1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
|
Return-Path: <alicexbt@protonmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])
by lists.linuxfoundation.org (Postfix) with ESMTP id E5074C002D
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 10 Sep 2022 10:17:51 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id AD8D140157
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 10 Sep 2022 10:17:51 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org AD8D140157
Authentication-Results: smtp2.osuosl.org;
dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com
header.a=rsa-sha256 header.s=protonmail3 header.b=EI603YJs
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 2vQqJ9_3sZw3
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 10 Sep 2022 10:17:50 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org EBE914012E
Received: from mail-4318.protonmail.ch (mail-4318.protonmail.ch [185.70.43.18])
by smtp2.osuosl.org (Postfix) with ESMTPS id EBE914012E
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 10 Sep 2022 10:17:49 +0000 (UTC)
Date: Sat, 10 Sep 2022 10:17:37 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
s=protonmail3; t=1662805066; x=1663064266;
bh=254NNZ/dGZLMajTf1oz+/1NKwCp0WoIceOA1sBecjT8=;
h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To:
References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To:
Feedback-ID:Message-ID;
b=EI603YJss4crEkDofBgXS15JsloKlMz3I2qCQdZ4xnIomvSTLoL0mloLv3fm6So01
oEMIT4wat8SJ5VlemdYyDMiOK6KtgQaTPdX8zZ5mJ/HYqDJc1JQVoTtIdn/Z0uEzKp
SU8A4WaK1ac6XXVdrl6sU9d44seJJ9qszX+fmaAH2WRi6DUDLqFdLUKlZsPfBVaTuP
c8Jr3szBwaUTz0Sx6daY5hnowahFUkbM5NpGscDCzYKcJHSXpEUuvJF1d/SKL09qOn
Mv9K+0uBiSYenY8C0IB5UqqLWPXLFApGrOpbD4CXf6xnb0phP97iq57OnYFEa8NZ4Q
UTmT5otWpggcw==
To: woltx <woltx@protonmail.com>
From: alicexbt <alicexbt@protonmail.com>
Reply-To: alicexbt <alicexbt@protonmail.com>
Message-ID: <NIAcS2bTRs-yCLyDvLvCydA8bCIFaClt_zD251QcEQ2IiEUgUCcKvTQwJ7YN-m7NUrawEdX5Z5lE2CR9UJ_RV5N77hmzoLYkiPWVgDETKi0=@protonmail.com>
In-Reply-To: <N_V7H1P2laUdee_YZE16Y4jNPGO0qBBebW1hdeRucs832Iu5ekvNlb3BDTjZG9lgnRjOm5ts7PDeyAvUAXlGdijIty2hIIXk0bEIn-RC-kQ=@protonmail.com>
References: <GDi7LdVsoIcf4DyylHYn9L24lNn6cE47Vo7DWE4GNmkHi-OePqMkqrx5VYisPG28nv4ih4763vKSS_Yul1BvxjXQn4Sr4zF62kQpL_5nzYY=@protonmail.com>
<N_V7H1P2laUdee_YZE16Y4jNPGO0qBBebW1hdeRucs832Iu5ekvNlb3BDTjZG9lgnRjOm5ts7PDeyAvUAXlGdijIty2hIIXk0bEIn-RC-kQ=@protonmail.com>
Feedback-ID: 40602938:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Sat, 10 Sep 2022 15:31:15 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] joinstr: coinjoin implementation using nostr
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Sep 2022 10:17:52 -0000
Hi woltx,
> I've been reviewing joinstr, and if I understand the code correctly, the =
cryptographic scheme mentioned as an alternative to blind signatures isn't =
implemented yet, is it? Currently, it seems that anyone can submit unrelate=
d inputs and outputs.
Thanks for reviewing joinstr. Yes, its not implemented right now as it requ=
ires a NIP and at least one relay using it.
> Instead of clients sending descriptors to the relay and then verifying th=
em using `scantxoutset`, it can send `txid:out` with a message signed with =
the address, verify using `verifymessage` and then use `gettxout` to retrie=
ve the value. That way, only the owner can send the UTXO.
