๐
Original date posted:2020-06-10
๐ Original message:Good morning ZmnSCPxj,
On 06/06/2020 02:40, ZmnSCPxj wrote:
> Good morning Chris,
>
>> I think I'm having trouble understanding this, does it work like this:
>>
>> Say we're in the 2-party coinswap case (Alice and Bob)
>>
>> We have Alice's funding transaction:
>> Alice UTXO ---> 2of2 multisig (Alice+Bob)
>>
>> And we have the regular contract transaction
>> 2of2 multisig (Alice+Bob) ---> Alice+timelock1 OR Bob+hashlock
>>
>> And you propose a second pre-signed transaction?
>> 2of2 multisig (Alice+Bob) ---> Bob+timelock2
>
> No, it is:
>
> 2of2 multisig (Alice+Bob) --(nLockTime=locktime1)-> Alice
>
> The timelock is imposed as a `nLockTime`, not as an `OP_CLTV` (so not in the output of the tx, but part of the tx), and the backout returns the funds to Alice, not sends it to Bob.
> This transaction is created *before* the contract transaction.
>
> The order is:
>
> * Create (but not sign) Alice funding tx (Alice --> Alice+Bob).
> * Create and sign Alice backout transaction (Alice+Bob -(nLockTime=locktime1)-> Alice).
> * Create (but not sign) Bob funding tx (Bob --> Alice+Bob+sharedSecret).
> * Create and sign Bob backout transaction (Alice+Bob+sharedSecret -(nLocktime=locktime2)-> Bob) where timelock2 < timelock1.
> * Sign and broadcast funding txes.
> * At this point, even if Bob funding tx is confirmed but Alice funding tx is not, Bob can recover funds with the backout, but Alice cannot steal the funds (since there is no hashlock branch at this point).
> * When Alice funding tx is confirmed, create and sign contract transaction (Alice+Bob --> Alice+timelock1 OR Bob+hashlock).
> * When Bob funding tx is confirmed and Bob has received the Alice contract transaction, create and sign Bob contract transaction (Alice+Bob+sharedSecret --> Bob+timelock2 OR Alice+hashlock).
> * Continue as normal.
>
> In effect, the backout transaction creates a temporary Spilman unidirectional time-bound channel.
> We just reuse the same timelock on the HTLC we expect to instantiate, as the time bound of the Spilman channel; the timelock exists anyway, we might as well reuse it for the Spilman.
>
> Creation of the contract tx invalidates the backout tx (the backout tx is `nLockTime`d, the contract tx has no such encumbrance), but the backout allows Alice and Bob to fund their txes simultaneously without risk of race loss.
> However, they do still have to wait for (deep) confirmation before signing contract transactions, and Bob has to wait for the incoming contract transaction as well before it signs its outgoing contract transaction.
>
> The protocol is trivially extendable with more than one Bob.
>
> The insight basically is that we can split CoinSwap into a "channel establishment" phase and "HTLC forwarding" phase followed by "HTLC resolution" and "private key handover".
> HTLC forwarding and HTLC resolution are "done offchain" in the channels, and channel establishment can be done in any order, including reverse.
>
> Indeed, the Spilman channel need not have the same timelock as the HTLC it will eventually host: it could have a shorter timelock, since the contract transaction has no `nLockTime` it can be instantiated (with loss of privacy due to the nonstandard script) before the Spilman timeout.
>
> Regards,
> ZmnSCPxj
>
Thanks for the explanation. I understand now, and I understand how this
makes it possible for all funding transactions in a coinswap route to be
confirmed in the same block.
However, I think this also breaks private key handover. Here's why:
Recall that in a Alice/Bob coinswap we have two funding transactions
(Alice --> multisig(Alice, Bob) and Bob --> multisig(Bob,Alice)), and
two contract transactions (multisig(Alice, Bob) -->
Alice+OP_CSV_timelock OR Bob+hashlock and multisig(Bob,Alice -->
Bob+OP_CSV_timelock OR Alice+hashlock). After the hashlock preimage
becomes known to all then Alice and Bob give their multisig privkey to
the other party.
Bob now has both privkeys in the multisig(Alice,Bob) so he can sign any
transaction he wants spending from it, but the contract transaction
still exists. So until Bob actually spends from the multisig he must
always be watching the blockchain, and if Alice broadcasts the contract
transaction then Bob must immediately spend from it using the hash
preimage branch. If Bob waits too long and the OP_CSV timelock value
passes then Alice can steal Bob's money by spending with that path. The
OP_CSV timelock only starts ticking when the contract transaction
actually confirms, and this is crucial for making privkey handover
practical because it means the coins in the multisig can stay unspent
indefinitely.
However, I think this does not apply to the scheme you described which
uses nLockTime, because after the privkeys are handed over Alice's
backout transaction (Alice+Bob -(nLockTime=locktime1)-> Alice) still
exists, and Alice could broadcast it. Once locktime1 passes then Alice
can steal Bob's coins by broadcasting even though Bob holds both
privkeys to that multisig. And using relative nLockTime doesn't help
either because its timelock will start ticking down from when the
funding transaction is confirmed, not when the contract transaction is
confirmed, and so the coins in the multisig cant remain unspent
indefinitely.
