đź“… Original date posted:2023-08-06
🗒️ Summary of this message: The text discusses the Ark proposal, which involves three entities: the sender, receiver, and ASP. It explains the different types of transactions involved and highlights a potential weakness in the vTXLO transfer phase. The weakness allows the sender and receiver to collude and double-spend the ASP without compensation. The author suggests adding another round of interactivity to fix the weakness.
đź“ť Original message:
Hi Burak,
Thanks for the interesting Ark proposal.
>From my understanding the protocol is played between 3 entities: the
sender, the receiver and the ASP and you have 3 types of transactions:
- the pool_tx
- the ATLC-connection_tx
- the ATLC-refund_tx
The pool_tx spends an on-chain funding input and 3 outputs:
- the commitment output, committing to a set of N vTXOs outputs (e.g a tree
of promised outputs)
- the connector output, spendable by the ASP signature
- the change output, from the value overflow of the on-chain funding input
A "receiver" vTXO scriptpubkey on pool_tx N includes the following
pseudo-script: multisig(receiver, ASP) or ((pk(receiver)+24h) or
(pk(ASP)+4weeks)). From the PoV of the next pool_tx state, the receiver
becomes the sender.
A ATLC-connection_tx is associated with a pool_tx N is spending one or more
vTXOs outputs from the "sender" (i.e receiver at pool_tx N-1) and one or
more connector outputs from pool_tx N. The initial
uplifting ATLC- connection_tx spends an on-chain input from the initial
sender.
I think there is a loss of funds weakness during the vTXLO transfer phase,
i.e by leveraging an ATLC-refund transaction using the unilateral exit path.
Let's say you have Alice (the sender), Bob (the receiver) and the ASP at
state N. Alice owns a vTXO on pool_tx N:
- after 24, her vTXO N can be spend unilaterally with only her own signature
- she engages with the ASP to construct a new pool_tx N+1 paying a vTXO to
Bob (this vTXO has same relative locktime 24h)
- she reveals her signature to the ASP for the ATLC-connection_tx N+1
spending her vTXO at state N and the connector output at state N+1
- the ASP broadcasts the pool_tx N+1 and the transaction is pending in
network mempools
- Alice broadcasts her ATLC refund tx using the mature unilateral exit path
- this ATLC refund tx replaces any ATLC-connection tx pending in network
mempools
- both the ATLC refund tx for vTXO at state N and the pool_tx at state N+1
confirms
- Bob the receiver can wait 24h and then he can spend the vTXO at state N+1
unilaterally
Alice and Bob successfully colluded to "double-spend" the ASP, without this
service provider earning compensation for the pool_tx state N+1 funding
input.
If I'm correct, I don't know if this weakness can be fixed by adding
another round of interactivity between the sender and the ASP, e.g
disclosing a revocation secret for the ATLC-refund transaction, without
opening the door for the ASP to steal user by stalling the next pool_tx N+1
broadcast and waiting 4 weeks time lock expiration.
All mistakes, confusion or misunderstanding are my own. More details about
transactions, scripts and protocol phases would be appreciated.
Cheers,
Antoine
Le ven. 26 mai 2023 Ă 16:27, Burak Keceli via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> a Ă©crit :
> Hi David,
>
> Ark can be used for three purposes:
>
> 1. Mixing coins.
> Ark is a scalable, footprint-minimal off-chain mixer. People can use Ark
> to mix their coins with others. This doesn’t require waiting for on-chain
> confirmations since you’re mixing your own coins with others.
>
> 2. Paying lightning invoices
> Ark is interoperable with Lightning, and you can use your Ark funds to pay
> Lightning invoices in a conjoin. This also doesn’t require waiting for
> on-chain confirmations since you consider your payment “done” when you
> obtain the vendor's preimage.
>
> 3. Making internal transfers
> You can use your Ark funds to make internal money transfers without
> introducing inbound liquidity assumptions. The recipient-end has to wait
> for several on-chain confirmations to consider their payment “final”,
> however, their payment has immediate availability to them. Recipients can
> spend their zero-conf funds to pay Lightning invoices in coordination with
> their service provider. If we want to enable Lightning-style instant
> settlement assurances for the internal transfers, we need OP_XOR or OP_CAT
> on the base layer [1].
>
>
> I think you get the gist of it, but I lost you after ”Bob wants to deposit
> 1 BTC with Alice.” sorry.
>
> The initial onboarding phase is non-interactive, and there is no PSBT
> involved. Onboarding (or lifting) is as simple as funding a Bitcoin
> address.
