š
Original date posted:2020-09-03
š Original message:Good morning Chris,
> A big downside is that it really ruins the property of allowing coins to
> remain unspent indefinitely. That has privacy implications: if a coin
> remains unspent for longer than 2 weeks (or another short locktime) then
> for sure the transaction was not a CoinSwap, and so the anonymity set of
> the CoinSwap system would be far smaller For this reason I'm pretty
> desperate to solve the vulnerability without losing the coins remaining
> unspent indefinitely feature.
Ah, right.... accept no small privacy leaks!
>
> We need to solve the vulnerability you found, which I'll call the
> riskless theft attempt problem. So what do you think of this solution:
>
> == Building block 1: A, B and C having different contract txes ==
>
> In the original proposal each CoinSwap peer has the same contract
> transaction, and either side can broadcast it whenever they like. This
> actually isn't necessary. We can have a contract transaction
> fully-signed but only known to one peer, with a possibly-different
> transaction transaction fully-signed and only known to the other peer.
>
> Obviously for the CoinSwap to work both contract transactions must have
> the same hash-time-locked contract, but they can differ in other ways.
>
> == Building block 2: collateral payments ==
>
> The riskless theft attempt problem happens because the previous owner of
> the coins knows the fully-signed contract transaction and can broadcast
> it at no cost to themselves. So to solve the problem we add a cost.
>
> There is a 2of2 multisig made up of Bob's and Charlie's keys. The
> associated contract transaction known to Bob must now also have one of
> Bob's single-sig inputs. The outputs are such that some of the money
> from Bob's input now ends up in the HTLC output. The result is that
> after the CoinSwap if Bob broadcasts his contract transaction but fails
> to take the money from the HTLC output, then Bob will have lost money.
Just to be clear:
* B is the one who originally funded the HTLC, and owns the timelock.
* C is the one who will accept the HTLC, and owns the hashlock.
> I'm calling this idea collateral payments, by analogy with collateral
> used for loans. A collateral is someone valuable a debtor puts on the
> table, and if they don't repay the loan then they lose the collateral
> (presumably the creditor sells it to repay the loan).
>
> Here is a diagram of the contract transaction known to Bob:
>
> multisig (B+C) [I btc]---> (B+timelock_B OR C+hash) [I+K-M~ btc]
>
> collateral(B) [J btc] (Bob) [J-K btc]
>
>
> where:
> I = CoinSwap amount
> J = Value of Bob's collateral input
> K = Value that Bob loses if he broadcasts his contract tx but doesnt
> get the money
> M~ = miner fee (random variable)
>
> The value K is something that can be set by the protocol, and made high
> enough so that doing a riskless theft attempt is not worth it. Probably
> the value of K will be quite small because the odds of a riskless
> payment attempt succeeding is very small (assuming the makers all use
> multiple redundant watchtowers). Mostly likely K will be smaller than
> M~, so if the collateral is lost to Bob then the miners will the ones to
> gain, rather than Charlie.
This seems a great solution!
Since B is the one offering HTLCs, the taker of a CoinSwap sequence can be B as well.
This means, the taker has to have *some* collateral input, of at least value K, that it cannot swap (because if it tried to swap that amount, it would be unable to provide a collateral as well).
How much does C need to know about the B collateralized contract transaction?
At the minimum, it has to know the output pays out to the correct contract, so it seems to me it has to know the entire B collateralized contract transaction, meaning it learns another input of B ("collateral(B)") that is not otherwise involved in the CoinSwap.
This is important, again, if B is a taker, as it means an unrelated input of B is now learned by C as having the same ownership as B.
A fresh maker that is given its starting funds in a single UTXO needs to split up its funds to make at least one collateral input it can use.
Of note is that the B output also serves as a point for CPFPing this transaction, thus only one version of the B collateralized contract transaction needs to be made, and the B collateralized contract transaction can be at or close to the minimum relay feerate and later CPFPed.
In terms of onchain analysis heuristics, it looks like the B output is change, while the B+C contract output is the send-out, I think, for most cases.
In case of a protocol abort, this heuristic is misled, since both outputs become owned by B due to the protocol abort.