`scantxoutset` is only used to get UTXO details (txid, vout and amount) as =
I thought its easier for users to just share a descriptor for coinjoin.=20
If a user sends `txid:out` with a message signed with the address, this wou=
ld be publicly available to everyone connected to same relay and links an i=
nput with output. Responding with a secret shared by relay for the round co=
nfirms user owns one of the input but does not reveal exact input.
/dev/fd0
Sent with Proton Mail secure email.
------- Original Message -------
On Friday, September 9th, 2022 at 9:05 PM, woltx <woltx@protonmail.com> wro=
te:
> Hi /dev/fd0,
>=20
> I've been reviewing joinstr, and if I understand the code correctly, the =
cryptographic scheme mentioned as an alternative to blind signatures isn't =
implemented yet, is it? Currently, it seems that anyone can submit unrelate=
d inputs and outputs.
>=20
> Perhaps PR #24058 (https://github.com/bitcoin/bitcoin/pull/24058) (basic =
support BIP-322) can improve this scheme as it implements proof of ownershi=
p.
>=20
> Instead of clients sending descriptors to the relay and then verifying th=
em using `scantxoutset`, it can send `txid:out` with a message signed with =
the address, verify using `verifymessage` and then use `gettxout` to retrie=
ve the value. That way, only the owner can send the UTXO.
>=20
> I've done some tests connected to a node with BIP322 enabled:
>=20
> # to send
> input_txt: str =3D json.dumps(input)
> result =3D core.signmessage(wallet, input['address'], input_txt)
> input['signature'] =3D result['result']
> nostr_interface.publish_input(input)
>=20
> # to receive
> def validate_input(input: dict[str, int, str, str]) -> bool:
>=20
> # ...
> result =3D core.verifymessage(address=3Dinput['address'], message=3Djson.=
dumps(message), signature=3Dinput['signature'])
> return result['error'] =3D=3D None and result['result'] =3D=3D True
>=20
>=20
>=20
>=20
>=20
> ------- Original Message -------
> On Saturday, August 20th, 2022 at 1:52 PM, alicexbt via bitcoin-dev bitco=
in-dev@lists.linuxfoundation.org wrote:
>=20
>=20
>=20
> > Hi Max,
> >=20
> > There a few DoS vectors that need to be fixed. Its just a proof of conc=
ept that I wanted to share with everyone to get feedback which could be imp=
roved over time. There is also a warning at the bottom of README to not use=
this on mainnet as it might have bugs.
> >=20
> > I will continue the development with coinjoin transactions on signet fo=
r a few weeks until there is a stable release with no bugs.
> >=20
> > I have a few ideas in mind for various relay types that might be used c=
oncurrently to prevent numerous problems. Custom relays are supported by No=
str. Examples include paying a fee to register for a round, subscribing wit=
h a time limit, or using invite-only relays. I will run a free and open nos=
tr relay for this project and try to fix the Dos issues before a mainnet ve=
rsion is released for python script(for nerds) and android app (for all use=
rs).
> >=20
> > Related links:
> >=20
> > https://github.com/fiatjaf/relayer
> > https://github.com/fiatjaf/expensive-relay
> > https://github.com/fiatjaf/relayer/tree/master/whitelisted
> >=20
> > /dev/fd0
> >=20
> > Sent with Proton Mail secure email.
> >=20
> > ------- Original Message -------
> > On Saturday, August 20th, 2022 at 10:04 AM, Max Hillebrand max@towardsl=
iberty.com wrote:
> >=20
> > > Great to see an implementation of the idea.
> > >=20
> > > Maybe I misunderstand, but isn't there a vulnerability of denial of s=
ervice here?
> > >=20
> > > A user who registers one input will receive the round secret identifi=
er, and this is all the information required for output registration. Howev=
er, that malicious user can now register multiple outputs, providing the sa=
me secret, and nobody can link the malicious outputs to any specific input.=
Therefor there cannot be a blame round where the malicious input is remove=
d, and thus there can be a ongoing free denial of service attack without at=
tribution or defense.
