Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 3362EA7A for ; Sat, 27 Jul 2019 19:35:36 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from newmail.dtrt.org (li1228-87.members.linode.com [45.79.129.87]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B2C24FE for ; Sat, 27 Jul 2019 19:35:35 +0000 (UTC) Received: from harding by newmail.dtrt.org with local (Exim 4.89) (envelope-from ) id 1hrSTb-0005nq-K8; Sat, 27 Jul 2019 15:35:31 -0400 Date: Sat, 27 Jul 2019 09:34:17 -1000 From: "David A. Harding" To: Chris Belcher , Bitcoin Protocol Discussion Message-ID: <20190727193417.cxf544dbempencql@ganymede> References: <985792b1-e7aa-677b-a7a1-6a5f672da884@riseup.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <985792b1-e7aa-677b-a7a1-6a5f672da884@riseup.net> User-Agent: NeoMutt/20180716 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 27 Jul 2019 20:17:43 +0000 Subject: Re: [bitcoin-dev] Improving JoinMarket's resistance to sybil attacks using fidelity bonds X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Jul 2019 19:35:36 -0000 On Thu, Jul 25, 2019 at 12:47:54PM +0100, Chris Belcher via bitcoin-dev wrote: > A way to create a fidelity bond is to burn an amount of bitcoins by > sending to a OP_RETURN output. Another kind is time-locked addresses > created using OP_CHECKLOCKTIMEVERIFY where the valuable thing being > sacrificed is time rather than money, but the two are related because of > the time-value-of-money. Timelocking bitcoins, especially for long periods, carries some special risks in Bitcoin: 1. Inability to sell fork coins, also creating an inability to influence the price signals that help determine the outcome of chainsplits. 2. Possible inability to transition to new security mechanisms if a major weakness is discovered in ECC or a hash function. An alternative to timelocks might be coin age---the value of a UTXO multiplied by the time since that UTXO was confirmed. Coin age may be even harder for an attacker to acquire given that it is a measure of past patience rather than future sacrifice. It also doesn't require using any particular script and so is flexible no matter what policy the coin owner wants to use (especially if proof-of-funds signatures are generated using something like BIP322). Any full node (archival or pruned) can verify coin age using the UTXO set.[1] Unlike script-based timelock (CLTV or CSV), there is no current SPV-level secure way to prove to lite clients that an output is still unspent, however such verification may be possible within each lite client's own security model related to transaction withholding attacks: - Electrum-style clients can poll their server to see if a particular UTXO is unspent. - BIP158 users who have saved their past filters to disk can use them to determine which blocks subsequent to the one including the UTXO may contain a spend from it. However, since a UTXO can be spent in the same block, they'd always need to download the block containing the UTXO (alternatively, the script could contain a 1-block CSV delay ensuring any spend occurred in a later block). If BIP158 filters become committed at some point, this mechanism is upgraded to SPV-level security. > Note that a long-term holder (or hodler) of bitcoins can buy time-locked > fidelity bonds essentially for free, assuming they never intended to > transact with their coins much anyway. This is the thing I most like about the proposal. I suspect most honest makers are likely to have only a small portion of their funds under JoinMarket control, with the rest sitting idle in a cold wallet. Giving makers a way to communicate that they fit that user template would indeed seem to provide significant sybil resistance. -Dave [1] See, bitcoin-cli help gettxout