>
> Here I have refactored it for you:
> Bob wants to deposit 1 BTC with Alice. Bob asks his friend Charlie to send
> 1 BTC to an on-chain Bitcoin address whose script is:
> pk(B) && (older(4 weeks) || pk(A))
>
> From here, there are several things that Bob can do:
> - *Unilaterally withdraw:*
> If Alice happens to be non-collaborative or non-responsive, Bob can simply
> take his 1 BTC back after four weeks.
>
> - *Collaboratively withdraw:*
> Bob and Alice can sign from the 2-of-2 to collaboratively withdraw 1 BTC
> anytime.
>
> - *Collaboratively trade commitments:*
> Alice crafts a transaction containing three outputs; (a) a commitment
> output, (b) a connector output, and (c) a change output. We call this
> transaction “pool”.
> (a) commitment output
> Commitment output (either using CTV or n-of-n multisig) constrains its
> descendant transaction to a set of transaction outputs. To simplify things,
> let’s say there are no other participants in this transaction besides Bob,
> and the descendant transaction has only one output. We call this output
> Bob’s vTXO. Bob’s vTXO also constrains (using CTV or 2-of-2 multisig) its
> descendant transaction to a single transaction output called Bob’s ATLC.
> Bob’s ATLC contains the following script:
> pk(B) && (older(4 weeks) || pk(A))
> As you realize “ATLC” script is identical to the “Funding address” script.
>
> (b) connectors output
> Connectors output is simply a single-sig output spendable by Alice herself:
> pk(A)
>
> Alice locally crafts a descending transaction from this output, spending
> “connectors output” to fund a new output. We call this output a
> ”connector,” which always carries a dust value and is spendable by Alice
> herself:
> pk(A)
>
> In short, Alice crafts a Bitcoin transaction that spends an input that she
> controls and funds an output that she controls. Alice does not broadcast
> this transaction and keeps it secret.
>
> (c) change output
> money not used for the other two outputs gets sent back to Alice.
>
> 1. Alice places one (or more) input(s) to her “pool” transaction to supply
> funds to commitment output, connectors output, change output, and
> transaction fees.
>
> 2. Bob creates an unsigned PSBT, placing the input that Charlie was
> previously funded.
>
> 3. Bob passes his PSBT to Alice.
>
> 4. Alice places one input to PSBT, the ”connector output,” which is a
> descendant of the (b) connectors output she is crafting.
>
> 5. Alice places one output to PSBT, a single-sig output that sweeps all
> money to herself (pk(A)).
>
> 6. Alice passes PSBT to Bob. Alice and Bob sign the PSBT and keeps this
> transaction private. This transaction is not valid yet, since the
> connector’s outpoint context does not exist.
>
> 7. Alice signs her one-in, three-out and broadcasts it.
>
> 8. Alice can now claim 1 BTC Charlie has previously funded by revealing
> the descendant transaction of (b) connectors output. She should claim this
> before four weeks.
>
> 9. Bob now has a 1 BTC worth UTXO representation as a descendant of the
> (a) commitment output (a virtual UTXO). He can unilaterally claim this 1
> BTC by revealing the child (Bob’s vTXO) and grandchild (Bob’s ATLC) of the
> (a) commitments output, then waiting a 24-hour window period.
>
> So far, Charlie polluted on-chain by funding an address, and Alice by
> claiming funds from that address. Further steps from here will be footprint
> minimal.
>
> 1. Say, Bob wants to send 1 BTC to Dave.
>
> 2. Alice crafts a transaction containing three outputs; (a) a commitment
> output, (b) a connector output, and (c) a change output. This time
> descendant of (a) commitment output is Daves’s vTXO instead of Bob’s.
> Similarly descendant of Daves’s vTXO is Dave’s ATLC. Dave’s ATLC is:
> pk(D) && (older(4 weeks) || pk(A))
>
> 3. Alice places one connector output as a descendant of (b) connectors
> output, just like before.
>
> 4. Alice places one input to her one-in, three-out transaction to supply
> funds to commitment output, connectors output, change output, and
> transaction fees.
>
> 5. Bob creates an unsigned PSBT, placing his 1-BTC-worth virtual UTXO from
> the (a) commitment output descendants that Alice previously
>
> 6. Bob passes his PSBT to Alice.
>
> 7. Alice places one input to PSBT, the ”connector output,” which is a
> descendant of the (b) connectors output she is crafting.
>
> 8. Alice places one output to PSBT, a single-sig output that sweeps all
> money to herself (pk(A)).
