1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
Return-Path: <belcher@riseup.net>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 7C4ECC5C
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 6 Aug 2019 10:27:23 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id DB74D82D
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 6 Aug 2019 10:27:22 +0000 (UTC)
Received: from bell.riseup.net (bell-pn.riseup.net [10.0.1.178])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "*.riseup.net",
Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
by mx1.riseup.net (Postfix) with ESMTPS id 8FF231A0D1D
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 6 Aug 2019 03:27:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
t=1565087242; bh=yKIDJNxT3XW/IKd00r9/iVTGg5yl9ynISYTeaUVIzK0=;
h=Subject:To:References:From:Date:In-Reply-To:From;
b=DpU7thyElOnOvg/AorP2Q9iW6o+M+SYUy6prpUlFM2nNIRdJA+72z6lYQArrWw8b0
zAvBs444cE6A3PXS9oeniubKZSJI+4FDVY97nvARM0sILlbJShV90SW+36nwOJwM0V
JtYdA4l3/DdF5uB6g49mQIyMlNlQ2eJi6eTKrQg0=
X-Riseup-User-ID: 6103D23761BDC8B31C1177E591A51C46CCF61BE6AFBA761339BBB3D4F1633D28
Received: from [127.0.0.1] (localhost [127.0.0.1])
by bell.riseup.net (Postfix) with ESMTPSA id 0A8DF222A5E
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 6 Aug 2019 03:27:21 -0700 (PDT)
To: bitcoin-dev@lists.linuxfoundation.org
References: <985792b1-e7aa-677b-a7a1-6a5f672da884@riseup.net>
<94534006-D560-4C90-9D5D-A3A64B698518@gmail.com>
<20190726143738.0be561da@simplexum.com>
<3c328312-2bdd-60d9-7425-8db620d09abb@riseup.net>
<20190731205018.10ed4302@simplexum.com>
<ae32dcbb-c950-3b3f-22b9-d152d6b221cb@riseup.net>
<20190802145057.7b81c597@simplexum.com>
<ad501873-8912-765e-8df5-c9b0451fcd0a@riseup.net>
<3a9a9277-130d-fbb2-fa51-6119a2242812@LeoWandersleb.de>
From: Chris Belcher <belcher@riseup.net>
Openpgp: preference=signencrypt
Autocrypt: addr=belcher@riseup.net; prefer-encrypt=mutual; keydata=
mQINBFPk74oBEACzBLjd+Z5z7eimqPuObFTaJCTXP7fgZjgVwt+q94VQ2wM0ctk/Ft9w2A92
f14T7PiHaVDjHxrcW+6sw2VI2f60T8Tjf+b4701hIybluWL8DntG9BW19bZLmjAj7zkgektl
YNDUrlYcQq2OEHm/MGk6Ajt2RA56aRKqoz22e+4ZA89gDgamxUAadul7AETSsgqOEUDI0FKR
FODzoH65w1ien/DLkG1f76jd0XA6AxrESJVO0JzvkTnJGElBcA37rYaMmDi4DhG2MY4u63VE
8h6DyUXcRhmTZIAj+r+Ht+KMDiuiyQcKywCzzF/7Ui7YxqeAgjm5aPDU2E8X9Qd7cqHQzFM7
ZCqc9P6ENAk5a0JjHw0d0knApboSvkIJUB0j1xDIS0HaRlfHM4TPdOoDgnaXb7BvDfE+0zSz
WkvAns9oJV6uWdnz5kllVCjgB/FXO4plyFCHhXikXjm1XuQyL8xV88OqgDFXwVhKrDL9Pknu
sTchYm3BS2b5Xq1HQqToT3I2gRGTtDzZVZV0izCefJaDp1mf49k2cokDEfw9MroEj4A0Wfht
0J64pzlBYn/9zor5cZp/EAblLRDK6HKhSZArIiDR1RC7a6s7oTzmfn0suhKDdTzkbTAnDsPi
Dokl58xoxz+JdYKjzVh98lpcvMPlbZ+LwIsgbdH4KZj7mVOsJwARAQABtB9DaHJpcyBCZWxj
aGVyIDxmYWxzZUBlbWFpbC5jb20+iQI+BBMBAgAoBQJT5O+KAhsDBQkSzAMABgsJCAcDAgYV
CAIJCgsEFgIDAQIeAQIXgAAKCRDvc06md/MRKS8jD/9P9fSYSIVjltL9brAMfIu7wJn0H0lX
TbcuCM2uQitJ3BNxI3c7aq5dEby27u5Ud54otncDJuRPQVDKs6H7t1rInitgJ1MTQ9/aQGFA
btKcgtVIMFbeClzTTfWr4W7fE45NI7E9EANgk5JfmWh3U+KINYLF5RtqynYocrsP6zOV+G9A
HCpBemd9TN60CoMLMyMzTHEW1oQffaVAXY8DgthEYO/odWYIod7VTmEm0zU1aSysPqMwPWNm
