📅 Original date posted:2019-08-08
📝 Original message:Good morning Dmitry,
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, August 8, 2019 7:37 PM, Dmitry Petukhov <dp at simplexum.com> wrote:
> В Thu, 08 Aug 2019 09:35:24 +0000
> ZmnSCPxj ZmnSCPxj at protonmail.com wrote:
>
> > <MuSig(all participants except this participant)> OP_CHECKSIGVERIFY
> > <participant_snitch_key> OP_CHECKSIG
>
> This anti-snitch protection won't work if there are two snitches, which
> is concievable in the case of a large-scale consolidated bonds (one
> entity can pretend to be two independent entities with two different
> TXO). The snitch co-conspirator will refuse to sign the punishment
> transaction.
>
> If you change the MuSig(all_except_snitch) to 1-of-n multisig
> construction so that anyone other than the actual 'snitch' can
> confiscate the snitch-bond, then there's possibility that that a
> co-conspirator can get that bond before others - even before
> the sntich transaction is distributed to takers.
The correct way to do this, as with any offchain technique, is to have the punishment transactions signed by the MuSig-of-everyone-other-than-punishment-target before you even sign the funding transaction.
If consolidation is subsidized by paying rent out to the consolidators, then the lessee of the UTXOs adds its rent payment in the same transaction that atomically instantiates the fidelity bond and all revocable bonds as a single CoinJoined transaction.
If any participant refuses to sign the punishment transactions of their co-consolidators, then the lessee refuses to sign the funding transaction and nobody earns any rent and the lessee goes look for another set of UTXO owners (or just kicks out the participant who refuses to sign and lives with the smaller fidelity bond, no big deal).
Of course, anyone renting consolidated bonds can themselves be unironic victims of sybil attackers who split up their funds to smaller parts so that their liability when later snitching is reduced, possibly to a level that is comfortable to them.
The sybil attacker then pretends to be lessors of UTXOs.
>
> It seems that to reasonably protect from more than one snitch with this
> punishment scheme, you want to make a multitude of taproot leaves where
> each leaf can be spent by cooperation of N entities, where N is the
> size of expected non-snitch participant set.
>
> > Finally, aggregation is still possible to insure by off-blockchain
> > agreements, possibly with legal consequences, and thus entities like
> > exchanges might still be able to aggregate funds and acquire an
> > undeservedly large weight in the fidelity bond system.
>
> This seems to me like the most immediate problem for the discussed
> system.
>
> Since the centralized exchanges or other custodial services already
> control TXOs of their customers who sent their funds there, they can
> use them to make extra profit with joinmarket, and create fidelity
> bonds out of these TXO with (or without) consent of the customers, and
> pay them (or not) the amount according to their UTXO, while getting the
> consolidation benefit of V^2 for themselves. It is also more probable
> that such centralized custodial services would be willing to
> participate in a deanonymization efforts, so that they can explain
> their participation in coinjoins to regulators.
Yes, down with the V^2 superlinearity, it is too strongly centralizing.
Regards,
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5…3ms3l
2023-06-07 18:20:00
in reply to nevent1q…zad8
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-07 18:20:00Event JSON
{
"id": "82db05ac044943a1427e15311e68a53700ec4d704adbe7bd6c7574087c25636e",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686162000,
"kind": 1,
"tags": [
[
"e",
"a08dce3b67359ed00d4e2ce273a5fce8912dd2b587c89f8e261331c71b6b29ce",
"",
"root"
],
[
"e",
"a42a6beb853ddb109661f03057800b4f9682adacb5d81438b883ad2b148a14c1",
"",
"reply"
],
[
"p",
"78f5a82a0b64fb3c18bd33a69c53b1af612b3ac8dd81e12f74ba62f3793dac05"
]
],
"content": "📅 Original date posted:2019-08-08\n📝 Original message:Good morning Dmitry,\n\n\nSent with ProtonMail Secure Email.\n\n‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐\nOn Thursday, August 8, 2019 7:37 PM, Dmitry Petukhov \u003cdp at simplexum.com\u003e wrote:\n\n\u003e В Thu, 08 Aug 2019 09:35:24 +0000\n\u003e ZmnSCPxj ZmnSCPxj at protonmail.com wrote:\n\u003e\n\u003e \u003e \u003cMuSig(all participants except this participant)\u003e OP_CHECKSIGVERIFY\n\u003e \u003e \u003cparticipant_snitch_key\u003e OP_CHECKSIG\n\u003e\n\u003e This anti-snitch protection won't work if there are two snitches, which\n\u003e is concievable in the case of a large-scale consolidated bonds (one\n\u003e entity can pretend to be two independent entities with two different\n\u003e TXO). The snitch co-conspirator will refuse to sign the punishment\n\u003e transaction.\n\u003e\n\u003e If you change the MuSig(all_except_snitch) to 1-of-n multisig\n\u003e construction so that anyone other than the actual 'snitch' can\n\u003e confiscate the snitch-bond, then there's possibility that that a\n\u003e co-conspirator can get that bond before others - even before\n\u003e the sntich transaction is distributed to takers.\n\nThe correct way to do this, as with any offchain technique, is to have the punishment transactions signed by the MuSig-of-everyone-other-than-punishment-target before you even sign the funding transaction.\nIf consolidation is subsidized by paying rent out to the consolidators, then the lessee of the UTXOs adds its rent payment in the same transaction that atomically instantiates the fidelity bond and all revocable bonds as a single CoinJoined transaction.\nIf any participant refuses to sign the punishment transactions of their co-consolidators, then the lessee refuses to sign the funding transaction and nobody earns any rent and the lessee goes look for another set of UTXO owners (or just kicks out the participant who refuses to sign and lives with the smaller fidelity bond, no big deal).\n\nOf course, anyone renting consolidated bonds can themselves be unironic victims of sybil attackers who split up their funds to smaller parts so that their liability when later snitching is reduced, possibly to a level that is comfortable to them.\nThe sybil attacker then pretends to be lessors of UTXOs.\n\n\u003e\n\u003e It seems that to reasonably protect from more than one snitch with this\n\u003e punishment scheme, you want to make a multitude of taproot leaves where\n\u003e each leaf can be spent by cooperation of N entities, where N is the\n\u003e size of expected non-snitch participant set.\n\u003e\n\u003e \u003e Finally, aggregation is still possible to insure by off-blockchain\n\u003e \u003e agreements, possibly with legal consequences, and thus entities like\n\u003e \u003e exchanges might still be able to aggregate funds and acquire an\n\u003e \u003e undeservedly large weight in the fidelity bond system.\n\u003e\n\u003e This seems to me like the most immediate problem for the discussed\n\u003e system.\n\u003e\n\u003e Since the centralized exchanges or other custodial services already\n\u003e control TXOs of their customers who sent their funds there, they can\n\u003e use them to make extra profit with joinmarket, and create fidelity\n\u003e bonds out of these TXO with (or without) consent of the customers, and\n\u003e pay them (or not) the amount according to their UTXO, while getting the\n\u003e consolidation benefit of V^2 for themselves. It is also more probable\n\u003e that such centralized custodial services would be willing to\n\u003e participate in a deanonymization efforts, so that they can explain\n\u003e their participation in coinjoins to regulators.\n\nYes, down with the V^2 superlinearity, it is too strongly centralizing.\n\nRegards,\nZmnSCPxj",
"sig": "657d2a43ffb08c0622de5c8405580497f871359b46c7e7128b8358b4b99a2f08603de3fb6aa311238404b4935b4577eb0edaf8450ce5c9a2e0985df01590eb77"
}