1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
|
Return-Path: <rsomsen@gmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 4841AC016F
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 May 2020 11:34:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id 3548185335
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 May 2020 11:34:32 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id hldJomuvfI8q
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 May 2020 11:34:31 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-ed1-f53.google.com (mail-ed1-f53.google.com
[209.85.208.53])
by whitealder.osuosl.org (Postfix) with ESMTPS id C08EE84AE3
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 May 2020 11:34:30 +0000 (UTC)
Received: by mail-ed1-f53.google.com with SMTP id r16so10803289edw.5
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 May 2020 04:34:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=Ttyzz+3eKcToR7koq25INkoytVyiojXTksIJ2+Kv4zI=;
b=gs1wx2Xsi1ImzFXCwJbPPvp3vri4S+zJdk+ge8ZvTmlgw2JiGsdARnKKcbvcSz2317
ZQLA0uRqUuDk8Sc98zI9EzlnPwxwbYtciTrRv3Y+9NJDKP28TuEzO7D0ewQuk3CCwHQ4
I859/4UInXIe82JciNHBO1Lz1fNJxcwbQARZn+Q/mr17QonjZVlTRBwPtZsQQHg7RV5O
ebnDD1s3YdJKzeT45oUumsmL0x/3GPj2hpB+SbMWznYgjb6o0ybhZjx+jTTVkWfVlWnp
awoga0uC663WbVjK/KDx55/U975mwHpYPwrV9g0L47PTymxgrsC8uUbLwIlHAKZiBMhi
Hk0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=Ttyzz+3eKcToR7koq25INkoytVyiojXTksIJ2+Kv4zI=;
b=InJKKBJ+CJZB4cwnP2p6QIoB11rhnrsn1c5XrolC4R+LJ/H9jViwSGSBdNQR4bpHtq
jAM90f2yX1ri+1mE2VJks7XtQQrnLqCnkThopTRPHDX3/Y6j2OYx32RLOjB4fgLZXNR9
LlHXWz78Xztsio322JKDkgzdj7pyFyiLiXH/WdXVXbpNrvYwvOf591WLDKASPy3Jv1J1
doNCqYrtKH7EQw6NOJQSbxqhIxhmJq5LRdGDHF1T6xfOJLHpCEgFEigvsEd2PaDNqq3v
0GrCWLBoZkCqZ1FW/MDcG+l3fBgo0dZzay6ijZMySvr62+QMS83RTuGObIhLkEZpRQfU
yFXQ==
X-Gm-Message-State: AGi0PuZGQJDdaAeX00unrp2etCd5dqiGtbQJLfGDzS9tPecjvM75RRZ0
ooY8XqWPuCT06EtXMjjHW4ZQvNofzOTQ2pjuBKnDNPNL
X-Google-Smtp-Source: APiQypJMerCkbdVmS1M0in0Qk92AsMXMX3ib3eM5EgNyjRCN+ePrnXSm6vud3F9oinrjaxaO6rnbHvOFYP8TrY12GWg=
X-Received: by 2002:a05:6402:120a:: with SMTP id
c10mr16355120edw.15.1589283268785;
Tue, 12 May 2020 04:34:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAPv7TjZGBbf6f1y49HLFD2eNiP5d4e+=dFGqiMFs6jaeYyH-NQ@mail.gmail.com>
<CAH5Bsr1d57pzmNgakt=Q2M+Ey+PL9jUVUPeJ_aFj0L0TBAHzKw@mail.gmail.com>
<CAH5Bsr1paP8dmo_z6VoEHYvB_SpD4Piw91LeLJBMgFph7Qrtfg@mail.gmail.com>
<CAPv7TjYqC73zRQq2yQy9RpeHUUexjSS23uU9VwJvvoRr50p2vA@mail.gmail.com>
In-Reply-To: <CAPv7TjYqC73zRQq2yQy9RpeHUUexjSS23uU9VwJvvoRr50p2vA@mail.gmail.com>
From: Ruben Somsen <rsomsen@gmail.com>
Date: Tue, 12 May 2020 13:34:17 +0200
Message-ID: <CAPv7TjaJk5gsyZsZBfbKmjDF5-ijqcONEMtkowb1Y=2D38vRow@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000aefa5505a571d83f"
X-Mailman-Approved-At: Tue, 12 May 2020 11:35:10 +0000
Subject: Re: [bitcoin-dev] SAS: Succinct Atomic Swap
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 11:34:32 -0000
--000000000000aefa5505a571d83f
Content-Type: text/plain; charset="UTF-8"
Hi Lloyd,
>In my opinion, this protocol is theoretical breakthrough as well as a
practical protocol. Well done!