In case of a protocol completion, this heuristic is accurate, since the B+C contract output will be claimed by C, but we do not expect this transaction to be confirmed onchain after protocol completion anyway (it effectively donates K to C or miners), so this is fine.
> The other contract transaction, known only to Charlie, does not contain
> a collateral input or collateral value (K), because Charlie can't do a
> riskless theft attempt to Bob.
Because it has a single output only, the C contract transaction needs to have RBFed versions.
> If Bob ever spends his collateral input in another transaction, then his
> contract transaction will become invalid. However Bob will only be
> harming himself, so he'll never do this.
At least until B gets its own incoming funds in the swap, at which point the collateral input can be used for other purposes (and effectively "releases" the lease of B on that output).
Since C knows the collateral input (it has to, in order to verify the B collateralized contract transaction is correct), it can monitor the collateral input for spendedness, and stop watching for the B collateralized contract transaction in its watchtower(s) if the collateral input is deeply spent.
The B collateralized contract transaction is invalidated if the collateral input is spent, and then only C can spend the funding outpoint at that point, so it can remove that from the watchtower.
This can be significant if C is using a for-pay watchtower that supports deletion of watches, which I believe is planned for watchtowers as well, and reduces the operating cost of C.
Regards,
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5ā¦3ms3l
2023-06-07 18:26:41
in reply to nevent1qā¦8cs2
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-07 18:26:41Event JSON
{
"id": "51cf469f062645b2763c70a4bed6082a1ed63aef1f08ac4abdcd8fbdbf82a0ff",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686162401,
"kind": 1,
"tags": [
[
"e",
"a7116ebfc542ae2f9abdddad722cd3c2ee214a2f93e701f0a2d9550e18f74750",
"",
"root"
],
[
"e",
"a9c310cb65dc08fedffb6f1750b557a5cd5ff0fc23221bc4498087eaa4f02b46",
"",
"reply"
],
[
"p",
"cd99305dce8f7a8772455d28d44a8451787c19b2ffd2c8b1010acecc3c5f95c7"
]
],
"content": "š
Original date posted:2020-09-03\nš Original message:Good morning Chris,\n\n\u003e A big downside is that it really ruins the property of allowing coins to\n\u003e remain unspent indefinitely. That has privacy implications: if a coin\n\u003e remains unspent for longer than 2 weeks (or another short locktime) then\n\u003e for sure the transaction was not a CoinSwap, and so the anonymity set of\n\u003e the CoinSwap system would be far smaller For this reason I'm pretty\n\u003e desperate to solve the vulnerability without losing the coins remaining\n\u003e unspent indefinitely feature.\n\nAh, right.... accept no small privacy leaks!\n\n\u003e\n\u003e We need to solve the vulnerability you found, which I'll call the\n\u003e riskless theft attempt problem. So what do you think of this solution:\n\u003e\n\u003e == Building block 1: A, B and C having different contract txes ==\n\u003e\n\u003e In the original proposal each CoinSwap peer has the same contract\n\u003e transaction, and either side can broadcast it whenever they like. This\n\u003e actually isn't necessary. We can have a contract transaction\n\u003e fully-signed but only known to one peer, with a possibly-different\n\u003e transaction transaction fully-signed and only known to the other peer.\n\u003e\n\u003e Obviously for the CoinSwap to work both contract transactions must have\n\u003e the same hash-time-locked contract, but they can differ in other ways.\n\u003e\n\u003e == Building block 2: collateral payments ==\n\u003e\n\u003e The riskless theft attempt problem happens because the previous owner of\n\u003e the coins knows the fully-signed contract transaction and can broadcast\n\u003e it at no cost to themselves. So to solve the problem we add a cost.\n\u003e\n\u003e There is a 2of2 multisig made up of Bob's and Charlie's keys. The\n\u003e associated contract transaction known to Bob must now also have one of\n\u003e Bob's single-sig inputs. The outputs are such that some of the money\n\u003e from Bob's input now ends up in the HTLC output. The result is that\n\u003e after the CoinSwap if Bob broadcasts his contract transaction but fails\n\u003e to take the money from the HTLC output, then Bob will have lost money.\n\nJust to be clear:\n\n* B is the one who originally funded the HTLC, and owns the timelock.\n* C is the one who will accept the HTLC, and owns the hashlock.