUbJRW wL4xXR8x1na9SrrbshQlzxP49dW7PvSdW43PDrKJnbU/Upbe7kaNqyTm1el4H1Hc1TJB +NJ4d8xktv/Y/TBtbk57GLW2GYH57eky2hdSswc3MulFqQgX3EV6mlRihQIQqvznIIeQ v2kg== X-Gm-Message-State: AGi0PuYHn9NUQo/X0K53YUmzGHj+W9Rh2KaoAw0N5LHlaVE4x4PulAfo NgWim/Wbw/QE3qOeWo/oldjrqqBl+7wsimSXlP7KR57k X-Google-Smtp-Source: APiQypIryN2AR6RHxq5DUV6Sv7KPKHDejkPkn1sbSCyWsZLwNVjobOAuIwYN0hMOG38JhRlXIeTETgdguB/ITYz3jy4= X-Received: by 2002:a50:9b58:: with SMTP id a24mr15021847edj.256.1589363840095; Wed, 13 May 2020 02:57:20 -0700 (PDT) MIME-Version: 1.0 References: <2-ZZw_6q-EBo5DmIK5PtzWCE9zd9FdNtYuhFf84FKxRHwmL7g7kA9YvYB9iqFFkGy_xoXARzRW8hiZa-ZcLPWeZ60PNMQc9yMdZLnTsp1yo=@protonmail.com> In-Reply-To: <2-ZZw_6q-EBo5DmIK5PtzWCE9zd9FdNtYuhFf84FKxRHwmL7g7kA9YvYB9iqFFkGy_xoXARzRW8hiZa-ZcLPWeZ60PNMQc9yMdZLnTsp1yo=@protonmail.com> From: Ruben Somsen Date: Wed, 13 May 2020 11:57:05 +0200 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="0000000000001b9a7f05a5849bad" X-Mailman-Approved-At: Wed, 13 May 2020 09:59:30 +0000 Subject: Re: [bitcoin-dev] SAS: Succinct Atomic Swap X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 May 2020 09:57:25 -0000 --0000000000001b9a7f05a5849bad Content-Type: text/plain; charset="UTF-8" Hi Chris, Thanks for taking a look :) >it also improves privacy because the coins could stay unspend for a long time, potentially indefinitely Excellent point. The pre-swap setup transactions would still be subject to timing/amount analysis, but it's clearly a lot less problematic than the traditional 4 tx swap. And Payswap may be able to mitigate the amount analysis. >Using relative timelocks and private key handover for old-style coinswaps would give us the same two-transaction effect I agree, Lloyd pointed out the same thing. One thing to add is that such a setup would result in four on-chain transactions if the protocol is aborted, due to the need to invalidate the refund transaction. >the idea of private key handover was mentioned as early as 2016 in the original Lightning Network paper Interesting! Thanks for pointing that out. Cheers, Ruben On Wed, May 13, 2020 at 10:39 AM ZmnSCPxj wrote: > Good morning Ruben, > > > >If the shortened refund transaction exists (labeled "refund transaction > #1" in the SVG) then the same issue still occurs > > > > Yes, but there is one crucial difference: at that point in the protocol > (Bob has the success transaction and then stops cooperating) Alice and Bob > both had the opportunity not to take that path. Bob could have sent the > success transaction, and Alice could have waited and sent the revoke > transaction. They would essentially be "colluding" to fail. > > Okay, so the concern is basically, that Bob misses the deadline, then > Alice feels obligated to reclaim the funds. > In your proposal, the tx competition is between the secret-revealing > success TX and the non-secret-revealing revoke tx. > Whereas in my counterproposal, under the same conditions, the tx > competition is between the secret-revealing success tx and the > secret-revealing backout tx, and both transactions becoming visible on P2P > network means potentially both Alice and Bob know all the secrets on the > LTC side and end up competing over it, RBFing each other until the entire > fund goes to miners. > > > > >Without the refund#1 in your proposal, Bob refusing cooperation after > Alice puts the BTC into lock for 3 days and 2 further onchain transactions > > > > I'm not sure if I correctly understood what you're saying, but it's as > follows: > > > > Refund #1 can only safely be used before the signed success tx is given > to Bob. The cost to Alice at this point if Bob aborts is two on-chain > transactions while Bob hasn't put anything on-chain yet. > > > > Refund #2 needs to be used after Bob receives the signed success tx. The > cost to Alice is now three transactions, but Bob also went-on-chain by this > point, so causing this wasn't costless to Bob and is thus a similar failure > mode. > > I think it is not accurate that Bob is already on-chain before Alice can > be forced to use 3 transactions to fail. > > The revoke tx signatures are shared at step 0 of your protocol description. > Thus Bob has a copy of the revoke tx that is valid once Alice signs and > confirms the funding transaction. > Bob can thus give a copy of the revoke tx with signature directly to its > favorite miner, forcing Alice to take 3 transactions to back out of the > swap. > > Since Bob gave the tx directly to its favorite miner (TANSTAAGM: "There > ain't no such thing as a global mempool"), Alice will only know about this > event when the revoke tx is confirmed once, at which point it is very > difficult to reverse, even if Alice has a refund#1 tx prepared. > > Bob can do this before step 2 in your protocol description, meaning before > Bob locks up any funds, so Bob can do this for free, and will even use > funds going back to Alice to pay for confirmation of the revoke tx. > Because Bob can do this for free, there is no disincentive for trolling > Bobs to exist whose sole life goal is to just grief possible Alices. > > This can be slightly mitigated by adding two CPFP outputs (one for each > participant) and using the minimum relayable feerate for the revoke tx so > that Bob is forced to bring its own fees in order to incentivize miners. > This is similar to the "bring your own fees" currently proposed for > Lightning, but note the recent hand-wringing about the various problems > this adds to mempools and CPFP and RBF rules and etc etc: > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-April/017757.html > > We could use `SIGHASH_SINGLE | SIGHASH_ANYONECANPAY` as well for a > bring-your-own-fees, but that is not `SIGHASH_ALL` and thus marks the > transaction graph as special. > And forcing bring-your-own-fees means neither Alice nor Bob can swap all > their funds in a single operation, they have to keep a reserve. > > > Bob cannot safely perform step 2 before getting both signatures for the > revoke tx, as without Bob having access to the rveoke tx, if Bob locks up > LTC, Alice can stop responding and lock both their funds indefinitely with > Bob not having any way to recover its funds, which a rich Alice can use to > completely lock out an impoverished Bob. > But if Bob is given both signatures for the revoke tx before step 2, then > Bob can send the revoke tx to its favorite miner, forcing Alice to take 3 > transactions to back out, before Bob locks any funds in LTC side. > > > > > I also agree with your observation that alternatively Bob can just spend > before the timelock expires. > > This seems to be the safest alternative; in my context, where Bob is a > CoinSwap server/maker, Bob can wait a short while for new clients/takers, > and if no new clients arrive, spend. > Bob can run multiple servers, each of which are given the completed > success transaction, and the servers can check that if the timeout is near, > to spam the Bitcoin P2P network with the completed success transactions. > (these servers need not even run fullnodes, they could just periodically > poll a number of blockchain explorers and electrum servers, and when the > blockheight approaches, attempt broadcast; if the "main" server that > accepts clients/takers has already spent the TXO the broadcast of the > completed success tx is simply rejected by the Bitcoin P2P network; if the > timeout is based on sidereal time then the backup servers only need to be > running NTP) > > > > Regards, > ZmnSCPxj > --0000000000001b9a7f05a5849bad Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Chris,

