📅 Original date posted:2020-09-03
📝 Original message:Hello ZmnSCPxj,
On 03/09/2020 10:45, ZmnSCPxj wrote:
> Good morning Chris,
>
>> A big downside is that it really ruins the property of allowing coins to
>> remain unspent indefinitely. That has privacy implications: if a coin
>> remains unspent for longer than 2 weeks (or another short locktime) then
>> for sure the transaction was not a CoinSwap, and so the anonymity set of
>> the CoinSwap system would be far smaller For this reason I'm pretty
>> desperate to solve the vulnerability without losing the coins remaining
>> unspent indefinitely feature.
>
> Ah, right.... accept no small privacy leaks!
I'd argue its not even a small leak. A huge amount of coins remain
unspent for weeks, months and years, and it would be great to add them
to our CoinSwap anonymity set. And also have them benefit from
CoinSwap's anonymity set even if they didn't use CoinSwap.
> This seems a great solution!
>
> Since B is the one offering HTLCs, the taker of a CoinSwap sequence can be B as well.
> This means, the taker has to have *some* collateral input, of at least value K, that it cannot swap (because if it tried to swap that amount, it would be unable to provide a collateral as well).
>
> How much does C need to know about the B collateralized contract transaction?
> At the minimum, it has to know the output pays out to the correct contract, so it seems to me it has to know the entire B collateralized contract transaction, meaning it learns another input of B ("collateral(B)") that is not otherwise involved in the CoinSwap.
> This is important, again, if B is a taker, as it means an unrelated input of B is now learned by C as having the same ownership as B.
Yes, in fact that's why in my example I talk about a CoinSwap between
two makers Bob and Charlie. Makers can be reasonably expected to own
multiple UTXOs, but takers cannot. As you say because collateral
payments breaks the ability of takers to sweep their entire wallet
through CoinSwap.
Happily, I think takers themselves don't need to use collateral
payments. Here's an argument to why:
Riskless theft attempts by the taker who no longer controls the coins
actually isnt riskless or costless: Because it reduces the privacy of
the previously-owned coins. If a taker genuinely wanted good privacy
(Which, after all, they're paying for via miner fees and CoinSwap fees)
then they would benefit if the coins they no longer own remain unspent
for a long time, because it increases their anonymity set by making them
hide among a greater crowd of coins which also don't get spent for a
long time.
Assuming that all peers, especially makers, deploy multiple redundant
watchtowers then we can assume the success rate of such a theft attempt
is very low. Because of the very low payoff, and privacy benefit of
leaving coins unspent, then it can be argued that taker software which
attempts such theft will never get popular.
Of course this privacy argument only applies to takers, and if the
CoinSwap contract is between two makers as part of a multi-transaction
CoinSwap then it doesn't apply. So a maker-to-maker CoinSwap must use
collateral payments.
== Leak of first hop ==
Collateral inputs only applying to maker-maker CoinSwaps adds an
additional information leak, which is that makers can now tell whether
their previous peer was a taker or maker, based on whether they used a
collateral input or not.
This should be okay because the first maker doesn't know the final
destination of the coins. This is similar to Tor, where this information
is already leaked, for example when the user connects to a Tor bridge.
The operator of the Tor bridge knows that everyone connecting to it is
not a Tor relay node but an actual user. The operator of the tor bridge
still has no idea where the user's internet traffic goes. Our situation
is actually better than Tor, because in Tor the final relay always knows
that they are an exit node, while the final maker in a CoinSwap might
not know that.
Also, if the taker does happen to own an extra UTXO, they may choose to
use a collateral input anyway, just to pretend that they're a maker.