8XIl0f8SfKQyZlAU8e1eCFVCenkE44FKC5qQNYc2UxexEYtfCWChTGc4oHKxIyYmTCCefsQF
LvgwtvlNHRXHSDKSPSNcRcpl8DFpNEKrmMlkJ8Mx+YR05CydlTQ0bI3FBohJC+UHrjD5I3hA
wJUC1o+yVSOEd+zN3cG1EECIwkEQSmBgG5t/le2RdzfXOdpf9ku2/zoBpq00R54JxUKlfRM7
OPTv7X+1AKHkxOySdCZwGgvdh2Whuqs4kTvtco00gCFM9fBd5oi1RJuHtxHsj8+/XU15UItb
jeo96CIlM5YUeoRLPT5mxZYWgYAARFeSFReNq/Tuwq9d8EokUrtAyrPayznliy53UJfWDVzl
925c0Cz0HWaP2fWj+uFcj/8K0bhptuWJQy0Poht1z3aJC1UjEgr1Xz8I7jeSJmIlA9plcJw2
k4dhWbkCDQRT5O+KARAAyFxAM28EQwLctr0CrQhYWZfMKzAhCw+EyrUJ+/e4uiAQ4OyXifRr
ZV6kLRul3WbTB1kpA6wgCShO0N3vw8fFG2Cs6QphVagEH8yfQUroaVxgADYOTLHMOb7INS8r
KI/uRNmE6bXTX27oaqCEXLMycqYlufad7hr42S/T8zNh5m2vl6T/1Poj2/ormViKwAxM+8qf
xd8FNI4UKmq2zZE9mZ5PiSIX0qRgM0yCvxV39ex/nhxzouTBvv4Lb1ntplR/bMLrHxsCzhyM
KDgcX7ApGm+y6YEsOvzw9rRCRuJpE4lth8ShgjTtNTHfklBD6Ztymc7q7bdPWpKOEvO5lDQ6
q8+KfENv862cOLlWLk7YR2+mHZ1PXGhWC7ggwEkfGJoXo0x8X+zgUKe2+9Jj4yEhfL0IbFYC
z2J5d+cWVIBktI3xqkwLUZWuAbE3vgYA4h8ztR6l18NTPkiAvpNQEaL4ZRnAx22WdsQ8GlEW
dyKZBWbLUdNcMmPfGi5FCw2nNvCyN6ktv5mTZE12EqgvpzYcuUGQPIMV9KTlSPum3NLDq8QI
6grbG8iNNpEBxmCQOKz2/BuYApU2hwt2E44fL8e6CRK3ridcRdqpueg75my6KkOqm8nSiMEc
/pVIHwdJ9/quiuRaeC/tZWlYPIwDWgb8ZE/g66z35WAguMQ+EwfvgAUAEQEAAYkCJQQYAQIA
DwUCU+TvigIbDAUJEswDAAAKCRDvc06md/MRKaZwD/9OI3o3gVmst/mGx6hVQry++ht8dFWN
IiASPBvD3E5EWbqWi6mmqSIOS6CxjU0PncxTBPCXtzxo/WzuHGQg/xtNeQ0T8b2lBScZAw93
qm1IcHXLUe5w/Tap6YaDmSYCIZAdtbHzYfPW4JK7cmvcjvF8jhTFOBEOFVQkTi19G7caVot0
+wL1e2DRHDXAe5CinEpaLBlwHeEu/5j6wc3erohUZlK9IbAclj4iZTQbaq3EyqUXl59dBOON
xmL5edJxzVishIYQGIyA9WP1SylXt+kO82NEqZG2OxdXAlzjuJ8C2pAG+nbLtDo4hcsiN/MA
aX9/JB7MXclT5ioerF4yNgKEdfq7LmynsTUd8w/Ilyp7AD+BWoujyO94i8h9eKvjf9PvSwxQ
uAjRpxne7ZJD8vCsMNXBHSbeEK2LiwStHL/w473viXpDD53J6OLxX6a5RummR+rixbMH7dgK
MJQ7FlyDphm3or6CSkGEir1KA0y1vqQNFtHhguFapAWMDKaJjQQNgvZUmOo6hbZqmvUF1OWc
d6GA6j3WOUe3fDJXfbq6P9Jmxq64op887dYKsg7xjQq/7KM7wyRcqXXcbBdgvNtVDP+EnzBN
HyYY/3ms4YIHE5JHxQ9LV4yPcWkYTvb1XpNIFVbrSXAeyGHVNT+SO6olFovbWIC3Az9yesaM
1aSoTg==
Message-ID: <7a42fc7c-2e89-deae-12d6-8f7f5a46b915@riseup.net>
Date: Tue, 6 Aug 2019 11:27:17 +0100
MIME-Version: 1.0
In-Reply-To: <3a9a9277-130d-fbb2-fa51-6119a2242812@LeoWandersleb.de>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] Improving JoinMarket's resistance to sybil
attacks using fidelity bonds
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 10:27:23 -0000
On 06/08/2019 02:51, Leo Wandersleb via bitcoin-dev wrote:
> On 8/6/19 7:04 AM, Chris Belcher via bitcoin-dev wrote:
>> However, there _is_ a cost to being a sybil attacker. If we define
>> honest makers as entities who run just one maker bot, and dishonest
>> makers as entities who run multiple maker bots, then we can say that
>> running a dishonest maker operation requires a sacrifice of fee income,
>> because someone doing that would earn more money if they ran an honest
>> maker instead. This happens because of the quadratic V^2 term in the
>> formula calculating the fidelity bond value, which provides this
>> incentive for lumping together fidelity bonds. This V^2 is probably the
>> most important part for privacy.
>
> As established above, there will emerge a market to lock coins, so these locks
> will be readily available without having to buy them. Even with V^2 there is no
> reason to amass more coins beyond a certain point. Running the biggest 5 V^2
> scores should be pretty solid to get in on many coin joins.
We can be much more exact than saying makers get in on "many" coins. The
supporting document "Financial mathematics of JoinMarket fidelity bonds"
contains calculations for exactly this:
https://gist.github.com/chris-belcher/87ebbcbb639686057a389acb9ab3e25b#sybil-attacks-from-enemies-within
The document finds that with realistic real-world data, the makers with
the top 5 most valuable bonds will be chosen 48% of the time. So
approximately half:half success for one coinjoin. This isn't enough to
deanonymize every single coinjoin. For example, the tumbler script by
default makes around 16 transactions so the odds of a successful sybil
attack is (0.48)^16 = 8 parts per million, with the success probability
reducing exponentially after each additional coinjoin.
>> Another way is to require the bond signature proofs to involve the
>> one-time taker identifier, and so be different every time. This
>> basically requires fidelity bond privkeys to be online in hot wallets,
>> and so should massively increase the difficulty of renting TXOs because
>> the maker and the TXO owner need to be in constant real-time communication.
>
> Requiring the bond to reside on a hot wallet would be a massive disadvantage.
Hopefully it won't come to that and we can invent some other way to stop
renting TXOs. But if that's the only way then we'd have to code it in
order to protect the interests of takers.
The most dangerous source of rented TXOs seems to be the coin age form
of fidelity bond. Hodlers could have coins already in a hardware wallet
or cold storage and just sign proofs renting their UTXOs to earn an
extra income without changing their setup at all. Bonds from OP_CLTV and
OP_RETURN burned coins seems to me a much less likely source of rented TXOs.
Because of that, it seems to me only coin age fidelity bonds would be
required to be on hot wallets.
Another option worth considering is the have a separate lower interest
rate for coin age bonds compared to OP_CLTV bonds, this would reflect
the lower sacrifice for coin age (past sacrifices must be worth less
than future sacrifices, because of risk and uncertainty of the unknown
future, as well as the risk of rented UTXOs)
> No matter how you look at the whole problem of sibyl attacks, the honest maker
> will have operational costs and gain fees and the sibyl attacker will have the
> same plus profit from the deanonymization. As long as makers hunt marginal
> profits, the sibyl attacker having the higher margin from deanonymization will
> always win. The fidelity bonds would make this even worse, as increased
> complexity and entry cost would not favor more makers but less even before the
> centralization incentive mentioned above (V^2). To say that old holders have
> bitcoins laying around that they can use for such bonds is a fallacy as they
> could just as well rent them out on a bonds market.
I think this is absolutely wrong, because sybil attackers give up some
fee income. Here is a worked example:
Let's say the sybil attacker is operating the top 5 most valuable maker
bots. If this attacker has X coins they would split them equally into 5,
so each maker has X/5 coins and their bond is worth (X^5)^2 = X^2/25,
with a total of 5 bots the fee income would be proportional to 5*X^2/25
= X^2/5. However if an honest maker had X coins they could create a
single bond which would be worth simply X^2 with a fee income
proportional to X^2. So the honest maker has a fee income higher by a
factor of 5 than the sybil attacker. The sybil attacker must take a 5x
hit to their fee income in order to sybil attack. This is the crucial
effect of the V^2 term.
The V^2 term is important, it just has the downside of incentivizing
renting of coins. If we can make that impossible then the problem would
go away.
> How about turning this upside down and shift the incentives from being taker to
> being maker by introducing a mandatory fee? If each join costs 1% per maker,
> people would initially gasp and reject to update to that version but those who
> do, will do to become makers, increasing the maker count massively and
> eventually most people in frequent need of joining will also become makers to
> offset the costs of being takers.
>
> With these changed rules again the sibyl attackers would still have their
> competitive edge and would flood the market with even more cheap offers but now
> everybody would have an incentive to do the same and as makers have to have the
> UTXOs, it's not free to sibyl attack already.
>
Apart from the inability of developers to enforce any kind of price, I
don't think this scheme would fix the sybil attack problem, because a
sybil attacker still gets a higher gain (deanonymization + fees)
compared to honest makers (who earn just fees)
|
