Date: Mon, 01 Jun 2020 02:34:03 +0000
To: Ruben Somsen <rsomsen@gmail.com>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <WKC6zH0X8ad2bK_JwklQegyJBKf5rTp1Ub_fPPPkS_EeIkIoc_wcRd9k3a_aq6sFIZ3-gOtG9ubWq3gTPG5fZW5aA1s_2C8-emEsr67Qxjk=@protonmail.com>
In-Reply-To: <CAPv7TjZn6+j10a_X_vCG3Qn1Fv19uidw50Cf38NNUvp8m+uh2w@mail.gmail.com>
References: <82d90d57-ad07-fc7d-4aca-2b227ac2068d@riseup.net>
 <CAPv7TjY9h8n-nK_CPiYCWYDcbXpT1gfRMQDgf9VUkcR532rxOw@mail.gmail.com>
 <VxL93WE7bDrK1riquTWTTEgJj9mDQ4W5CuhOgdnnDPeidw2ho6evVh4cLZLz0jEYMqejaD1tiLULVTXkNRbI5A7wSwV49qSwnXcTWCDJ96E=@protonmail.com>
 <CAPv7TjZn6+j10a_X_vCG3Qn1Fv19uidw50Cf38NNUvp8m+uh2w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Design for a CoinSwap implementation for
	massively improving Bitcoin privacy and fungibility
Precedence: list

Good morning Ruben,


>
> That assumes there will be a second transaction. With SAS I believe we ca=
n avoid that, and make it look like this:
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0+---+
> =C2=A0 =C2=A0 Alice ---| =C2=A0 |--- Bob
> =C2=A0 =C2=A0 Alice ---| =C2=A0 |
> =C2=A0 =C2=A0 =C2=A0 Bob ---| =C2=A0 |
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0+---+

If Alice is paying to a non-SAS aware payee that just provides an onchain a=
ddress (i.e. all current payees today), then the 2-of-2 output it gets from=
 the swap (both of whose keys it learns at the end of the swap) is **not** =
the payee onchain address.
And it cannot just hand over both private keys, because the payee will stil=
l want unambiguous ownership of the entire UTXO.
So it needs a second transaction anyway.
(with Schnorr then Alice and payee Carol can act as a single entity/taker t=
o Bob, a la Lightning Nodelets using Composable MuSig, but that is a pretty=
 big increase in protocol complexity)

If Alice does not want to store the remote-generated privkey as well, and u=
se only an HD key, then it also has to make the second transaction.
Alice might want to provide the same assurances as current wallets that mem=
orizing a 12-word or so mnemonic is sufficient backup for all the funds (ot=
her than funds currently being swapped), and so would not want to leave any=
 funds in a 2-of-2.

If Bob is operating as a maker, then it also cannot directly use the 2-of-2=
 output it gets from the swap, and has to make a new 2-of-2 output, for the=
 *next* taker that arrives to request its services.

So there is always going to be a second transaction in a SwapMarket system,=
 I think.


What SAS / private key turnover gets us is that there is not a *third* tran=
saction to move from a 1-of-1 to the next address that makers and takers wi=
ll be moving anyway, and that the protocol does not have to add communicati=
on provisions for special things like adding maker inputs or specifying all=
 destination addresses for the second stage and so on, because those can be=
 done unilaterally once the private key is turned over.


> >A thing I have been trying to work out is whether SAS can be done with m=
ore than one participant, like in S6
>
> S6 requires timelocks for each output in order to function, so I doubt it=
 can be made to work with SAS.

Hmmm right right.

Naively it seems both chaining SAS/private key turnover to multiple makers,=
 and a multi-maker S6 augmented with private key turnover, would result in =
the same number of transactions onchain, but I probably have to go draw som=
e diagrams or something first.

But S6 has the mild advantage that all the funding transactions paying to 2=
-of-2s *can* appear on the same block, whereas chaining swaps will have a p=
articular order of when the transactions appear onchain, which might be use=
d to derive the order of swaps.
On the other hand, funds claiming in S6 is also ordered in time, so someone=
 paying attention to the mempool could guess as well the order of swaps.


Regards,
ZmnSCPxj