Regards
CB
Chris Belcher [ARCHIVE] /
npub1ek…lnm2u
2023-06-07 18:26:42
in reply to nevent1q…mtjr
Author Public Key
npub1ekvnqhww3aagwuj9t55dgj5y29u8cxdjllfv3vgppt8vc0zljhrs6lnm2uPublished at
2023-06-07 18:26:42Event JSON
{
"id": "9b39a7649ae7dfbd792352fd45b6825c346f24ca3bdf88f9c76fbf70f8b68ee8",
"pubkey": "cd99305dce8f7a8772455d28d44a8451787c19b2ffd2c8b1010acecc3c5f95c7",
"created_at": 1686162402,
"kind": 1,
"tags": [
[
"e",
"a7116ebfc542ae2f9abdddad722cd3c2ee214a2f93e701f0a2d9550e18f74750",
"",
"root"
],
[
"e",
"51cf469f062645b2763c70a4bed6082a1ed63aef1f08ac4abdcd8fbdbf82a0ff",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2020-09-03\n📝 Original message:Hello ZmnSCPxj,\n\nOn 03/09/2020 10:45, ZmnSCPxj wrote:\n\u003e Good morning Chris,\n\u003e \n\u003e\u003e A big downside is that it really ruins the property of allowing coins to\n\u003e\u003e remain unspent indefinitely. That has privacy implications: if a coin\n\u003e\u003e remains unspent for longer than 2 weeks (or another short locktime) then\n\u003e\u003e for sure the transaction was not a CoinSwap, and so the anonymity set of\n\u003e\u003e the CoinSwap system would be far smaller For this reason I'm pretty\n\u003e\u003e desperate to solve the vulnerability without losing the coins remaining\n\u003e\u003e unspent indefinitely feature.\n\u003e \n\u003e Ah, right.... accept no small privacy leaks!\n\nI'd argue its not even a small leak. A huge amount of coins remain\nunspent for weeks, months and years, and it would be great to add them\nto our CoinSwap anonymity set. And also have them benefit from\nCoinSwap's anonymity set even if they didn't use CoinSwap.\n\n\u003e This seems a great solution!\n\u003e \n\u003e Since B is the one offering HTLCs, the taker of a CoinSwap sequence can be B as well.\n\u003e This means, the taker has to have *some* collateral input, of at least value K, that it cannot swap (because if it tried to swap that amount, it would be unable to provide a collateral as well).\n\u003e \n\u003e How much does C need to know about the B collateralized contract transaction?\n\u003e At the minimum, it has to know the output pays out to the correct contract, so it seems to me it has to know the entire B collateralized contract transaction, meaning it learns another input of B (\"collateral(B)\") that is not otherwise involved in the CoinSwap.\n\u003e This is important, again, if B is a taker, as it means an unrelated input of B is now learned by C as having the same ownership as B.\n\nYes, in fact that's why in my example I talk about a CoinSwap between\ntwo makers Bob and Charlie. Makers can be reasonably expected to own\nmultiple UTXOs, but takers cannot. As you say because collateral\npayments breaks the ability of takers to sweep their entire wallet\nthrough CoinSwap.\n\nHappily, I think takers themselves don't need to use collateral\npayments. Here's an argument to why:\n\nRiskless theft attempts by the taker who no longer controls the coins\nactually isnt riskless or costless: Because it reduces the privacy of\nthe previously-owned coins. If a taker genuinely wanted good privacy\n(Which, after all, they're paying for via miner fees and CoinSwap fees)\nthen they would benefit if the coins they no longer own remain unspent\nfor a long time, because it increases their anonymity set by making them\nhide among a greater crowd of coins which also don't get spent for a\nlong time.\nAssuming that all peers, especially makers, deploy multiple redundant\nwatchtowers then we can assume the success rate of such a theft attempt\nis very low. Because of the very low payoff, and privacy benefit of\nleaving coins unspent, then it can be argued that taker software which\nattempts such theft will never get popular.\n\nOf course this privacy argument only applies to takers, and if the\nCoinSwap contract is between two makers as part of a multi-transaction\nCoinSwap then it doesn't apply. So a maker-to-maker CoinSwap must use\ncollateral payments.\n\n== Leak of first hop ==\nCollateral inputs only applying to maker-maker CoinSwaps adds an\nadditional information leak, which is that makers can now tell whether\ntheir previous peer was a taker or maker, based on whether they used a\ncollateral input or not.\n\nThis should be okay because the first maker doesn't know the final\ndestination of the coins. This is similar to Tor, where this information\nis already leaked, for example when the user connects to a Tor bridge.\nThe operator of the Tor bridge knows that everyone connecting to it is\nnot a Tor relay node but an actual user. The operator of the tor bridge\nstill has no idea where the user's internet traffic goes. Our situation\nis actually better than Tor, because in Tor the final relay always knows\nthat they are an exit node, while the final maker in a CoinSwap might\nnot know that.\n\nAlso, if the taker does happen to own an extra UTXO, they may choose to\nuse a collateral input anyway, just to pretend that they're a maker.\n\n\nRegards\nCB",
"sig": "59ba4792704fcacb233a9cd89d42b3c8a1dd3b5999cb8c44c46dcf81eb1b92f7d760a9793edc913d2c0e7c69a0e70e2416580ea192d313e1af9b04295801c7ee"
}