Thanks for taking a look :)

>it also improves privacy because the coins could = stay unspend for a long time, potentially indefinitely

Excellent point. The pre-swap setup transactions would still be su= bject to timing/amount analysis, but it's clearly a lot less problemati= c than the traditional 4 tx swap. And Payswap may be able to mitigate the a= mount analysis.

>Using relative timelocks and p= rivate key handover for old-style coinswaps would give us the same two-tran= saction effect

I agree, Lloyd pointed out th= e same thing. One thing to add is that such a setup would result in four on= -chain transactions if the protocol is aborted, due to the need to invalida= te the refund transaction.

>the idea of private= key handover was mentioned as early as 2016 in the original Lightning Netw= ork paper

Interesting! Thanks for pointing that ou= t.

Cheers,
Ruben

On Wed, May 13, 20= 20 at 10:39 AM ZmnSCPxj <ZmnS= CPxj@protonmail.com> wrote:
Good morning Ruben,

> >If the shortened refund transaction exists (labeled "refund t= ransaction #1" in the SVG) then the same issue still occurs=C2=A0
>
> Yes, but there is one crucial difference: at that point in the protoco= l (Bob has the success transaction and then stops cooperating) Alice and Bo= b both had the opportunity not to take that path. Bob could have sent the s= uccess transaction, and Alice could have waited and sent the revoke transac= tion. They would essentially be "colluding" to fail.

