📅 Original date posted:2019-08-02
📝 Original message:On 31/07/2019 16:50, Dmitry Petukhov wrote:
> В Tue, 30 Jul 2019 22:39:14 +0100
> Chris Belcher via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org>
> wrote:
>
>> This is where a sacrifice of V bitcoins creates a
>> bond of value V^2. The formula provides a strong incentive for
>> profit-motivated makers to use all their fidelity bond coins with just
>> one maker, not spread them out over many makers.
>
> The attacker derives additional value from the use of
> locked utxo - the deanonimyzation capabilities.
>
> An entity M can use all of its locked coins to run a maker, and then
> earn value X. It will also incur some operational expenses in the course
> of running the maker, so the profit will be less than X.
>
> If these locked coins are given to the attacker A as a package, an
> attacker can derive a value of X+D where D is a value of increased
> deanonymization capabilities for an attacker. Operational expenses
> for an attacker are the same as before (without timelocked bonds),
> because they need to operate a lot of makers either way.
>
> If M is profit-driven and non-ideological, it can rent out all of its
> coins to A as a package, for the price X, and get the same value without
> running a maker and dedicating any resources and time to it, not
> incurring any operatinal expenses (thus having a bigger profit in the
> end).
>
> Attacker A will run a maker with M's coins, get profit X, pay X to M,
> get increased deanonymization capabilities.
>
> If renting out of utxo is done in a way that the owner always gets X
> after the lock expires, the operation will be riskless for the owner.
> The attacker will need to lock amount X along with owner's coins, but
> hopefully makes X back by running a maker operation.
>
> The price for renting out the coins will be determined on the size of
> the 'coin package', so it will not be feasible for the owners of the
> coins to rent them out separately.
>
> An attacker can even rent coins from several entities and combine them
> to create a more 'powerful' maker. If I understand correctly, such
> 'powerful' maker can have bigger profit than two less 'powerful'
> makers. It seems like a centralization risk to me.
>
There's a few different issues here.
Yes TXO fidelity bonds can be rented out, but that doesn't make a sybil
attack cheaper. The aim of the fidelity bond scheme is to require makers
to sacrifice value, renting out their fidelity bond coins doesn't avoid
that sacrifice because the sacrifice is the paid rent. Because of the
maths and market forces the rent paid by the attacker should be about
the same as the cost of just buying the bitcoins and locking them.
Centralization and decentralization are not ends in themselves, the main
aim in JoinMarket is to improve privacy while keeping the other
properties of bitcoin (e.g. censorship resistance). A single maker can
never deanonoymize coinjoins no matter how valuable their bond is,
because takers always choose multiple makers, and all of them need to be
controlled by the sybil attacker for the attack to succeed. If a sybil
attacker splits up their fidelity bonds (rented or not) amongst multiple
maker bots then they reduce the value of their bonds because of the V^2
term.
Rented TXOs does destroy the effect of "A long-term holder probably
won't want to attack a system like JoinMarket which makes his own
investment coins more private and more fungible". However this is not
the main effect which would protect JoinMarket's privacy. The main
effect is the cost which for real-life numbers would be about 45-120
bitcoin sent to burner outputs.
Perhaps then rented TXOs is an argument against using coin age as a way
to create fidelity bonds. Hodlers would be far less likely to rent out
their coins if they have to specifically move them to a special
time-locked address. Another point is that for privacy reasons creators
of fidelity bonds should mix their coins before and after using them,
because those TXOs are revealed to the world. So it's likely that
fidelity bonds creators will need to install and run JoinMarket anyway.