So fundamentally I think privkey handover gets broken here because it
requires relative timelocks. And those the relative timelocks need to
start ticking down only after a contract transaction is confirmed.
> I am uncertain if you are aware, but some years ago somebody claimed that 2p-ECDSA could use Scriptless Script as well over on lightning-dev.
I was aware. In such a scheme we'd still require the other building
blocks like fidelity bonds, multi-transaction and routing. So I was
thinking to code the project using the simplest hash-time-locked
contracts and once it all works we can add things like ECDSA-2P
scriptless scripts or schnorr signatures when they get added. Making the
Spilman channel scheme work with that is an interesting idea, thanks for
the thought.
> Let me propose an alternative: swap-on-receive+swap-on-change.
That's an interesting point, thanks for the thought. This scheme might
not be appropriate for every threat model and use case.
For example, if someone wants to use bitcoin just as a foreign currency
for its privacy and censorship-resistant properties. So for example if
they want to pay for a VPN anonymously, so they buy bitcoins and
immediately send all of them to the VPN merchant. The swap-on-receive
wouldn't be appropriate for them because they'll be doing a coinswap
straight away to the VPN merchant. So perhaps this plan could be an
optional mode of operation (which may or may not be the default). The
scheme obviously is useful when bitcoin is being used more as a
day-to-day money.
Regards
CB
Chris Belcher [ARCHIVE] /
npub1ekโฆlnm2u
2023-06-07 18:25:04
in reply to nevent1qโฆxtht
Author Public Key
npub1ekvnqhww3aagwuj9t55dgj5y29u8cxdjllfv3vgppt8vc0zljhrs6lnm2uPublished at
2023-06-07 18:25:04Event JSON
{
"id": "092d21a8d1fc8a1abea5aa9c45da9c6d265e0522e4c98ec24329742061deb191",
"pubkey": "cd99305dce8f7a8772455d28d44a8451787c19b2ffd2c8b1010acecc3c5f95c7",
"created_at": 1686162304,
"kind": 1,
"tags": [
[
"e",
"812ea09327d0d60318e0dbb8828e39487ff300b44ffb16833385faf46e010f8f",
"",
"root"
],
[
"e",
"5447b9162bbc807ff0f3fbd0e726dbbfc37ec63db404b14ce38e17c0b0d2479c",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "๐
Original date posted:2020-06-10\n๐ Original message:Good morning ZmnSCPxj,\n\nOn 06/06/2020 02:40, ZmnSCPxj wrote:\n\u003e Good morning Chris,\n\u003e \n\u003e\u003e I think I'm having trouble understanding this, does it work like this:\n\u003e\u003e\n\u003e\u003e Say we're in the 2-party coinswap case (Alice and Bob)\n\u003e\u003e\n\u003e\u003e We have Alice's funding transaction:\n\u003e\u003e Alice UTXO ---\u003e 2of2 multisig (Alice+Bob)\n\u003e\u003e\n\u003e\u003e And we have the regular contract transaction\n\u003e\u003e 2of2 multisig (Alice+Bob) ---\u003e Alice+timelock1 OR Bob+hashlock\n\u003e\u003e\n\u003e\u003e And you propose a second pre-signed transaction?\n\u003e\u003e 2of2 multisig (Alice+Bob) ---\u003e Bob+timelock2\n\u003e \n\u003e No, it is:\n\u003e \n\u003e 2of2 multisig (Alice+Bob) --(nLockTime=locktime1)-\u003e Alice\n\u003e \n\u003e The timelock is imposed as a `nLockTime`, not as an `OP_CLTV` (so not in the output of the tx, but part of the tx), and the backout returns the funds to Alice, not sends it to Bob.\n\u003e This transaction is created *before* the contract transaction.\n\u003e \n\u003e The order is:\n\u003e \n\u003e * Create (but not sign) Alice funding tx (Alice --\u003e Alice+Bob).\n\u003e * Create and sign Alice backout transaction (Alice+Bob -(nLockTime=locktime1)-\u003e Alice).\n\u003e * Create (but not sign) Bob funding tx (Bob --\u003e Alice+Bob+sharedSecret).\n\u003e * Create and sign Bob backout transaction (Alice+Bob+sharedSecret -(nLocktime=locktime2)-\u003e Bob) where timelock2 \u003c timelock1.\n\u003e * Sign and broadcast funding txes.\n\u003e * At this point, even if Bob funding tx is confirmed but Alice funding tx is not, Bob can recover funds with the backout, but Alice cannot steal the funds (since there is no hashlock branch at this point).\n\u003e * When Alice funding tx is confirmed, create and sign contract transaction (Alice+Bob --\u003e Alice+timelock1 OR Bob+hashlock).\n\u003e * When Bob funding tx is confirmed and Bob has received the Alice contract transaction, create and sign Bob contract transaction (Alice+Bob+sharedSecret --\u003e Bob+timelock2 OR Alice+hashlock).\n\u003e * Continue as normal.\n\u003e \n\u003e In effect, the backout transaction creates a temporary Spilman unidirectional time-bound channel.\n\u003e We just reuse the same timelock on the HTLC we expect to instantiate, as the time bound of the Spilman channel; the timelock exists anyway, we might as well reuse it for the Spilman.\n\u003e \n\u003e Creation of the contract tx invalidates the backout tx (the backout tx is `nLockTime`d, the contract tx has no such encumbrance), but the backout allows Alice and Bob to fund their txes simultaneously without risk of race loss.