Thanks for the kind praise, and for providing a summary of what you think
makes the protocol useful. Your different perspective is undoubtedly useful
for others who are trying to understand it.
>We might call this a "Forced Refund *TLC"
Good description, I like it.
>The advantages that Ruben's two tx protocol has over this is that
timelocks and monitoring is only needed on one of the chains.
Well put, and I agree with your point that the traditional 4 tx protocol
can also be turned into 2 tx with an online requirement. One minor thing to
add is that this would make the 4 tx protocol more clunky in the
non-cooperative case (a 4 tx timeout). In the SAS protocol it comes at no
cost.
Cheers,
Ruben
On Tue, May 12, 2020 at 1:30 PM Ruben Somsen <rsomsen@gmail.com> wrote:
> Hi ZmnSCPxj,
>
> >Would this not work?
>
> I considered and rejected that model for the following reason: there are
> moments where both Alice and Bob can claim the BTC. If they both attempt to
> do so, it also reveals both secrets, causing the LTC to also be claimable
> by both parties. This chaotic scenario is a failure mode that did not seem
> acceptable to me. The revoke transaction was specifically added to mitigate
> that issue (invalidating any attempt of Bob to claim the coins and reveal
> his secret). That said, it doesn't particularly seem in either party's
> interest wait until a moment where two timelocks become valid, so maybe it
> is not quite as bad as I thought. However, it still means that the
> incompetence/malevolence of one party can lead to losses for both parties.
> I have my doubts a gain in privacy in the uncooperative case is worth that
> risk.
>
> Of course it also reverts the protocol to 3 transactions, instead of 2,
> but regardless, not having to watch the chain is probably more practical in
> many cases. As an aside, if both chains support timelocks then we can
> ensure that the more expensive chain only receives one transaction.
>
> >if relative locktimes are used as often as absolute locktimes for
> block-sniping-prevention and a decent Scriptless Script system, then all
> protocol aborts should be doable with no information leaks
>
> I see your point, interesting observation.
>
> >A sidenote as well, that if Alice typically uses an HD wallet, the UTXO
> on the LTC side would not be in that HD, and if Alice wants to cold-store
> the LTC, it should move the money as well into an HD pubkey.
>
> Agreed, I had that listed as one of the disadvantages: "Access to money is
> contingent on remembering secrets (backup complexity)"
>
> Cheers,
> Ruben
>
>
> On Tue, May 12, 2020 at 8:50 AM Lloyd Fournier <lloyd.fourn@gmail.com>
> wrote:
>
>> A quick correction to my post:
>>
>>>
>>> Here's where the truly novel part comes in. Ruben solves this by
>>> extending the standard *TLC contract:
>>> 1. Bob redeem with secret
>>> 2. Alice refund after T1
>>> 3. Bob redeem without secret after T2
>>>
>>> This is actually:
>>
>> 1. Bob redeem with redeem secret
>> 2. Alice refund after T1 with refund secret
>> 3. Bob redeem without secret after T2
>>
>> The fact that Alice reveals a secret when she refunds is crucial.