Chris Belcher [ARCHIVE] /
npub1ek…lnm2u
2023-06-07 18:19:54
in reply to nevent1q…exed
Author Public Key
npub1ekvnqhww3aagwuj9t55dgj5y29u8cxdjllfv3vgppt8vc0zljhrs6lnm2uPublished at
2023-06-07 18:19:54Event JSON
{
"id": "b1523069a19b2f2b592177a1cd488c9297d7fdb1ed82f60941e38d1b2b47cba1",
"pubkey": "cd99305dce8f7a8772455d28d44a8451787c19b2ffd2c8b1010acecc3c5f95c7",
"created_at": 1686161994,
"kind": 1,
"tags": [
[
"e",
"a08dce3b67359ed00d4e2ce273a5fce8912dd2b587c89f8e261331c71b6b29ce",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2019-08-02\n📝 Original message:On 31/07/2019 16:50, Dmitry Petukhov wrote:\n\u003e В Tue, 30 Jul 2019 22:39:14 +0100\n\u003e Chris Belcher via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e\n\u003e wrote:\n\u003e \n\u003e\u003e This is where a sacrifice of V bitcoins creates a\n\u003e\u003e bond of value V^2. The formula provides a strong incentive for\n\u003e\u003e profit-motivated makers to use all their fidelity bond coins with just\n\u003e\u003e one maker, not spread them out over many makers.\n\u003e \n\u003e The attacker derives additional value from the use of\n\u003e locked utxo - the deanonimyzation capabilities.\n\u003e \n\u003e An entity M can use all of its locked coins to run a maker, and then\n\u003e earn value X. It will also incur some operational expenses in the course\n\u003e of running the maker, so the profit will be less than X.\n\u003e \n\u003e If these locked coins are given to the attacker A as a package, an\n\u003e attacker can derive a value of X+D where D is a value of increased\n\u003e deanonymization capabilities for an attacker. Operational expenses\n\u003e for an attacker are the same as before (without timelocked bonds),\n\u003e because they need to operate a lot of makers either way.\n\u003e \n\u003e If M is profit-driven and non-ideological, it can rent out all of its\n\u003e coins to A as a package, for the price X, and get the same value without\n\u003e running a maker and dedicating any resources and time to it, not\n\u003e incurring any operatinal expenses (thus having a bigger profit in the\n\u003e end).\n\u003e \n\u003e Attacker A will run a maker with M's coins, get profit X, pay X to M,\n\u003e get increased deanonymization capabilities. \n\u003e \n\u003e If renting out of utxo is done in a way that the owner always gets X\n\u003e after the lock expires, the operation will be riskless for the owner.\n\u003e The attacker will need to lock amount X along with owner's coins, but\n\u003e hopefully makes X back by running a maker operation. \n\u003e \n\u003e The price for renting out the coins will be determined on the size of\n\u003e the 'coin package', so it will not be feasible for the owners of the\n\u003e coins to rent them out separately.\n\u003e \n\u003e An attacker can even rent coins from several entities and combine them\n\u003e to create a more 'powerful' maker. If I understand correctly, such\n\u003e 'powerful' maker can have bigger profit than two less 'powerful'\n\u003e makers. It seems like a centralization risk to me.\n\u003e \n\nThere's a few different issues here.\n\nYes TXO fidelity bonds can be rented out, but that doesn't make a sybil\nattack cheaper. The aim of the fidelity bond scheme is to require makers\nto sacrifice value, renting out their fidelity bond coins doesn't avoid\nthat sacrifice because the sacrifice is the paid rent. Because of the\nmaths and market forces the rent paid by the attacker should be about\nthe same as the cost of just buying the bitcoins and locking them.\n\nCentralization and decentralization are not ends in themselves, the main\naim in JoinMarket is to improve privacy while keeping the other\nproperties of bitcoin (e.g. censorship resistance). A single maker can\nnever deanonoymize coinjoins no matter how valuable their bond is,\nbecause takers always choose multiple makers, and all of them need to be\ncontrolled by the sybil attacker for the attack to succeed. If a sybil\nattacker splits up their fidelity bonds (rented or not) amongst multiple\nmaker bots then they reduce the value of their bonds because of the V^2\nterm.\n\nRented TXOs does destroy the effect of \"A long-term holder probably\nwon't want to attack a system like JoinMarket which makes his own\ninvestment coins more private and more fungible\". However this is not\nthe main effect which would protect JoinMarket's privacy. The main\neffect is the cost which for real-life numbers would be about 45-120\nbitcoin sent to burner outputs.\n\nPerhaps then rented TXOs is an argument against using coin age as a way\nto create fidelity bonds. Hodlers would be far less likely to rent out\ntheir coins if they have to specifically move them to a special\ntime-locked address. Another point is that for privacy reasons creators\nof fidelity bonds should mix their coins before and after using them,\nbecause those TXOs are revealed to the world. So it's likely that\nfidelity bonds creators will need to install and run JoinMarket anyway.",
"sig": "2a989ec762130b46149ef9b18c623ec01715dce86d3e0cf7c2fb06d91930f2b12fccec7f6075a657d8c69192f0cd79f1717eb6a84c014d48e88f2eb63c877979"
}