\n\u003e However, they do still have to wait for (deep) confirmation before signing contract transactions, and Bob has to wait for the incoming contract transaction as well before it signs its outgoing contract transaction.\n\u003e \n\u003e The protocol is trivially extendable with more than one Bob.\n\u003e \n\u003e The insight basically is that we can split CoinSwap into a \"channel establishment\" phase and \"HTLC forwarding\" phase followed by \"HTLC resolution\" and \"private key handover\".\n\u003e HTLC forwarding and HTLC resolution are \"done offchain\" in the channels, and channel establishment can be done in any order, including reverse.\n\u003e \n\u003e Indeed, the Spilman channel need not have the same timelock as the HTLC it will eventually host: it could have a shorter timelock, since the contract transaction has no `nLockTime` it can be instantiated (with loss of privacy due to the nonstandard script) before the Spilman timeout.\n\u003e \n\u003e Regards,\n\u003e ZmnSCPxj\n\u003e \n\nThanks for the explanation. I understand now, and I understand how this\nmakes it possible for all funding transactions in a coinswap route to be\nconfirmed in the same block.\n\nHowever, I think this also breaks private key handover. Here's why:\n\nRecall that in a Alice/Bob coinswap we have two funding transactions\n(Alice --\u003e multisig(Alice, Bob) and Bob --\u003e multisig(Bob,Alice)), and\ntwo contract transactions (multisig(Alice, Bob) --\u003e\nAlice+OP_CSV_timelock OR Bob+hashlock and multisig(Bob,Alice --\u003e\nBob+OP_CSV_timelock OR Alice+hashlock). After the hashlock preimage\nbecomes known to all then Alice and Bob give their multisig privkey to\nthe other party.\n\nBob now has both privkeys in the multisig(Alice,Bob) so he can sign any\ntransaction he wants spending from it, but the contract transaction\nstill exists. So until Bob actually spends from the multisig he must\nalways be watching the blockchain, and if Alice broadcasts the contract\ntransaction then Bob must immediately spend from it using the hash\npreimage branch. If Bob waits too long and the OP_CSV timelock value\npasses then Alice can steal Bob's money by spending with that path. The\nOP_CSV timelock only starts ticking when the contract transaction\nactually confirms, and this is crucial for making privkey handover\npractical because it means the coins in the multisig can stay unspent\nindefinitely.\n\nHowever, I think this does not apply to the scheme you described which\nuses nLockTime, because after the privkeys are handed over Alice's\nbackout transaction (Alice+Bob -(nLockTime=locktime1)-\u003e Alice) still\nexists, and Alice could broadcast it. Once locktime1 passes then Alice\ncan steal Bob's coins by broadcasting even though Bob holds both\nprivkeys to that multisig. And using relative nLockTime doesn't help\neither because its timelock will start ticking down from when the\nfunding transaction is confirmed, not when the contract transaction is\nconfirmed, and so the coins in the multisig cant remain unspent\nindefinitely.\n\nSo fundamentally I think privkey handover gets broken here because it\nrequires relative timelocks. And those the relative timelocks need to\nstart ticking down only after a contract transaction is confirmed.\n\n\n\u003e I am uncertain if you are aware, but some years ago somebody claimed that 2p-ECDSA could use Scriptless Script as well over on lightning-dev.\n\nI was aware. In such a scheme we'd still require the other building\nblocks like fidelity bonds, multi-transaction and routing. So I was\nthinking to code the project using the simplest hash-time-locked\ncontracts and once it all works we can add things like ECDSA-2P\nscriptless scripts or schnorr signatures when they get added. Making the\nSpilman channel scheme work with that is an interesting idea, thanks for\nthe thought.\n\n\u003e Let me propose an alternative: swap-on-receive+swap-on-change.\n\nThat's an interesting point, thanks for the thought. This scheme might\nnot be appropriate for every threat model and use case.\nFor example, if someone wants to use bitcoin just as a foreign currency\nfor its privacy and censorship-resistant properties. So for example if\nthey want to pay for a VPN anonymously, so they buy bitcoins and\nimmediately send all of them to the VPN merchant. The swap-on-receive\nwouldn't be appropriate for them because they'll be doing a coinswap\nstraight away to the VPN merchant. So perhaps this plan could be an\noptional mode of operation (which may or may not be the default). The\nscheme obviously is useful when bitcoin is being used more as a\nday-to-day money.\n\n\nRegards\nCB",
"sig": "992df2f258d28ce9212f7b349ace04a47c0417e944ae1c20bd6c797c6a11ff4d27bcbc1f5edf609c4942b4e3a6db0875d1a9004ac26afea112a2f3c2c0186254"
}