> > >=20
> > > Skol
> > > Max
> > >=20
> > > On August 20, 2022 10:20:00 AM GMT+02:00, alicexbt via bitcoin-dev bi=
tcoin-dev@lists.linuxfoundation.org wrote:
> > >=20
> > > > Hi Bitcoin Developers,
> > > >=20
> > > > I have written a python script as proof of concept for the coinjoin=
implementation using nostr. I used a lot of Python scripts created by othe=
rs in school, so it feels nice to offer something that could be useful to o=
thers.
> > > >=20
> > > > The implementation uses Bitcoin Core wallet and RPCs: `listunspent`=
, `getnewaddress`, `scantxoutset`, `createpsbt`, `combinepsbt`, `finalizeps=
bt` and `sendrawtransaction`. It requires python-nostr library because nost=
r is used for coordination between peers. Nostr is a decentralized network =
based on cryptographic keypairs. It is not peer-to-peer however simple and =
scalable.
> > > >=20
> > > > Every step is published as an event using a nostr relay and 5 peers=
coordinate to create, sign and broadcast a coinjoin transaction. I need to=
write a NIP that would be an alternative to blind signatures. Relay will s=
hare a random secret with clients for one round which should be present in =
output registration request although never gets published. If someone tries=
to register an output without registering any inputs, request would not ha=
ve the number initially shared with inputs so request would get rejected or=
published as unverified. Relay would not be able to link inputs and output=
s as the number is same for all inputs in a round and they get registered a=
t different times with new keys and IP address. Clients can use multiple re=
lays at the same time to avoid trusting one relay. This would result in dif=
ferent shared secret number but same process. If a relay tries to cheat, us=
ers will not sign the transaction and avoid using it in future.
> > > >=20
> > > > Usage:
> > > >=20
> > > > 1)Run `python coinjoin.py` and enter descriptor for one of the inpu=
ts.
> > > > 2)Script will check inputs for this round in every 30 seconds and r=
egister a new adddress for output once 5 inputs are registered.
> > > > 3)Similar check happens every 30 seconds for outputs. Last peer sho=
uld create a PSBT.
> > > > 4)Unsigned PSBT will be printed and signed by wallet with `walletpr=
ocesspsbt` RPC.
> > > > 5)Script will check signed PSBTs and last peer to sign should final=
ize coinjoin transaction once 5 signed PSBTs are received.
> > > > 6)Coinjoin transaction will be broadcasted and txid will printed.
> > > >=20
> > > > Example:
> > > >=20
> > > > ```
> > > > List of utxos in wallet:
> > > >=20
> > > > wpkh([53830dca/84'/1'/0'/0/0]02449be5fb74725255eeeb50eba930fa87705f=
21e99d13cd710cf2c1f21153c808)#x2hyyeg5
> > > >=20
> > > > Enter descriptor for the input registration: wpkh([53830dca/84'/1'/=
0'/0/0]02449be5fb74725255eeeb50eba930fa87705f21e99d13cd710cf2c1f21153c808)#=
x2hyyeg5
> > > >=20
