1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
|
Return-Path: <alicexbt@protonmail.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
by lists.linuxfoundation.org (Postfix) with ESMTP id 31F79C0032
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 20 Aug 2023 17:13:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 04A4060B2D
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 20 Aug 2023 17:13:55 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 04A4060B2D
Authentication-Results: smtp3.osuosl.org;
dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com
header.a=rsa-sha256 header.s=protonmail3 header.b=rfIXyZp9
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ZfBm-MmECgDO
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 20 Aug 2023 17:13:53 +0000 (UTC)
Received: from mail-4327.protonmail.ch (mail-4327.protonmail.ch [185.70.43.27])
by smtp3.osuosl.org (Postfix) with ESMTPS id 1325960AFD
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 20 Aug 2023 17:13:52 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 1325960AFD
Date: Sun, 20 Aug 2023 17:13:33 +0000
Authentication-Results: mail-4321.protonmail.ch;
dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com
header.b="rfIXyZp9"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
s=protonmail3; t=1692551619; x=1692810819;
bh=dECWS8o/iA/Ir1kxo8qH7pABu0oPc2+DE4wFGJB3N+8=;
h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
Message-ID:BIMI-Selector;
b=rfIXyZp9+NIiJSMa6eLbOcsPFonFwcn07JkwCvU+/G6iCPADg/V8pIUVBeU1Uit1F
VLLot3JkjgcJxbjSpyrl+gJjRUMG65PrzaHAU1aTxaxNhkvD2CSttYOO0xvUfhnpYF
WpqoRJjxsrCrKDHnucZNe42dr1MvszllNquQJ4lZ/sWNU6Kb6fw4fBcYApOjkcsO3M
h8WHBgnrzglKDVMii/g2pidHDlAjGUBRupp66MFt5e1YCywloN10J8ARL2bPWLQZcF
vhkA+G4qkgegxNG+K3MxmsSBmDkDsON9fffizQRvjbJ3bniyICEqxyL2iHpoTpWPOl
TEJtDtADwcSjw==
To: Dan Gould <d@ngould.dev>
From: alicexbt <alicexbt@protonmail.com>
Message-ID: <8qSa5NNuqF64Yg-R-OvO34IYBI0efPOUYYGrFBwvhsDuRMdQzcA6joTi0BNdBkoGgZQgBut257mfwX1e-bDdExlmcxdtRrSjCtWYPBlne6M=@protonmail.com>
In-Reply-To: <3C0A6E4C-444E-4E75-829C-1A21D8EE40E0@ngould.dev>
References: <3C0A6E4C-444E-4E75-829C-1A21D8EE40E0@ngould.dev>
Feedback-ID: 40602938:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Mon, 21 Aug 2023 00:12:10 +0000
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Serverless Payjoin
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Aug 2023 17:13:55 -0000
Hi Dan,
May be too late to reply. Sorry.
Based on our last communication, I wanted to share these points after readi=
ng https://payjoin.substack.com/p/serverless-payjoin-gets-its-wings so that=
other can also evaluate them:
1) I don't think NIP 4 has any security issues. Maybe privacy issues. Its j=
ust metadata leak which should be okay if a new npub is used every time use=
rs do payjoin. Message itself will remain secret because it's encrypted.
2) Backwards compatibility due to npub, relay etc. shared in payjoin URI as=
implemented by Kukks. Not sure how to fix this.
3) Relays have no incentive to anything malicious if multiple relays are us=
ed. Although I am still not clear what malicious activity can they do with =
encrypted messages.
4) IP address is an issues with lot of projects and this can be managed by =
users or wallet implementation with the use of RiseupVPN, Tor, i2p etc.
5) Random padding suggested by a few senior devs makes sense.
/dev/fd0
floppy disk guy
------- Original Message -------
On Monday, January 23rd, 2023 at 2:20 AM, Dan Gould via bitcoin-dev <bitcoi=
n-dev@lists.linuxfoundation.org> wrote:
> Hi all,
>=20
> I'm publishing a payjoin upgrade in response to a request from this list.=
The payjoin receiver no longer has to run a public server. They lean on a =
relay for the connection and share a symmetric-key for security rather than=
a TLS certificate or a Tor hidden service.
>=20
> I think this work raises a greater problem which is that payjoin assumes =
synchronous communication while it=E2=80=99s an asynchronous world.