\n\n\u003e I'm calling this idea collateral payments, by analogy with collateral\n\u003e used for loans. A collateral is someone valuable a debtor puts on the\n\u003e table, and if they don't repay the loan then they lose the collateral\n\u003e (presumably the creditor sells it to repay the loan).\n\u003e\n\u003e Here is a diagram of the contract transaction known to Bob:\n\u003e\n\u003e multisig (B+C) [I btc]---\u003e (B+timelock_B OR C+hash) [I+K-M~ btc]\n\u003e\n\u003e collateral(B) [J btc] (Bob) [J-K btc]\n\u003e\n\u003e\n\u003e where:\n\u003e I = CoinSwap amount\n\u003e J = Value of Bob's collateral input\n\u003e K = Value that Bob loses if he broadcasts his contract tx but doesnt\n\u003e get the money\n\u003e M~ = miner fee (random variable)\n\u003e\n\u003e The value K is something that can be set by the protocol, and made high\n\u003e enough so that doing a riskless theft attempt is not worth it. Probably\n\u003e the value of K will be quite small because the odds of a riskless\n\u003e payment attempt succeeding is very small (assuming the makers all use\n\u003e multiple redundant watchtowers). Mostly likely K will be smaller than\n\u003e M~, so if the collateral is lost to Bob then the miners will the ones to\n\u003e gain, rather than Charlie.\n\nThis seems a great solution!\n\nSince B is the one offering HTLCs, the taker of a CoinSwap sequence can be B as well.\nThis means, the taker has to have *some* collateral input, of at least value K, that it cannot swap (because if it tried to swap that amount, it would be unable to provide a collateral as well).\n\nHow much does C need to know about the B collateralized contract transaction?\nAt the minimum, it has to know the output pays out to the correct contract, so it seems to me it has to know the entire B collateralized contract transaction, meaning it learns another input of B (\"collateral(B)\") that is not otherwise involved in the CoinSwap.\nThis is important, again, if B is a taker, as it means an unrelated input of B is now learned by C as having the same ownership as B.\n\nA fresh maker that is given its starting funds in a single UTXO needs to split up its funds to make at least one collateral input it can use.\n\nOf note is that the B output also serves as a point for CPFPing this transaction, thus only one version of the B collateralized contract transaction needs to be made, and the B collateralized contract transaction can be at or close to the minimum relay feerate and later CPFPed.\n\nIn terms of onchain analysis heuristics, it looks like the B output is change, while the B+C contract output is the send-out, I think, for most cases.\nIn case of a protocol abort, this heuristic is misled, since both outputs become owned by B due to the protocol abort.\nIn case of a protocol completion, this heuristic is accurate, since the B+C contract output will be claimed by C, but we do not expect this transaction to be confirmed onchain after protocol completion anyway (it effectively donates K to C or miners), so this is fine.\n\n\u003e The other contract transaction, known only to Charlie, does not contain\n\u003e a collateral input or collateral value (K), because Charlie can't do a\n\u003e riskless theft attempt to Bob.\n\nBecause it has a single output only, the C contract transaction needs to have RBFed versions.\n\n\u003e If Bob ever spends his collateral input in another transaction, then his\n\u003e contract transaction will become invalid. However Bob will only be\n\u003e harming himself, so he'll never do this.\n\nAt least until B gets its own incoming funds in the swap, at which point the collateral input can be used for other purposes (and effectively \"releases\" the lease of B on that output).\n\nSince C knows the collateral input (it has to, in order to verify the B collateralized contract transaction is correct), it can monitor the collateral input for spendedness, and stop watching for the B collateralized contract transaction in its watchtower(s) if the collateral input is deeply spent.\nThe B collateralized contract transaction is invalidated if the collateral input is spent, and then only C can spend the funding outpoint at that point, so it can remove that from the watchtower.\nThis can be significant if C is using a for-pay watchtower that supports deletion of watches, which I believe is planned for watchtowers as well, and reduces the operating cost of C.\n\n\nRegards,\nZmnSCPxj",
"sig": "3d76b98e8090e8833a53e0b9b974db58ccd0a641961e11f758f9157ba3248258a04d1128aaf38b3bd52b7ad38aa8c4573570beb22eb09a32fe4adb1901fe27ce"
}