> > > > event id: bcbbe62d75d99fed73f1e50ac58a38d1840b658951893e63c0322b378=
d7d56f0
> > > >=20
> > > > tb1qhxrp4zl54ul0twtyz0gury5399q7z0kvqqrl6m registered for output
> > > >=20
> > > > event id: 9449c9065bef356d21507a98f88b028b17fc1c49eb195c8d4420604fc=
aaef041
> > > >=20
> > > > Unsigned PSBT: cHNidP8BAP1yAQIAAAAFtMaoJYcXvOG5L3Yaz3YyS7gIt4h5/zzO=
rRRS3hrVvwoAAAAAAP////+o83geaSm4L76KToIUl5MiZqLAUbIDJLq6DWrjP/3b8AEAAAAA///=
//zEF3CXIvVHpIa7No1s1yg+KtyOfXTRSyWnOdXMfzcDwAQAAAAD/////wMa4XAgnU+39Ien+KG=
9rYtv8bLMNYakmZyY/QFfwLRcAAAAAAP/////5M42ID6uLmQTb2tnFHnN7UMpnDD25uN8ZX7A+G=
NSM3QEAAAAA/////wV4xwEAAAAAABYAFLmGGov0rz71uWQT0cGSkSlB4T7MeMcBAAAAAAAWABSc=
0/FM6Hdbdxh10IJkYOklVFWqjnjHAQAAAAAAFgAUPSZKe/w6PT6qIF+WhL4wHaFymjd4xwEAAAA=
AABYAFMx0rxYlpPWB3NFry4Ctk2eVi/UNeMcBAAAAAAAWABSzc4xK0VTfvjK0MHXrAUFLYgYnOg=
AAAAAAAAAAAAAAAAAAAA=3D=3D
> > > >=20
> > > > event id: 976744b38fa9343fb79e1b5215512ead6ee08e5890d79a201fc5b872f=
6de4eba
> > > >=20
> > > > Signed PSBT: cHNidP8BAP1yAQIAAAAFtMaoJYcXvOG5L3Yaz3YyS7gIt4h5/zzOrR=
RS3hrVvwoAAAAAAP////+o83geaSm4L76KToIUl5MiZqLAUbIDJLq6DWrjP/3b8AEAAAAA/////=
zEF3CXIvVHpIa7No1s1yg+KtyOfXTRSyWnOdXMfzcDwAQAAAAD/////wMa4XAgnU+39Ien+KG9r=
Ytv8bLMNYakmZyY/QFfwLRcAAAAAAP/////5M42ID6uLmQTb2tnFHnN7UMpnDD25uN8ZX7A+GNS=
M3QEAAAAA/////wV4xwEAAAAAABYAFLmGGov0rz71uWQT0cGSkSlB4T7MeMcBAAAAAAAWABSc0/=
FM6Hdbdxh10IJkYOklVFWqjnjHAQAAAAAAFgAUPSZKe/w6PT6qIF+WhL4wHaFymjd4xwEAAAAAA=
BYAFMx0rxYlpPWB3NFry4Ctk2eVi/UNeMcBAAAAAAAWABSzc4xK0VTfvjK0MHXrAUFLYgYnOgAA=
AAAAAQBxAgAAAAG+qpMXZCy6tBuUlgo8JD0GVXKp60FkhwDeg2sF1fkFkwMAAAAA/f///wLo9wE=
AAAAAABYAFFfLA5xarC/w/SxeMDQ5tuXrYJLUWwMAAAAAAAAWABRfPf//hwMjHB4OKj87cU19XO=
Sh7yOWAQABAR/o9wEAAAAAABYAFFfLA5xarC/w/SxeMDQ5tuXrYJLUAQhrAkcwRAIgOIhLoC534=
8U8YkEr4GU1K4yWskIOEXgW4Wsk/W2cR7ICIEJXqtOuDJ5CkwrSuwJLWtzab4dslbN3KuL/pyoo=
MnOCASECRJvl+3RyUlXu61DrqTD6h3BfIemdE81xDPLB8hFTyAgAAAAAACICA77Cnd6o3kr0yc+=
91eabpOn5igs/MUMbudNYSS6oyMWMGFODDcpUAACAAQAAgAAAAIAAAAAAFAAAAAAAAAAA
> > > >=20
> > > > event id: 5846b6e6902f3c5a43496d7d9785ed62444aa74963f03c33d637d8b09=
ee7a139
> > > >=20
> > > > Coinjoin tx: 75e490b10b15a6a0422f25ff66ad98ef70390c8fecaac02712705d=
ce8cc3564b
> > > >=20
> > > > event id: 9b5d4bf279b59e2b6e539e683fba83da72dce2b640360aa95db1b1400=
be93190
> > > > ```
> > > >=20
> > > > There are lot of things that could be improved and a few suggestion=
s are in the gist that described the idea. I would love read to any opinion=
s about this experiment and will start working on creating an Android app f=
or joinstr next week.
> > > >=20
> > > > Credits:
> > > >=20
> > > > - fiatjaf (Nostr)
> > > > - Andrew Chow (PSBT)
> > > > - Jeff Thibault (python-nostr)
> > > > - Existing coinjoin implmentations
> > > >=20
> > > > /dev/fd0
> > > >=20
> > > > Sent with Proton Mail secure email.
> > > >=20
> > > > bitcoin-dev mailing list
> > > > bitcoin-dev@lists.linuxfoundation.org
> > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >=20
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|