>=20
> I added the full write-up in plain text below, though I recommend reading=
the gist for improved formatting and in order to benefit from future edits=
:
> https://gist.github.com/DanGould/243e418752fff760c9f6b23bba8a32f9
>=20
> Best regards,
> Dan
>=20
>=20
>=20
> Serverless Payjoin
>=20
>=20
> Receive surveillance-busting bitcoin transfers without hosting a secure e=
ndpoint
>=20
>=20
>=20
> OVERVIEW
>=20
>=20
> Payjoin[1] solves the sole privacy problem left open in the bitcoin paper=
, that transactions with multiple inputs "necessarily reveal that their inp=
uts were owned by the same owner."[2] Breaking that common-input ownership =
assumption requires contributions from multiple owners via interaction, nam=
ely hosting a server endpoint secured by a certificate on the receiving sid=
e. This problem has been singled out on this list as a barrier to greater p=
ayjoin adoption.[3]
>=20
> Instead of a peer-hosted endpoint, this scheme weilds a TURN[4] relay for=
connectivity and symmetric cryptography for security. Without a replacemen=
t for secured networking, the relay could steal funds. Aside from a pre-sha=
red secret and relayed networking, the protocol takes the same form as the =
existing BIP 78 payjoin spec.
>=20
>=20
>=20
> BASIC SCHEME
>=20
>=20
> The recipient requests that the relay allocate them an endpoint at which =
they may be reached by UDP. Once allocated, they listen on it. They then ge=
nerate a 256-bit key, psk. Out of band, they share a BIP 21[5] payjoin uri =
including their unique relay allocation endpoint in the pj query parameter =
and psk in a new psk query parameter.
>=20
> The sender constructs their request containing an original PSBT as in BIP=
78. Instead of sending it over TLS or Tor, they follow noise framework NNp=
sk0[6] pattern. They encrypt the request using psk alongside an ephemeral s=
ender key and MAC. The resulting ciphertext ensures message secrecy and int=
egrity when relayed to the recipient by the pj endpoint.
>=20
> The pay-to-endpoint protocol proceeds to produce a payjoin as in BIP 78 e=
xcept that messages are secured by the noise NNpsk0 pattern rather than TLS=
or Tor.
>=20
>=20
>=20
> IMPROVEMENTS
>=20
>=20
> HTTP/3
>=20
> TURN defaults to UDP. In order to adhere to the BIP 78 protocol HTTP mess=
aging, HTTP/3 should be used on top of TURN/UDP.
> Offline Asynchronous Payjoins
>=20
> It may be possible for a relay to hold a requeust for an offline payjoin =
peer until that peer comes online. However, the BIP 78 spec recommends broa=
dcasting request PSBTs in the case of an offline counterparty. Doing so exp=
oses a na=C3=AFve, surveillance-vulnerable transaction which payjoin intend=
s to avoid. More research needs to be done before such a protocol can be re=
commended.
>=20
>=20
> Nostr
>=20
> While a custom Nostr relay could in theory replace the TURN relay while s=
haring shnorr crypto with bitcoin, it would require another protocol to syn=
chronize networking, since Nostr makes no assumptions about whether a peer =
is online or not, and a careful cryptography audit to secure. TURN and Nois=
e are already well understood, tested, and have production library support =
across multiple popular languages and other bitcoin-related projects. Noise=
even has tooling for formal verification. Nostr relays may prove more like=
ly to allow public access and more robust if we figure out async payjoin, h=
owever.
>=20
>=20
>=20
> NOTEWORTHY DETAILS
>=20
>=20
> Attack vectors
>=20
> Since TURN relays can be used for any kind of internet traffic they are v=
ulnerable to the tragedy of the commons. Relay operators may impose authent=
ication requirements for endpoint allocation provisions.
>=20
> Since psk is a symmetric key, the first message containing the sender's o=
riginal PSBT does not have forward secrecy.
>=20
>=20
> Network Privacy
>=20
> Peers will only see the IP address of the TURN relay but not their peer's=
. TURN relays may be made available via Tor hidden service in addition to I=
P to allow either of the peers to protect their IP with Tor without forcing=
the other to use it too.
>=20
>=20
>=20
> IMPLEMENTATION
>=20
>=20
> I've published working proof of concept sender, receiver clients and rela=
y code in rust[7]
>=20
>=20
>=20
> ACKNOWLEDGEMENTS
>=20
>=20
> Deepest gratitude to Ethan Heilman for sitting down with me to help get t=
o the bottom of the requirements of this problem, to Ruben Somsen for this =
slick format, and to all those engaged in defending the right to privacy.
>=20
>=20
>=20
> REFERENCES
>=20
>=20
> [1] BIP 78 A Simple Payjoin Proposal, Nicolas Doier:
> https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki
>=20
> [2] Bitcoin: A Peer-to-Peer Electronic Cash System, Satoshi Nakamoto:
> https://chaincase.app/bitcoin.pdf
>=20
> [3] [bitcoin-dev] PayJoin adoption, Craig Raw:
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/0183=
58.html
>=20
> [4] RFC 5766: Traversal Using Relays around NAT (TURN):
> https://www.rfc-editor.org/rfc/rfc5766
>=20
> [5] BIP 21 URI Scheme, Nils Schneider, Matt Corallo:
> https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki
>=20
> [6] Noise Explorer: NNpsk0:
> https://noiseexplorer.com/patterns/NNpsk0
>=20
> [7] Serverless PayJoin PoC:
> https://github.com/chaincase-app/payjoin/pull/21
>=20
>=20
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|
