public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: Dmitry Petukhov <dp@simplexum•com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Improving JoinMarket's resistance to sybil attacks using fidelity bonds
Date: Thu, 08 Aug 2019 09:35:24 +0000	[thread overview]
Message-ID: <-6u9Ut_oYRThO21GIO1G8u4LpKavq2okw0Z7KoIM0tgwg4mAYXt2TP-SgiigMofdvLhvRuwX_q7Op6DUDM_eWUCjGmIEL_VTLpAeYDNOl5c=@protonmail.com> (raw)
In-Reply-To: <jyEbDqD57bjrjd1QF72bLHmubrQxdc-WVqONP0gx-PjixLnQrLwWn9A2W_MkWwkTi_aJHSuUcLfxh2JnRp71110TtNNv8ZoDIhWAXFmuT5c=@protonmail.com>

Good morning Dmitry, and list,

> > > I wonder if there's a cryptographic way to prove that muSig and
> > > 2P-ECDSA have not been used to create a certain pubkey/signature.
> >
> > In the second scheme, to revoke/spoil the bond, the entity that
> > controls one TXO participating in this bond needs to simply prove that
> > it somehow controls/have the ability to spend that TXO.
> > In shared ownership rent scheme that ZmnSCPxj described in [1],
> > the 'TXO rentier' has a signed timelocked 'backout' transaction that
> > spends the locked TXO, and assigns the reward to rentier.
> > If we say that any transaction that spends any TXO in the bond
> > (ignoring the timelock), invalidates the bond when presented to
> > takers, then TXO rentier can revoke the bond by simply
> > publishing this transaction (not to the blockchain, but by some other
> > means so that takers can receive it).
> > The transaction validity can be verified, with the relaxed rules that
> > ignores the timelock. After it is verified, takers mark the whole
> > bond as revoked and will not consider it when chosing makers.
> > One inconvenience here is that takers need to store the
> > data about revoked bonds. But it seems to me that there's no need
> > for that information to be synchronized between the participants
> > instantly. It is enougth for takers to get the revoked-set eventually.
> > The rentier are still incentivized to not spoil the bond, to receive
> > the profit. Their funds are locked anyway.
> > But if the goal of the 'rentier' is to attack the attacker, the
> > opportunity cost of these locked funds is the cost of the attack.
> > If the renter rents TXOs from several entities to include in one bond,
> > revocation by one rentier spoils whole bond, and the total loss for all
> > participants is bigger than the oportunity cost of locked funds of a
> > single rentier that made the revocation.
> > The possibility of such revocation increases risk for the renter and
> > would-be co-rentiers, and is likely limit the possible scale of such
> > TXO-renting operation.
>
> This is quite a clever solution.
>
> Let me then attempt to break it.
>
> It is possible to encrypt data in such a way that it requires sequential operations in order to decrypt.
> https://www.gwern.net/Self-decrypting-files

I apologize, I was being daft.
There is a simpler way to break this, involving such Lightning Network tropes as revocation and punishment schemes.
Truly, Lightning Network is a great great thing.

First, we should always consider, that due to the V^2, consolidated bonds are always higher weight than unconsolidated bonds.
Thus, even without considering motives to spy on CoinJoins, the existence of the V^2 tweak implies that there will be fewer larger makers and thus easier to take over the JoinMarket system.

So, let us focus on the backout transaction.
Under a consolidated bond, this requires an n-of-n.

Now, suppose we want to identify the snitch who reports our consolidation scheme to the takers.
This can be done easily by performing n MuSig n-of-n rituals, with each ritual using different `r` nonces.
We arrange this by having each of the n consolidators be the last signers in the second round of the MuSig, and have each signer keep their own unique version of the signature for the backout, with their own unique `r` nonce.

Each participant will want to keep its own version of the signature private, because if it gives out this signature to another participant in the consolidated bond scheme, the other participant can frame them for snitching.

We can now identify the snitch, by recognizing which signature was used in the transaction that was reported to the takers.
But we have not yet identified how we can punish the snitch.

As it happens, MuSig allows Scriptless Script.
This means, it is possible for one participant in the MuSig to provide an adaptor signature.
This adaptor signature commits to a particular point.
When the MuSig is completed and the participant (who is the last signer in the second round of MuSig) reveals the completed signature, the scalar that generates the commited point can be computed by anyone who knows the adaptor signature.

This is our next step in our scheme to identify and punish snitches.
In addition to putting up their funds in a consolidated bond, each of the participants in the consolidation scheme put up a fraction of the value into revocable bonds.