>
> 9. Alice passes PSBT to Bob. Alice and Bob sign the PSBT and keeps this
> transaction private.
>
> 10. Alice signs her one-in, three-out transaction and broadcasts it.
>
> 11. Bob lets Dave know about this transaction (Alice’s transaction id,
> Dave’s vTXO output index) out-of-band.
>
> 12. When Dave comes back online, he sees from the out-of-band message that
> Bob sent him 1-BTC. He then verifies whether Alice’s transaction id exists,
> whether his vTXO output index is correct, and a set of other validations.
>
> 13. If Dave had been online all this time, he would have had to wait for
> enough confirmations to consider his payment “final.”
>
> [1] https://eprint.iacr.org/2017/394.pdf
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230806/ea402b43/attachment-0001.html>;
Antoine Riard [ARCHIVE] /
npub1vj…4x8dd
2023-08-06 23:37:36
in reply to nevent1q…92ry
Author Public Key
npub1vjzmc45k8dgujppapp2ue20h3l9apnsntgv4c0ukncvv549q64gsz4x8ddPublished at
2023-08-06 23:37:36Event JSON
{
"id": "4c0d3ef00904bb94e9f031a39e3bad754e92050af873c5e941fdb1bb17a880b9",
"pubkey": "6485bc56963b51c9043d0855cca9f78fcbd0ce135a195c3f969e18ca54a0d551",
"created_at": 1691365056,
"kind": 1,
"tags": [
[
"e",
"eba56aa9d4b2592aa8555b2eb14dc308e243ea4921af98543011181b6891c484",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2023-08-06\n🗒️ Summary of this message: The text discusses the Ark proposal, which involves three entities: the sender, receiver, and ASP. It explains the different types of transactions involved and highlights a potential weakness in the vTXLO transfer phase. The weakness allows the sender and receiver to collude and double-spend the ASP without compensation. The author suggests adding another round of interactivity to fix the weakness.\n📝 Original message:\nHi Burak,\n\nThanks for the interesting Ark proposal.\n\n\u003eFrom my understanding the protocol is played between 3 entities: the\nsender, the receiver and the ASP and you have 3 types of transactions:\n- the pool_tx\n- the ATLC-connection_tx\n- the ATLC-refund_tx\n\nThe pool_tx spends an on-chain funding input and 3 outputs:\n- the commitment output, committing to a set of N vTXOs outputs (e.g a tree\nof promised outputs)\n- the connector output, spendable by the ASP signature\n- the change output, from the value overflow of the on-chain funding input\n\nA \"receiver\" vTXO scriptpubkey on pool_tx N includes the following\npseudo-script: multisig(receiver, ASP) or ((pk(receiver)+24h) or\n(pk(ASP)+4weeks)). From the PoV of the next pool_tx state, the receiver\nbecomes the sender.\n\nA ATLC-connection_tx is associated with a pool_tx N is spending one or more\nvTXOs outputs from the \"sender\" (i.e receiver at pool_tx N-1) and one or\nmore connector outputs from pool_tx N. The initial\nuplifting ATLC- connection_tx spends an on-chain input from the initial\nsender.\n\nI think there is a loss of funds weakness during the vTXLO transfer phase,\ni.e by leveraging an ATLC-refund transaction using the unilateral exit path.\n\nLet's say you have Alice (the sender), Bob (the receiver) and the ASP at\nstate N. Alice owns a vTXO on pool_tx N:\n- after 24, her vTXO N can be spend unilaterally with only her own signature\n- she engages with the ASP to construct a new pool_tx N+1 paying a vTXO to\nBob (this vTXO has same relative locktime 24h)\n- she reveals her signature to the ASP for the ATLC-connection_tx N+1\nspending her vTXO at state N and the connector output at state N+1\n- the ASP broadcasts the pool_tx N+1 and the transaction is pending in\nnetwork mempools\n- Alice broadcasts her ATLC refund tx using the mature unilateral exit path\n- this ATLC refund tx replaces any ATLC-connection tx pending in network\nmempools\n- both the ATLC refund tx for vTXO at state N and the pool_tx at state N+1\nconfirms\n- Bob the receiver can wait 24h and then he can spend the vTXO at state N+1\nunilaterally\n\nAlice and Bob successfully colluded to \"double-spend\" the ASP, without this\nservice provider earning compensation for the pool_tx state N+1 funding\ninput.