Okay, so the concern is basically, that Bob misses the deadline, then Alice= feels obligated to reclaim the funds.
In your proposal, the tx competition is between the secret-revealing succes= s TX and the non-secret-revealing revoke tx.
Whereas in my counterproposal, under the same conditions, the tx competitio= n is between the secret-revealing success tx and the secret-revealing backo= ut tx, and both transactions becoming visible on P2P network means potentia= lly both Alice and Bob know all the secrets on the LTC side and end up comp= eting over it, RBFing each other until the entire fund goes to miners.


> >Without the refund#1 in your proposal, Bob refusing cooperation af= ter Alice puts the BTC into lock for 3 days and 2 further onchain transacti= ons
>
> I'm not sure if I correctly understood what you're saying, but= it's as follows:
>
> Refund #1 can only safely be used before the signed success tx is give= n to Bob. The cost to Alice at this point if Bob aborts is two on-chain tra= nsactions while Bob hasn't put anything on-chain yet.
>
> Refund #2 needs to be used after Bob receives the signed success tx. T= he cost to Alice is now three transactions, but Bob also went-on-chain by t= his point, so causing this wasn't costless to Bob and is thus a similar= failure mode.

I think it is not accurate that Bob is already on-chain before Alice can be= forced to use 3 transactions to fail.

The revoke tx signatures are shared at step 0 of your protocol description.=
Thus Bob has a copy of the revoke tx that is valid once Alice signs and con= firms the funding transaction.
Bob can thus give a copy of the revoke tx with signature directly to its fa= vorite miner, forcing Alice to take 3 transactions to back out of the swap.=

Since Bob gave the tx directly to its favorite miner (TANSTAAGM: "Ther= e ain't no such thing as a global mempool"), Alice will only know = about this event when the revoke tx is confirmed once, at which point it is= very difficult to reverse, even if Alice has a refund#1 tx prepared.

Bob can do this before step 2 in your protocol description, meaning before = Bob locks up any funds, so Bob can do this for free, and will even use fund= s going back to Alice to pay for confirmation of the revoke tx.
Because Bob can do this for free, there is no disincentive for trolling Bob= s to exist whose sole life goal is to just grief possible Alices.

This can be slightly mitigated by adding two CPFP outputs (one for each par= ticipant) and using the minimum relayable feerate for the revoke tx so that= Bob is forced to bring its own fees in order to incentivize miners.
This is similar to the "bring your own fees" currently proposed f= or Lightning, but note the recent hand-wringing about the various problems = this adds to mempools and CPFP and RBF rules and etc etc: https://lists.linuxfoundation.org/piper= mail/bitcoin-dev/2020-April/017757.html

We could use `SIGHASH_SINGLE | SIGHASH_ANYONECANPAY` as well for a bring-yo= ur-own-fees, but that is not `SIGHASH_ALL` and thus marks the transaction g= raph as special.
And forcing bring-your-own-fees means neither Alice nor Bob can swap all th= eir funds in a single operation, they have to keep a reserve.


Bob cannot safely perform step 2 before getting both signatures for the rev= oke tx, as without Bob having access to the rveoke tx, if Bob locks up LTC,= Alice can stop responding and lock both their funds indefinitely with Bob = not having any way to recover its funds, which a rich Alice can use to comp= letely lock out an impoverished Bob.
But if Bob is given both signatures for the revoke tx before step 2, then B= ob can send the revoke tx to its favorite miner, forcing Alice to take 3 tr= ansactions to back out, before Bob locks any funds in LTC side.

>
> I also agree with your observation that alternatively Bob can just spe= nd before the timelock expires.

This seems to be the safest alternative; in my context, where Bob is a Coin= Swap server/maker, Bob can wait a short while for new clients/takers, and i= f no new clients arrive, spend.
Bob can run multiple servers, each of which are given the completed success= transaction, and the servers can check that if the timeout is near, to spa= m the Bitcoin P2P network with the completed success transactions.
(these servers need not even run fullnodes, they could just periodically po= ll a number of blockchain explorers and electrum servers, and when the bloc= kheight approaches, attempt broadcast; if the "main" server that = accepts clients/takers has already spent the TXO the broadcast of the compl= eted success tx is simply rejected by the Bitcoin P2P network; if the timeo= ut is based on sidereal time then the backup servers only need to be runnin= g NTP)



Regards,
ZmnSCPxj
--0000000000001b9a7f05a5849bad--