>>
>> LL
>>
>
--000000000000aefa5505a571d83f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>Hi Lloyd,</div><div><br></div><div>>In my opinion,=
this protocol is theoretical breakthrough as well as a practical protocol.=
Well done!<br></div><div><br></div><div>Thanks for the kind praise, and fo=
r providing a summary of what you think makes the protocol useful. Your dif=
ferent perspective is undoubtedly useful for others who are trying to under=
stand it.</div><div><br></div><div>>We might call this a "Forced Re=
fund *TLC"</div><div><br></div><div>Good description, I like it.</div>=
<div><br></div><div>>The advantages that Ruben's two tx protocol has=
over this is that timelocks and monitoring is only needed on one of the ch=
ains.=C2=A0=C2=A0=C2=A0<br></div><div><br></div><div>Well put, and I agree =
with your point that the traditional 4 tx protocol can also be turned into =
2 tx with an online requirement. One minor thing to add is that this would =
make the 4 tx protocol more clunky in the non-cooperative case (a 4 tx time=
out). In the SAS protocol it comes at no cost.</div><div><br></div><div>Che=
ers,</div><div>Ruben</div></div><br><div class=3D"gmail_quote"><div dir=3D"=
ltr" class=3D"gmail_attr">On Tue, May 12, 2020 at 1:30 PM Ruben Somsen <=
<a href=3D"mailto:rsomsen@gmail.com">rsomsen@gmail.com</a>> wrote:<br></=
div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bor=
der-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">Hi Z=
mnSCPxj,<br><br>>Would this not work?<br><br>I considered and rejected t=
hat model for the following reason: there are moments where both Alice and =
Bob can claim the BTC. If they both attempt to do so, it also reveals both =
secrets, causing the LTC to also be claimable by both parties. This chaotic=
scenario is a failure mode that did not seem acceptable to me. The revoke =
transaction was specifically added to mitigate that issue (invalidating any=
attempt of Bob to claim the coins and reveal his secret). That said, it do=
esn't particularly seem in either party's interest wait until a mom=
ent where two timelocks become valid, so maybe it is not quite as bad as I =
thought. However, it still means that the incompetence/malevolence of one p=
arty can lead to losses for both parties. I have my doubts a gain in privac=
y in the uncooperative case is worth that risk.<br><br>Of course it also re=
verts the protocol to 3 transactions, instead of 2, but regardless, not hav=
ing to watch the chain is probably more practical in many cases. As an asid=
e, if both chains support timelocks then we can ensure that the more expens=
ive chain only receives one transaction.<br><br>>if relative locktimes a=
re used as often as absolute locktimes for block-sniping-prevention and a d=
ecent Scriptless Script system, then all protocol aborts should be doable w=
ith no information leaks<br><br>I see your point, interesting observation.<=
br><br>>A sidenote as well, that if Alice typically uses an HD wallet, t=
he UTXO on the LTC side would not be in that HD, and if Alice wants to cold=
-store the LTC, it should move the money as well into an HD pubkey.<br><br>=
Agreed, I had that listed as one of the disadvantages: "Access to mone=
y is contingent on remembering secrets (backup complexity)"<div><br></=
div><div>Cheers,</div><div>Ruben</div></div><br><br><div class=3D"gmail_quo=
te"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, May 12, 2020 at 8:50 AM L=
loyd Fournier <<a href=3D"mailto:lloyd.fourn@gmail.com" target=3D"_blank=
">lloyd.fourn@gmail.com</a>> wrote:<br></div><blockquote class=3D"gmail_=
quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,=
204);padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr">A quick correction=
to my post:</div><div class=3D"gmail_quote"><blockquote class=3D"gmail_quo=
te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204=
);padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><div><br></div><div>H=
ere's where the truly novel part comes in. Ruben solves this by extendi=
ng the standard *TLC contract:</div><div>1. Bob redeem with secret</div><di=
v>2. Alice refund after T1</div><div>3. Bob redeem without secret after T2<=
/div><div><br></div></div></div></blockquote><div>This is actually:</div><d=
iv><br></div><div>1. Bob redeem with redeem secret</div><div>2. Alice refun=
d after T1 with refund secret</div><div>3. Bob redeem without secret after =
T2</div><div><br></div><div>The fact that Alice reveals a secret when she r=
efunds is crucial.</div><div><br></div><div>LL=C2=A0</div></div></div>
</blockquote></div>
</blockquote></div>
--000000000000aefa5505a571d83f--
|