\n\nIf I'm correct, I don't know if this weakness can be fixed by adding\nanother round of interactivity between the sender and the ASP, e.g\ndisclosing a revocation secret for the ATLC-refund transaction, without\nopening the door for the ASP to steal user by stalling the next pool_tx N+1\nbroadcast and waiting 4 weeks time lock expiration.\n\nAll mistakes, confusion or misunderstanding are my own. More details about\ntransactions, scripts and protocol phases would be appreciated.\n\nCheers,\nAntoine\n\nLe ven. 26 mai 2023 à 16:27, Burak Keceli via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e a écrit :\n\n\u003e Hi David,\n\u003e\n\u003e Ark can be used for three purposes:\n\u003e\n\u003e 1. Mixing coins.\n\u003e Ark is a scalable, footprint-minimal off-chain mixer. People can use Ark\n\u003e to mix their coins with others. This doesn’t require waiting for on-chain\n\u003e confirmations since you’re mixing your own coins with others.\n\u003e\n\u003e 2. Paying lightning invoices\n\u003e Ark is interoperable with Lightning, and you can use your Ark funds to pay\n\u003e Lightning invoices in a conjoin. This also doesn’t require waiting for\n\u003e on-chain confirmations since you consider your payment “done” when you\n\u003e obtain the vendor's preimage.\n\u003e\n\u003e 3. Making internal transfers\n\u003e You can use your Ark funds to make internal money transfers without\n\u003e introducing inbound liquidity assumptions. The recipient-end has to wait\n\u003e for several on-chain confirmations to consider their payment “final”,\n\u003e however, their payment has immediate availability to them. Recipients can\n\u003e spend their zero-conf funds to pay Lightning invoices in coordination with\n\u003e their service provider. If we want to enable Lightning-style instant\n\u003e settlement assurances for the internal transfers, we need OP_XOR or OP_CAT\n\u003e on the base layer [1].\n\u003e\n\u003e\n\u003e I think you get the gist of it, but I lost you after ”Bob wants to deposit\n\u003e 1 BTC with Alice.” sorry.\n\u003e\n\u003e The initial onboarding phase is non-interactive, and there is no PSBT\n\u003e involved. Onboarding (or lifting) is as simple as funding a Bitcoin\n\u003e address.\n\u003e\n\u003e Here I have refactored it for you:\n\u003e Bob wants to deposit 1 BTC with Alice. Bob asks his friend Charlie to send\n\u003e 1 BTC to an on-chain Bitcoin address whose script is:\n\u003e pk(B) \u0026\u0026 (older(4 weeks) || pk(A))\n\u003e\n\u003e From here, there are several things that Bob can do:\n\u003e - *Unilaterally withdraw:*\n\u003e If Alice happens to be non-collaborative or non-responsive, Bob can simply\n\u003e take his 1 BTC back after four weeks.\n\u003e\n\u003e - *Collaboratively withdraw:*\n\u003e Bob and Alice can sign from the 2-of-2 to collaboratively withdraw 1 BTC\n\u003e anytime.\n\u003e\n\u003e - *Collaboratively trade commitments:*\n\u003e Alice crafts a transaction containing three outputs; (a) a commitment\n\u003e output, (b) a connector output, and (c) a change output. We call this\n\u003e transaction “pool”.\n\u003e (a) commitment output\n\u003e Commitment output (either using CTV or n-of-n multisig) constrains its\n\u003e descendant transaction to a set of transaction outputs. To simplify things,\n\u003e let’s say there are no other participants in this transaction besides Bob,\n\u003e and the descendant transaction has only one output. We call this output\n\u003e Bob’s vTXO. Bob’s vTXO also constrains (using CTV or 2-of-2 multisig) its\n\u003e descendant transaction to a single transaction output called Bob’s ATLC.\n\u003e Bob’s ATLC contains the following script:\n\u003e pk(B) \u0026\u0026 (older(4 weeks) || pk(A))\n\u003e As you realize “ATLC” script is identical to the “Funding address” script.\n\u003e\n\u003e (b) connectors output\n\u003e Connectors output is simply a single-sig output spendable by Alice herself:\n\u003e pk(A)\n\u003e\n\u003e Alice locally crafts a descending transaction from this output, spending\n\u003e “connectors output” to fund a new output. We call this output a\n\u003e ”connector,” which always carries a dust value and is spendable by Alice\n\u003e herself:\n\u003e pk(A)\n\u003e\n\u003e In short, Alice crafts a Bitcoin transaction that spends an input that she\n\u003e controls and funds an output that she controls. Alice does not broadcast\n\u003e this transaction and keeps it secret.\n\u003e\n\u003e (c) change output\n\u003e money not used for the other two outputs gets sent back to Alice.\n\u003e\n\u003e 1. Alice places one (or more) input(s) to her “pool” transaction to supply\n\u003e funds to commitment output, connectors output, change output, and\n\u003e transaction fees.\n\u003e\n\u003e 2. Bob creates an unsigned PSBT, placing the input that Charlie was\n\u003e previously funded.\n\u003e\n\u003e 3. Bob passes his PSBT to Alice.\n\u003e\n\u003e 4. Alice places one input to PSBT, the ”connector output,” which is a\n\u003e descendant of the (b) connectors output she is crafting.\n\u003e\n\u003e 5. Alice places one output to PSBT, a single-sig output that sweeps all\n\u003e money to herself (pk(A)).\n\u003e\n\u003e 6. Alice passes PSBT to Bob. Alice and Bob sign the PSBT and keeps this\n\u003e transaction private. This transaction is not valid yet, since the\n\u003e connector’s outpoint context does not exist.\n\u003e\n\u003e 7. Alice signs her one-in, three-out and broadcasts it.\n\u003e\n\u003e 8. Alice can now claim 1 BTC Charlie has previously funded by revealing\n\u003e the descendant transaction of (b) connectors output. She should claim this\n\u003e before four weeks.\n\u003e\n\u003e 9. Bob now has a 1 BTC worth UTXO representation as a descendant of the\n\u003e (a) commitment output (a virtual UTXO). He can unilaterally claim this 1\n\u003e BTC by revealing the child (Bob’s vTXO) and grandchild (Bob’s ATLC) of the\n\u003e (a) commitments output, then waiting a 24-hour window period.\n\u003e\n\u003e So far, Charlie polluted on-chain by funding an address, and Alice by\n\u003e claiming funds from that address. Further steps from here will be footprint\n\u003e minimal.\n\u003e\n\u003e 1. Say, Bob wants to send 1 BTC to Dave.\n\u003e\n\u003e 2. Alice crafts a transaction containing three outputs; (a) a commitment\n\u003e output, (b) a connector output, and (c) a change output. This time\n\u003e descendant of (a) commitment output is Daves’s vTXO instead of Bob’s.\n\u003e Similarly descendant of Daves’s vTXO is Dave’s ATLC. Dave’s ATLC is:\n\u003e pk(D) \u0026\u0026 (older(4 weeks) || pk(A))\n\u003e\n\u003e 3. Alice places one connector output as a descendant of (b) connectors\n\u003e output, just like before.\n\u003e\n\u003e 4. Alice places one input to her one-in, three-out transaction to supply\n\u003e funds to commitment output, connectors output, change output, and\n\u003e transaction fees.\n\u003e\n\u003e 5. Bob creates an unsigned PSBT, placing his 1-BTC-worth virtual UTXO from\n\u003e the (a) commitment output descendants that Alice previously\n\u003e\n\u003e 6. Bob passes his PSBT to Alice.\n\u003e\n\u003e 7. Alice places one input to PSBT, the ”connector output,” which is a\n\u003e descendant of the (b) connectors output she is crafting.\n\u003e\n\u003e 8. Alice places one output to PSBT, a single-sig output that sweeps all\n\u003e money to herself (pk(A)).\n\u003e\n\u003e 9. Alice passes PSBT to Bob. Alice and Bob sign the PSBT and keeps this\n\u003e transaction private.\n\u003e\n\u003e 10. Alice signs her one-in, three-out transaction and broadcasts it.\n\u003e\n\u003e 11. Bob lets Dave know about this transaction (Alice’s transaction id,\n\u003e Dave’s vTXO output index) out-of-band.\n\u003e\n\u003e 12. When Dave comes back online, he sees from the out-of-band message that\n\u003e Bob sent him 1-BTC. He then verifies whether Alice’s transaction id exists,\n\u003e whether his vTXO output index is correct, and a set of other validations.\n\u003e\n\u003e 13. If Dave had been online all this time, he would have had to wait for\n\u003e enough confirmations to consider his payment “final.”\n\u003e\n\u003e [1] https://eprint.iacr.org/2017/394.pdf\n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230806/ea402b43/attachment-0001.html\u003e",
"sig": "44628f1a7a9eef270b4ea2865dd56e3bb743cf5583db2939cb30c42d88d0786a55b27a64381a3125e198bb32a95376220a220f7e23e3fec5ca795d04b810e85c"
}