This revocable bond is a Taproot with a known-NUMS point as internal Taproot key, and the script alternatives below:

    <bond_time - 1> OP_CHECKLOCKTIMEVERIFY OP_DROP <participant_key> OP_CHECKSIG

and

    <MuSig(all participants *except* this participant)> OP_CHECKSIGVERIFY <participant_snitch_key> OP_CHECKSIG

A punishment transaction spends from the revocable bond via the second alternative above, and divides it equally among the *other* participants.
THis is signed using the MuSig above (where all participants except the owner of this revocable bond are part of).

Then, before starting the n rituals to sign the backoff transaction, the participants provide adaptor signatures to their own `participant_snitch_key`, such that if they publish the backoff transaction to the takers, any of their co-participants that masquerades as a taker can find out about this and derive the private key to the `participant_snitch_key`.

So:

1.  In case all the participants cooperate with the other consolidators, then just before the bond expires, each participant can recover their revocable bond via the first alternative shown above.
    Once the revocable bond is spent back to an address they solely control, the `participant_snitch_key` is worthless.
    Then any participant can publish onchain the backoff transaction without repercussion.
2.  In case a participant snitches and reveals a pre-signed backoff to the takers before the end of the bond period, they can only reveal their own version of the signature of the backoff transaction.
    In that case, their previously-shown adaptor signature can be used to reveal the private key behind their `participant_snitch_key`.
    Then any one of the other participants in the consolidation scheme can complete the punishment transaction.

We can even ensure that setup of the whole system is atomic, by unironically CoinJoining the creation of the consolidated JoinMarket V^2 fidelity bond, in the same transaction that creates the revocable bonds that can be used to ensure that snitches are punishable.

Now you might say, "well now the bond they can put into the JoinMarket fidelity bond is smaller because of the need to put a revocable bond".
And that is right.
It also shows that the V^2 tweak is broken.

Suppose there are two makers with 1.0 BTC each.
They decide to consolidate their bond in order to increase their consolidated weight in the JoinMarket fidelity bond system.
They decide to put up 0.25BTC each for the revocable bonds, and 0.75BTC each into the consolidated JoinMarket V^2 fidelity bond.
The total consolidated bond is 1.5BTC, which has a weight 2.25x the weight of one 1.0BTC bond, or 1.125x the weight of 2x 1.0BTC bonds.
Thus consolidation pressure still exists strongly (and I would think that losing as little as 5% of your total bondable funds would be enough to discourage snitches: this example is 25%).

The scheme would not be broken if there was no V^2 tweak, and would have worked perfectly to disable consolidation, if not for the V^2 tweak.

Regards,
ZmnSCPxj


  reply	other threads:[~2019-08-08  9:35 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-25 11:47 Chris Belcher
2019-07-26  8:10 ` Tamas Blummer
2019-07-26  9:38   ` Dmitry Petukhov
2019-07-30 21:39     ` Chris Belcher
2019-07-31 15:50       ` Dmitry Petukhov
2019-08-02  9:21         ` Chris Belcher
     [not found]           ` <20190802145057.7b81c597@simplexum.com>
2019-08-05 19:04             ` Chris Belcher
2019-08-06  1:51               ` Leo Wandersleb
2019-08-06 10:27                 ` Chris Belcher
2019-08-06 13:07                   ` Leo Wandersleb
2019-08-06  2:54               ` ZmnSCPxj
2019-08-06 20:55               ` Dmitry Petukhov
2019-08-06 21:37                 ` Dmitry Petukhov
2019-08-06 23:33                   ` ZmnSCPxj
2019-08-07  9:38                     ` Chris Belcher
2019-08-07 11:20                       ` ZmnSCPxj
2019-08-07 10:05                   ` Chris Belcher
2019-08-07 11:35                     ` ZmnSCPxj
2019-08-07 15:10                     ` Dmitry Petukhov
2019-08-08  0:09                       ` ZmnSCPxj
2019-08-08  9:35                         ` ZmnSCPxj [this message]
2019-08-08 11:37                           ` Dmitry Petukhov
2019-08-08 13:59                             ` ZmnSCPxj
2019-08-08 20:06                               ` Chris Belcher
2019-08-08 12:05                       ` Dmitry Petukhov
2019-07-27 19:34 ` David A. Harding
2019-07-28 14:17   ` Tamas Blummer
2019-07-28 18:29   ` Tamas Blummer
2019-07-30 21:27   ` Chris Belcher
2019-07-31 17:59     ` David A. Harding
2019-08-02 14:24 ` Adam Gibson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='-6u9Ut_oYRThO21GIO1G8u4LpKavq2okw0Z7KoIM0tgwg4mAYXt2TP-SgiigMofdvLhvRuwX_q7Op6DUDM_eWUCjGmIEL_VTLpAeYDNOl5c=@protonmail.com' \
    --to=zmnscpxj@protonmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=dp@simplexum$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox