* [bitcoin-dev] BIP clearing house addresses @ 2016-08-03 18:16 Matthew Roberts 2016-08-03 21:13 ` Troy Benjegerdes ` (3 more replies) 0 siblings, 4 replies; 16+ messages in thread From: Matthew Roberts @ 2016-08-03 18:16 UTC (permalink / raw) To: bitcoin-dev [-- Attachment #1: Type: text/plain, Size: 1745 bytes --] In light of the recent hack: what does everyone think of the idea of creating a new address type that has a reversal key and settlement layer that can be used to revoke transactions? You could specify so that transactions "sent" from these addresses must receive N confirmations before they can't be revoked, after which the transaction is "settled" and the coins become redeemable from their destination output. A settlement phase would also mean that a transaction's progress was publicly visible so transparent fraud prevention and auditing would become possible by anyone. The reason why I bring this up is existing OP codes and TX types don't seem suitable for a secure clearing mechanism; Nlocktimed TXs won't work for this since you can't know ahead of time when and where a withdrawal needs to be made, plus there's still the potential for key mismanagement; Similar problems with OP_CHECKLOCKTIMEVERIFY apply too – unless you keep a private key around on the server which would defeat the purpose. The main use case here, would be specifically to improve centralized exchange security by making it impossible for a hot wallet to be raided all at once. Thoughts? Some existing background: http://hackingdistributed.com/2016/08/03/how-bitfinex-heist-could-have-been-avoided/ -- Proposed the basic idea for a time-based clearing house but using blockchains directly, this is a much better idea than my own. roberts.pm/timechain -- My original paper written in 2015 which proposed a similar idea for secure wallet design but implemented using time-locked ECDSA keys. Obviously a blockchain would work better for this. Other -- if the idea has already been brought up by other people, I apologize. [-- Attachment #2: Type: text/html, Size: 2292 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-03 18:16 [bitcoin-dev] BIP clearing house addresses Matthew Roberts @ 2016-08-03 21:13 ` Troy Benjegerdes 2016-08-03 23:55 ` Tier Nolan ` (2 subsequent siblings) 3 siblings, 0 replies; 16+ messages in thread From: Troy Benjegerdes @ 2016-08-03 21:13 UTC (permalink / raw) To: Matthew Roberts, Bitcoin Protocol Discussion On Thu, Aug 04, 2016 at 04:16:20AM +1000, Matthew Roberts via bitcoin-dev wrote: > In light of the recent hack: what does everyone think of the idea of > creating a new address type that has a reversal key and settlement layer > that can be used to revoke transactions? I think many of us who think about human - computer interactions see the need for a well defined process to roll back unexpected behavior in a computer system. My 2014 era proposal is https://bitbucket.org/tmagik/catoshi/issues/24 The fundamental assumption around cryptocoins is you have a secret (private key) known only by you. Currently in bitcoin if that assumption changes, the response is blame the user. 'Incompetence, etc, etc' This is bad business. For any cryptocurrency to really get mass market, we need to provide our users with key revocation, to be used when the assumption about being the only holder of a secret is broken. I think there's a hardfork-worthy choice here: 1) implement reversal/revocation as an add-on feature 2) implement reversal/revocation as a fundamental that every address gets. Ethereum made a quick hardfork choice to reverse a *single* instance of unexpected behavior, and looks a lot like a bank bailout. We have the chance to learn from this mistake, and, apparently, make a lot of money trading on both sides of the hardfork. > You could specify so that transactions "sent" from these addresses must > receive N confirmations before they can't be revoked, after which the > transaction is "settled" and the coins become redeemable from their > destination output. A settlement phase would also mean that a transaction's > progress was publicly visible so transparent fraud prevention and auditing > would become possible by anyone. > > The reason why I bring this up is existing OP codes and TX types don't seem > suitable for a secure clearing mechanism; Nlocktimed TXs won't work for > this since you can't know ahead of time when and where a withdrawal needs > to be made, plus there's still the potential for key mismanagement; Similar > problems with OP_CHECKLOCKTIMEVERIFY apply too ??? unless you keep a private > key around on the server which would defeat the purpose. The main use case > here, would be specifically to improve centralized exchange security by > making it impossible for a hot wallet to be raided all at once. > > Thoughts? > > Some existing background: > > http://hackingdistributed.com/2016/08/03/how-bitfinex-heist-could-have-been-avoided/ > -- Proposed the basic idea for a time-based clearing house but using > blockchains directly, this is a much better idea than my own. > > roberts.pm/timechain -- My original paper written in 2015 which proposed a > similar idea for secure wallet design but implemented using time-locked > ECDSA keys. Obviously a blockchain would work better for this. > > Other -- if the idea has already been brought up by other people, I > apologize. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-03 18:16 [bitcoin-dev] BIP clearing house addresses Matthew Roberts 2016-08-03 21:13 ` Troy Benjegerdes @ 2016-08-03 23:55 ` Tier Nolan 2016-08-04 2:07 ` Matthew Roberts 2016-08-04 3:27 ` Luke Dashjr 2016-08-06 10:39 ` s7r 3 siblings, 1 reply; 16+ messages in thread From: Tier Nolan @ 2016-08-03 23:55 UTC (permalink / raw) To: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 1351 bytes --] On Wed, Aug 3, 2016 at 7:16 PM, Matthew Roberts via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > The reason why I bring this up is existing OP codes and TX types don't > seem suitable for a secure clearing mechanism; > I think reversing transactions is not likely to be acceptable. You could add an opcode that requires that an output be set to something. [target script] SPENDTO This would require that [target script] is the script for the corresponding output. This is a purely local check. For example, if SPENDTO executes as part of the script for input 3, then it checks that output 3 uses the given script as its scriptPubKey. The value of input 3 and output 3 would have to be the same too. This allows check sequence verify to be used to lock the spending script for a while. This doesn't allow reversal, but would give a 24 hour window where the spenders can reverse the transaction. [IF <1 day> CSV DROP <live public key> CHECKSIG ELSE <offline protected key> CHECKSIG] SPENDTO <live public key2> CHECKSIG Someone with the live public key can create a transaction that spends the funds to the script in the square brackets. Once that transaction hits the blockchain, then someone with the <offline protected key> has 24 hours to spend the output before the person with the live keys can send the funds onward. [-- Attachment #2: Type: text/html, Size: 1865 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-03 23:55 ` Tier Nolan @ 2016-08-04 2:07 ` Matthew Roberts 0 siblings, 0 replies; 16+ messages in thread From: Matthew Roberts @ 2016-08-04 2:07 UTC (permalink / raw) To: Tier Nolan, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2107 bytes --] This would honestly work. It forces the attacker to go through with the clearing phase which simultaneously makes it possible to "cancel" the TX through another logic branch before the timeout occurs. I'd say that would meet the needs of a clearing mechanism / fraud prevention system for an exchange perfectly while requiring minimal changes to the software. Very, very smart idea. A++, would read again. On Thu, Aug 4, 2016 at 9:55 AM, Tier Nolan via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > On Wed, Aug 3, 2016 at 7:16 PM, Matthew Roberts via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> The reason why I bring this up is existing OP codes and TX types don't >> seem suitable for a secure clearing mechanism; >> > > I think reversing transactions is not likely to be acceptable. You could > add an opcode that requires that an output be set to something. > > [target script] SPENDTO > > This would require that [target script] is the script for the > corresponding output. This is a purely local check. > > For example, if SPENDTO executes as part of the script for input 3, then > it checks that output 3 uses the given script as its scriptPubKey. The > value of input 3 and output 3 would have to be the same too. > > This allows check sequence verify to be used to lock the spending script > for a while. This doesn't allow reversal, but would give a 24 hour window > where the spenders can reverse the transaction. > > [IF <1 day> CSV DROP <live public key> CHECKSIG ELSE <offline protected > key> CHECKSIG] SPENDTO <live public key2> CHECKSIG > > Someone with the live public key can create a transaction that spends the > funds to the script in the square brackets. > > Once that transaction hits the blockchain, then someone with the <offline > protected key> has 24 hours to spend the output before the person with the > live keys can send the funds onward. > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > [-- Attachment #2: Type: text/html, Size: 3120 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-03 18:16 [bitcoin-dev] BIP clearing house addresses Matthew Roberts 2016-08-03 21:13 ` Troy Benjegerdes 2016-08-03 23:55 ` Tier Nolan @ 2016-08-04 3:27 ` Luke Dashjr 2016-08-04 3:49 ` Andrew Johnson 2016-08-06 10:39 ` s7r 3 siblings, 1 reply; 16+ messages in thread From: Luke Dashjr @ 2016-08-04 3:27 UTC (permalink / raw) To: bitcoin-dev, Matthew Roberts On Wednesday, August 03, 2016 6:16:20 PM Matthew Roberts via bitcoin-dev wrote: > In light of the recent hack: what does everyone think of the idea of > creating a new address type that has a reversal key and settlement layer > that can be used to revoke transactions? This isn't something that makes sense at the address, since it represents the recipient and not the sender. Transactions are not sent from addresses ever. > You could specify so that transactions "sent" from these addresses must > receive N confirmations before they can't be revoked, after which the > transaction is "settled" and the coins become redeemable from their > destination output. A settlement phase would also mean that a transaction's > progress was publicly visible so transparent fraud prevention and auditing > would become possible by anyone. This is already possible. Just nLockTime your withdrawls for some future block. Don't sign any transaction that isn't nLockTime'd at least N blocks beyond the present tip. Luke ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-04 3:27 ` Luke Dashjr @ 2016-08-04 3:49 ` Andrew Johnson 2016-08-04 4:53 ` Matthew Roberts 0 siblings, 1 reply; 16+ messages in thread From: Andrew Johnson @ 2016-08-04 3:49 UTC (permalink / raw) To: Luke Dashjr, Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 2486 bytes --] "This is already possible. Just nLockTime your withdrawls for some future block. Don't sign any transaction that isn't nLockTime'd at least N blocks beyond the present tip." This would have prevented the Bitfinex hack if BitGo did this, but it wouldn't have helped if the Bitfinex offline key had been compromised instead of BitGo doing the 2nd sig. In the BFX hack the TXNs were signed by Bitfinex's hot key and BitGo's key, they required 2 of 2. If I'm understanding correctly, what Matthew is proposing is a new type of UTXO that is only valid to be spent as an nLockTime transaction and can be reversed by some sort of RBF-type transaction within that time period, I believe. But I don't think this will work. What do you do if the keys are compromised? What's to stop the attacker from locking the coins up indefinitely by repeatedly broadcasting a refund transaction each time you try to spend to an uncompromised address? You'd need a third distinct key required for the refund TXN that's separate from the keys used to sign the initial nLockTime TXN. And the refund TXN would need to be able to go to a new address entirely. On Aug 3, 2016 11:28 PM, "Luke Dashjr via bitcoin-dev" < bitcoin-dev@lists•linuxfoundation.org> wrote: > On Wednesday, August 03, 2016 6:16:20 PM Matthew Roberts via bitcoin-dev > wrote: > > In light of the recent hack: what does everyone think of the idea of > > creating a new address type that has a reversal key and settlement layer > > that can be used to revoke transactions? > > This isn't something that makes sense at the address, since it represents > the > recipient and not the sender. Transactions are not sent from addresses > ever. > > > You could specify so that transactions "sent" from these addresses must > > receive N confirmations before they can't be revoked, after which the > > transaction is "settled" and the coins become redeemable from their > > destination output. A settlement phase would also mean that a > transaction's > > progress was publicly visible so transparent fraud prevention and > auditing > > would become possible by anyone. > > This is already possible. Just nLockTime your withdrawls for some future > block. Don't sign any transaction that isn't nLockTime'd at least N blocks > beyond the present tip. > > Luke > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 3225 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-04 3:49 ` Andrew Johnson @ 2016-08-04 4:53 ` Matthew Roberts 2016-08-04 12:43 ` Erik Aronesty 0 siblings, 1 reply; 16+ messages in thread From: Matthew Roberts @ 2016-08-04 4:53 UTC (permalink / raw) To: Andrew Johnson; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 4064 bytes --] >This is already possible. Just nLockTime your withdrawls for some future block. Don't sign any transaction that isn't nLockTime'd at least N blocks beyond the present tip. The problem with nLockTimed transactions is a centralized exchange isn't going to know ahead of time where those locked transactions need to go or the amount that needs to be signed so you will end up having to keep the private key around. If there was a way to create these transactions offline with special SIG_HASH flags (and I don't think there is) there's nothing about nLockTime that forces that the transactions be broadcast straight away and plus: since the TXs aren't confirmed until the lock-time expires they can be overwritten anyway. I think given the requirements that a centralized exchange has: TierNolan's idea is the best so far. Essentially, you have a new type of output script that forces the redeemer to use a designated output script template in the redeeming transaction, meaning that you can actually force people to send coins into another transaction with "relative lock-timed" outputs. The new transaction can then only be redeemed at the destination after the relative lock-time expires OR it can be moved before-hand to a designated off-line recovery address. This is much better than creating a new transaction system, IMO. >And the refund TXN would need to be able to go to a new address entirely. Agreed. On Thu, Aug 4, 2016 at 1:49 PM, Andrew Johnson <andrew.johnson83@gmail•com> wrote: > "This is already possible. Just nLockTime your withdrawls for some future > block. Don't sign any transaction that isn't nLockTime'd at least N blocks > beyond the present tip." > > This would have prevented the Bitfinex hack if BitGo did this, but it > wouldn't have helped if the Bitfinex offline key had been compromised > instead of BitGo doing the 2nd sig. In the BFX hack the TXNs were signed > by Bitfinex's hot key and BitGo's key, they required 2 of 2. > > If I'm understanding correctly, what Matthew is proposing is a new type of > UTXO that is only valid to be spent as an nLockTime transaction and can be > reversed by some sort of RBF-type transaction within that time period, I > believe. > > But I don't think this will work. What do you do if the keys are > compromised? What's to stop the attacker from locking the coins up > indefinitely by repeatedly broadcasting a refund transaction each time you > try to spend to an uncompromised address? > > You'd need a third distinct key required for the refund TXN that's > separate from the keys used to sign the initial nLockTime TXN. And the > refund TXN would need to be able to go to a new address entirely. > > On Aug 3, 2016 11:28 PM, "Luke Dashjr via bitcoin-dev" < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> On Wednesday, August 03, 2016 6:16:20 PM Matthew Roberts via bitcoin-dev >> wrote: >> > In light of the recent hack: what does everyone think of the idea of >> > creating a new address type that has a reversal key and settlement layer >> > that can be used to revoke transactions? >> >> This isn't something that makes sense at the address, since it represents >> the >> recipient and not the sender. Transactions are not sent from addresses >> ever. >> >> > You could specify so that transactions "sent" from these addresses must >> > receive N confirmations before they can't be revoked, after which the >> > transaction is "settled" and the coins become redeemable from their >> > destination output. A settlement phase would also mean that a >> transaction's >> > progress was publicly visible so transparent fraud prevention and >> auditing >> > would become possible by anyone. >> >> This is already possible. Just nLockTime your withdrawls for some future >> block. Don't sign any transaction that isn't nLockTime'd at least N blocks >> beyond the present tip. >> >> Luke >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > [-- Attachment #2: Type: text/html, Size: 5276 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-04 4:53 ` Matthew Roberts @ 2016-08-04 12:43 ` Erik Aronesty 0 siblings, 0 replies; 16+ messages in thread From: Erik Aronesty @ 2016-08-04 12:43 UTC (permalink / raw) To: Matthew Roberts, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 4587 bytes --] https://www.reddit.com/r/Bitcoin/comments/4w016b/use_of_payment_channels_to_mitigate_exchange_risk/ On Thu, Aug 4, 2016 at 12:53 AM, Matthew Roberts via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > >This is already possible. Just nLockTime your withdrawls for some future > block. Don't sign any transaction that isn't nLockTime'd at least N blocks > beyond the present tip. > > The problem with nLockTimed transactions is a centralized exchange isn't > going to know ahead of time where those locked transactions need to go or > the amount that needs to be signed so you will end up having to keep the > private key around. If there was a way to create these transactions offline > with special SIG_HASH flags (and I don't think there is) there's nothing > about nLockTime that forces that the transactions be broadcast straight > away and plus: since the TXs aren't confirmed until the lock-time expires > they can be overwritten anyway. > > I think given the requirements that a centralized exchange has: > TierNolan's idea is the best so far. Essentially, you have a new type of > output script that forces the redeemer to use a designated output script > template in the redeeming transaction, meaning that you can actually force > people to send coins into another transaction with "relative lock-timed" > outputs. The new transaction can then only be redeemed at the destination > after the relative lock-time expires OR it can be moved before-hand to a > designated off-line recovery address. This is much better than creating a > new transaction system, IMO. > > >And the refund TXN would need to be able to go to a new address entirely. > > Agreed. > > On Thu, Aug 4, 2016 at 1:49 PM, Andrew Johnson <andrew.johnson83@gmail•com > > wrote: > >> "This is already possible. Just nLockTime your withdrawls for some future >> block. Don't sign any transaction that isn't nLockTime'd at least N blocks >> beyond the present tip." >> >> This would have prevented the Bitfinex hack if BitGo did this, but it >> wouldn't have helped if the Bitfinex offline key had been compromised >> instead of BitGo doing the 2nd sig. In the BFX hack the TXNs were signed >> by Bitfinex's hot key and BitGo's key, they required 2 of 2. >> >> If I'm understanding correctly, what Matthew is proposing is a new type >> of UTXO that is only valid to be spent as an nLockTime transaction and can >> be reversed by some sort of RBF-type transaction within that time period, I >> believe. >> >> But I don't think this will work. What do you do if the keys are >> compromised? What's to stop the attacker from locking the coins up >> indefinitely by repeatedly broadcasting a refund transaction each time you >> try to spend to an uncompromised address? >> >> You'd need a third distinct key required for the refund TXN that's >> separate from the keys used to sign the initial nLockTime TXN. And the >> refund TXN would need to be able to go to a new address entirely. >> >> On Aug 3, 2016 11:28 PM, "Luke Dashjr via bitcoin-dev" < >> bitcoin-dev@lists•linuxfoundation.org> wrote: >> >>> On Wednesday, August 03, 2016 6:16:20 PM Matthew Roberts via bitcoin-dev >>> wrote: >>> > In light of the recent hack: what does everyone think of the idea of >>> > creating a new address type that has a reversal key and settlement >>> layer >>> > that can be used to revoke transactions? >>> >>> This isn't something that makes sense at the address, since it >>> represents the >>> recipient and not the sender. Transactions are not sent from addresses >>> ever. >>> >>> > You could specify so that transactions "sent" from these addresses must >>> > receive N confirmations before they can't be revoked, after which the >>> > transaction is "settled" and the coins become redeemable from their >>> > destination output. A settlement phase would also mean that a >>> transaction's >>> > progress was publicly visible so transparent fraud prevention and >>> auditing >>> > would become possible by anyone. >>> >>> This is already possible. Just nLockTime your withdrawls for some future >>> block. Don't sign any transaction that isn't nLockTime'd at least N >>> blocks >>> beyond the present tip. >>> >>> Luke >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists•linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> >> > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > [-- Attachment #2: Type: text/html, Size: 6388 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-03 18:16 [bitcoin-dev] BIP clearing house addresses Matthew Roberts ` (2 preceding siblings ...) 2016-08-04 3:27 ` Luke Dashjr @ 2016-08-06 10:39 ` s7r 2016-08-06 11:13 ` Tier Nolan 3 siblings, 1 reply; 16+ messages in thread From: s7r @ 2016-08-06 10:39 UTC (permalink / raw) To: bitcoin-dev [-- Attachment #1.1: Type: text/plain, Size: 4152 bytes --] Hi, I can clearly see some advantages for such a feature, but it's kind of in conflict with Bitcoin's fundamental design. This design might be problematic when it comes to hacks/thefts, but it's what gives Bitcoin strength and make it differentiate from other currencies: * reversal of transactions is impossible * keep private keys private and safe. Lose them, it's like losing cash, you can just forget about it. * while we try hard to make 0-conf as safe as possible (if there's no RBF flag on the transaction), we make it almost impossible or very very expensive to reverse a confirmed transaction. Also, we don't have a clear way to properly decide a good settlement period length. It doesn't fix the problem any more than nLockTime fixes it -- you can't know ahead of time when a withdraw needs to be made. Fair enough, but even if the withdraw is made with a settlement layer, will the user be able to spend it further immediately? Who will accept such an input and treat it as a payment if it can be reversed during the settlement layer? So, if you can't know ahead of time when a withdraw needs to be made (nLockTime) how can you know ahead of time+settlement period when a transaction needs to be declared irrevocable? The linked page describes that merchants will never accept payments from 'vaults', and it will take 24 hours for coins to be irreversible moved outside the 'vault'. This covers the part "is the user able to spend a transaction with settlement layer" but it has security properties equal to nLockTime = 24 hours - you can't benefit and use the coins immediately and in 24 hours price might go up or down in an undesirable way for a certain user. It however raises a lot of other questions: what if the attacker manages to steal both the private key and vault key (we have strong reasons to assume this can happen: if you can't keep a private key safe, why would you be able to keep the vault key any safer?) and starts a race with the actual user to unlock and lock back the vault? I think this is a wrong approach. hacks and big losses are sad, but all the time users / exchanges are to blame for wrong implementations or terrible security practices. Thanks! On 8/3/2016 9:16 PM, Matthew Roberts via bitcoin-dev wrote: > In light of the recent hack: what does everyone think of the idea of > creating a new address type that has a reversal key and settlement layer > that can be used to revoke transactions? > > You could specify so that transactions "sent" from these addresses must > receive N confirmations before they can't be revoked, after which the > transaction is "settled" and the coins become redeemable from their > destination output. A settlement phase would also mean that a > transaction's progress was publicly visible so transparent fraud > prevention and auditing would become possible by anyone. > > The reason why I bring this up is existing OP codes and TX types don't > seem suitable for a secure clearing mechanism; Nlocktimed TXs won't work > for this since you can't know ahead of time when and where a withdrawal > needs to be made, plus there's still the potential for key > mismanagement; Similar problems with OP_CHECKLOCKTIMEVERIFY apply too – > unless you keep a private key around on the server which would defeat > the purpose. The main use case here, would be specifically to improve > centralized exchange security by making it impossible for a hot wallet > to be raided all at once. > > Thoughts? > > Some existing background: > > http://hackingdistributed.com/2016/08/03/how-bitfinex-heist-could-have-been-avoided/ > -- Proposed the basic idea for a time-based clearing house but using > blockchains directly, this is a much better idea than my own. > > roberts.pm/timechain <http://roberts.pm/timechain> -- My original paper > written in 2015 which proposed a similar idea for secure wallet design > but implemented using time-locked ECDSA keys. Obviously a blockchain > would work better for this. > > Other -- if the idea has already been brought up by other people, I > apologize. > [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 488 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-06 10:39 ` s7r @ 2016-08-06 11:13 ` Tier Nolan 2016-08-07 5:35 ` Matthew Roberts 0 siblings, 1 reply; 16+ messages in thread From: Tier Nolan @ 2016-08-06 11:13 UTC (permalink / raw) To: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2432 bytes --] On Sat, Aug 6, 2016 at 11:39 AM, s7r via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > * reversal of transactions is impossible > I think it would be more accurate to say that the requirement is that reversal doesn't happen unexpectedly. If it is clear in the script that reversal is possible, then obviously the recipient can take that into consideration. > * keep private keys private and safe. Lose them, it's like losing cash, > you can just forget about it. > Key management is a thing. Managing risk by keeping some keys offline is an important part of that. > * while we try hard to make 0-conf as safe as possible (if there's no > RBF flag on the transaction), we make it almost impossible or very very > expensive to reverse a confirmed transaction. > BitGo has an "instant" system where they promise to only sign one transaction for a given output. If you trust BitGo, then this is safe from double spending, since a double spender can't sign two transactions. If BitGo had actually implemented a daily withdrawal limit, then their system ends up similar to cold storage. Only 10% of the funds at Bitfinex could have been withdrawn before manual intervention was required (with offline keys). Who will accept > such an input and treat it as a payment if it can be reversed during the > settlement layer? Obviously, if a payment is reversible, then you treat it as a reversible payment. The protection here relates to moving coins from the equivalent of cold storage to hot storage. It is OK if it takes longer, since security is more important than convenience for coins in cold storage. > The linked page describes that merchants will never accept payments from > 'vaults', and it will take 24 hours for coins to be irreversible moved > outside the 'vault'. This relates to the reserves held by the exchange. A portion of the funds are in hot storage with live keys. These funds can be stolen by anyone who gets access to the servers. The remaining funds are held in cold storage and they cannot be accessed unless you have the offline keys. These funds are supposed to be hard to reach and require manual intervention. I think this is a wrong approach. hacks and big losses are sad, but all > the time users / exchanges are to blame for wrong implementations or > terrible security practices. > Setting up offline keys to act as firebreaks is part of good security practices. [-- Attachment #2: Type: text/html, Size: 3678 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-06 11:13 ` Tier Nolan @ 2016-08-07 5:35 ` Matthew Roberts 2016-08-07 22:59 ` Erik Aronesty 0 siblings, 1 reply; 16+ messages in thread From: Matthew Roberts @ 2016-08-07 5:35 UTC (permalink / raw) To: Tier Nolan, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 7222 bytes --] I'm wondering if we're fully on the same page here. What I was thinking was that this protection mechanism would be applied to the coins in the hot wallet (I wasn't talking about moving coins from the cold wallet to the hot wallet -- though such a mechanism is also needed.) With the hot wallet you would have an output script that only allowed coins to be sent to a new transaction whose output script was then only redeemable after N confirmations (the output is relative time-locked) but which can also be recovered to a fixed fail-safe address before the time-lock is reached (exactly like TierNolan already listed only the time-locked destination shouldn't be completely fixed.) So the private key for this hot wallet can still sign valid transactions to withdraw coins to any known destination and these transactions still reach the blockchain. The key difference from a regular transaction is that the destination only has access to the coins -after- the relative time-lock is reached (N blocks after first confirm) so everyone knows where withdrawals are suppose to be going and how many coins are being withdrawn at any given time. Deposits to the hot wallet would therefore need to be encumbered by the same protection so that from then on this time-lock to redeem coins can be applied to every new transaction trying to move coins (withdrawn by a user of the exchange or sent to the cold wallet.) Notice we don't care about the destination in the TX script for the hot wallet because to process user's withdrawals we can't know ahead of time where they need to be sent (so it isn't possible to use a fixed address here – though you might want to remove the clearing phase and set a fixed address for coins sent from the hot wallet to the cold wallet.) The benefit here comes from being able to see what withdrawals are being cleared, matching those up to our expectations, and being able to "cancel" withdrawals if they look suspicious, and you get the benefits for transfers made from the hot wallet to the cold wallet and visa-versa. This approach is good for a number of crucial services: 1. Wallets could be built that grouped coins into different "accounts" with different time-frames required for clearing / unlocking coins. Your savings or investment account would say -- take up to a week to clear -- whereas your everyday account used for smaller purchases (with less money) would only take a few hours. This could all be linked up to services that notified you of your money being moved + made any phone calls needed to verify any larger transfers. The service could also be entrusted with the “cancellation” key which can only be used to move money to your offline fail-safe address. This would be quite an interesting way to mitigate fraud without the user having to be trusted to do anything (except I suppose – not storing their recovery keys online … but this could be partially solved with BIP 32-style “master” public keys + hardware wallets + multi-sig, N factor auth, etc ...) 2. Gambling websites that process a lot of Bitcoins also have a hot wallet which could be better protected by this. 3. Various other e-commerce websites also accept Bitcoins directly. (Deep web markets come to mind -- hey, people breaking the law need good security too.) 4. Provable dead man's switches on the protocol level is another idea -- no need to keep special time-locked transactions around and rely on them to be broadcast = more reliable escrow services. 5. And obviously exchange hot (and cold) wallets - enemy number 1. I hope that makes sense. I think I initially managed to confuse a lot of people by talking about revoking transactions / “settlement layers”, etc. But IMO: all of this needs to take place on the blockchain with a new set of OP_CODES and other than the fixed address issue with OP_SPENDTO, I think the general idea would still work. tl; dr, A pseudo-reversal mechanism for transactions would mean that stolen private keys were no longer such an issue. This is desperately needed for exchanges, wallets, and other services that are forced to manage private keys, and whose users (I argue) already expect for this to be possible (or at least will when they're hacked.) On Sat, Aug 6, 2016 at 9:13 PM, Tier Nolan via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > On Sat, Aug 6, 2016 at 11:39 AM, s7r via bitcoin-dev <bitcoin-dev@lists. > linuxfoundation.org> wrote: > >> * reversal of transactions is impossible >> > > I think it would be more accurate to say that the requirement is that > reversal doesn't happen unexpectedly. > > If it is clear in the script that reversal is possible, then obviously the > recipient can take that into consideration. > > >> * keep private keys private and safe. Lose them, it's like losing cash, >> you can just forget about it. >> > > Key management is a thing. Managing risk by keeping some keys offline is > an important part of that. > > >> * while we try hard to make 0-conf as safe as possible (if there's no >> RBF flag on the transaction), we make it almost impossible or very very >> expensive to reverse a confirmed transaction. >> > > BitGo has an "instant" system where they promise to only sign one > transaction for a given output. If you trust BitGo, then this is safe from > double spending, since a double spender can't sign two transactions. > > If BitGo had actually implemented a daily withdrawal limit, then their > system ends up similar to cold storage. Only 10% of the funds at Bitfinex > could have been withdrawn before manual intervention was required (with > offline keys). > > Who will accept >> such an input and treat it as a payment if it can be reversed during the >> settlement layer? > > > Obviously, if a payment is reversible, then you treat it as a reversible > payment. The protection here relates to moving coins from the equivalent > of cold storage to hot storage. > > It is OK if it takes longer, since security is more important than > convenience for coins in cold storage. > > >> The linked page describes that merchants will never accept payments from >> 'vaults', and it will take 24 hours for coins to be irreversible moved >> outside the 'vault'. > > > This relates to the reserves held by the exchange. A portion of the funds > are in hot storage with live keys. These funds can be stolen by anyone who > gets access to the servers. The remaining funds are held in cold storage > and they cannot be accessed unless you have the offline keys. These funds > are supposed to be hard to reach and require manual intervention. > > I think this is a wrong approach. hacks and big losses are sad, but all >> the time users / exchanges are to blame for wrong implementations or >> terrible security practices. >> > > Setting up offline keys to act as firebreaks is part of good security > practices. > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > [-- Attachment #2: Type: text/html, Size: 9540 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-07 5:35 ` Matthew Roberts @ 2016-08-07 22:59 ` Erik Aronesty 2016-08-08 0:48 ` Matthew Roberts 0 siblings, 1 reply; 16+ messages in thread From: Erik Aronesty @ 2016-08-07 22:59 UTC (permalink / raw) To: Matthew Roberts, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 8788 bytes --] I still feel like you're better off getting rid of "hot wallets" and use lightning-esqe networks to route orders. I don't think either speed or flexibility is an issue there. IMO, the point of Bitcoin is to avoid the centralization that seems to be happening on the network now. By making "hot wallets" more "secure", we encourage things to keep heading downhill with massive centralized crappy-security exchanges. Because, ultimately, there's no security that will prevent an inside job. And all of these thefts have, in my opinion, been at least partly inside jobs. And centralization is the actually demon that needs slaying here. A client-side library with P2P order routing, tether.to + bitcoin .... and you've got a decentralized exchange... with orders matched to users directly, and channel-trades executed instantly. And "market makers" running nodes to facilitate routing, etc. No center... nothing to shut down or sue... and no one holds your funds. That's a real Bitcoin exchange. On Sun, Aug 7, 2016 at 1:35 AM, Matthew Roberts via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > I'm wondering if we're fully on the same page here. What I was thinking > was that this protection mechanism would be applied to the coins in the hot > wallet (I wasn't talking about moving coins from the cold wallet to the hot > wallet -- though such a mechanism is also needed.) > > With the hot wallet you would have an output script that only allowed > coins to be sent to a new transaction whose output script was then only > redeemable after N confirmations (the output is relative time-locked) but > which can also be recovered to a fixed fail-safe address before the > time-lock is reached (exactly like TierNolan already listed only the > time-locked destination shouldn't be completely fixed.) So the private key > for this hot wallet can still sign valid transactions to withdraw coins to > any known destination and these transactions still reach the blockchain. > > The key difference from a regular transaction is that the destination only > has access to the coins -after- the relative time-lock is reached (N blocks > after first confirm) so everyone knows where withdrawals are suppose to be > going and how many coins are being withdrawn at any given time. Deposits to > the hot wallet would therefore need to be encumbered by the same protection > so that from then on this time-lock to redeem coins can be applied to every > new transaction trying to move coins (withdrawn by a user of the exchange > or sent to the cold wallet.) > > Notice we don't care about the destination in the TX script for the hot > wallet because to process user's withdrawals we can't know ahead of time > where they need to be sent (so it isn't possible to use a fixed address > here – though you might want to remove the clearing phase and set a fixed > address for coins sent from the hot wallet to the cold wallet.) The benefit > here comes from being able to see what withdrawals are being cleared, > matching those up to our expectations, and being able to "cancel" > withdrawals if they look suspicious, and you get the benefits for transfers > made from the hot wallet to the cold wallet and visa-versa. > > > This approach is good for a number of crucial services: > > 1. Wallets could be built that grouped coins into different "accounts" > with different time-frames required for clearing / unlocking coins. Your > savings or investment account would say -- take up to a week to clear -- > whereas your everyday account used for smaller purchases (with less money) > would only take a few hours. This could all be linked up to services that > notified you of your money being moved + made any phone calls needed to > verify any larger transfers. > > The service could also be entrusted with the “cancellation” key which can > only be used to move money to your offline fail-safe address. This would be > quite an interesting way to mitigate fraud without the user having to be > trusted to do anything (except I suppose – not storing their recovery keys > online … but this could be partially solved with BIP 32-style “master” > public keys + hardware wallets + multi-sig, N factor auth, etc ...) > > 2. Gambling websites that process a lot of Bitcoins also have a hot wallet > which could be better protected by this. > > 3. Various other e-commerce websites also accept Bitcoins directly. (Deep > web markets come to mind -- hey, people breaking the law need good security > too.) > > 4. Provable dead man's switches on the protocol level is another idea -- > no need to keep special time-locked transactions around and rely on them to > be broadcast = more reliable escrow services. > > 5. And obviously exchange hot (and cold) wallets - enemy number 1. > > I hope that makes sense. I think I initially managed to confuse a lot of > people by talking about revoking transactions / “settlement layers”, etc. > But IMO: all of this needs to take place on the blockchain with a new set > of OP_CODES and other than the fixed address issue with OP_SPENDTO, I think > the general idea would still work. > > > tl; dr, A pseudo-reversal mechanism for transactions would mean that > stolen private keys were no longer such an issue. This is desperately > needed for exchanges, wallets, and other services that are forced to manage > private keys, and whose users (I argue) already expect for this to be > possible (or at least will when they're hacked.) > > > > > On Sat, Aug 6, 2016 at 9:13 PM, Tier Nolan via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> On Sat, Aug 6, 2016 at 11:39 AM, s7r via bitcoin-dev < >> bitcoin-dev@lists•linuxfoundation.org> wrote: >> >>> * reversal of transactions is impossible >>> >> >> I think it would be more accurate to say that the requirement is that >> reversal doesn't happen unexpectedly. >> >> If it is clear in the script that reversal is possible, then obviously >> the recipient can take that into consideration. >> >> >>> * keep private keys private and safe. Lose them, it's like losing cash, >>> you can just forget about it. >>> >> >> Key management is a thing. Managing risk by keeping some keys offline is >> an important part of that. >> >> >>> * while we try hard to make 0-conf as safe as possible (if there's no >>> RBF flag on the transaction), we make it almost impossible or very very >>> expensive to reverse a confirmed transaction. >>> >> >> BitGo has an "instant" system where they promise to only sign one >> transaction for a given output. If you trust BitGo, then this is safe from >> double spending, since a double spender can't sign two transactions. >> >> If BitGo had actually implemented a daily withdrawal limit, then their >> system ends up similar to cold storage. Only 10% of the funds at Bitfinex >> could have been withdrawn before manual intervention was required (with >> offline keys). >> >> Who will accept >>> such an input and treat it as a payment if it can be reversed during the >>> settlement layer? >> >> >> Obviously, if a payment is reversible, then you treat it as a reversible >> payment. The protection here relates to moving coins from the equivalent >> of cold storage to hot storage. >> >> It is OK if it takes longer, since security is more important than >> convenience for coins in cold storage. >> >> >>> The linked page describes that merchants will never accept payments from >>> 'vaults', and it will take 24 hours for coins to be irreversible moved >>> outside the 'vault'. >> >> >> This relates to the reserves held by the exchange. A portion of the >> funds are in hot storage with live keys. These funds can be stolen by >> anyone who gets access to the servers. The remaining funds are held in >> cold storage and they cannot be accessed unless you have the offline keys. >> These funds are supposed to be hard to reach and require manual >> intervention. >> >> I think this is a wrong approach. hacks and big losses are sad, but all >>> the time users / exchanges are to blame for wrong implementations or >>> terrible security practices. >>> >> >> Setting up offline keys to act as firebreaks is part of good security >> practices. >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> >> > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > [-- Attachment #2: Type: text/html, Size: 11634 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-07 22:59 ` Erik Aronesty @ 2016-08-08 0:48 ` Matthew Roberts 2016-08-08 9:56 ` Tier Nolan 2016-08-08 10:09 ` Erik Aronesty 0 siblings, 2 replies; 16+ messages in thread From: Matthew Roberts @ 2016-08-08 0:48 UTC (permalink / raw) To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 10243 bytes --] Not everyone who uses centralized exchanges are there to obtain the currency though. A large portion are speculators who need to be able to enter and exit complex positions in milliseconds and don't care about decentralization, security, and often even the asset that they're buying. Try telling everyone who currently uses Btc-e to go do their margin trading over lightning channels, for example. They're not going to want to do that because these exchanges are already meeting their needs perfectly well, and like I argued before -- it would be very hard to do that as efficiently with any other design (there are major drawbacks for traders with a decentralized exchange.) Like it or not, these exchanges play an integral role in the current Bitcoin eco-system since they allow us to most efficiently discover price and help improve liquidity. A decentralized exchange isn't going to stop any more centralized exchanges from being hacked even if they are more secure simply because traders don't want to use them. (Sorry for the duplicate message Erik, I haven't used many mailing lists before. I think I have the hang of it now though :) ) On Mon, Aug 8, 2016 at 8:59 AM, Erik Aronesty <erik@q32•com> wrote: > I still feel like you're better off getting rid of "hot wallets" and use > lightning-esqe networks to route orders. I don't think either speed or > flexibility is an issue there. > > IMO, the point of Bitcoin is to avoid the centralization that seems to be > happening on the network now. By making "hot wallets" more "secure", we > encourage things to keep heading downhill with massive centralized > crappy-security exchanges. > > Because, ultimately, there's no security that will prevent an inside > job. And all of these thefts have, in my opinion, been at least partly > inside jobs. > > And centralization is the actually demon that needs slaying here. > > A client-side library with P2P order routing, tether.to + bitcoin .... > and you've got a decentralized exchange... with orders matched to users > directly, and channel-trades executed instantly. And "market makers" > running nodes to facilitate routing, etc. > > No center... nothing to shut down or sue... and no one holds your funds. > That's a real Bitcoin exchange. > > > > On Sun, Aug 7, 2016 at 1:35 AM, Matthew Roberts via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> I'm wondering if we're fully on the same page here. What I was thinking >> was that this protection mechanism would be applied to the coins in the hot >> wallet (I wasn't talking about moving coins from the cold wallet to the hot >> wallet -- though such a mechanism is also needed.) >> >> With the hot wallet you would have an output script that only allowed >> coins to be sent to a new transaction whose output script was then only >> redeemable after N confirmations (the output is relative time-locked) but >> which can also be recovered to a fixed fail-safe address before the >> time-lock is reached (exactly like TierNolan already listed only the >> time-locked destination shouldn't be completely fixed.) So the private key >> for this hot wallet can still sign valid transactions to withdraw coins to >> any known destination and these transactions still reach the blockchain. >> >> The key difference from a regular transaction is that the destination >> only has access to the coins -after- the relative time-lock is reached (N >> blocks after first confirm) so everyone knows where withdrawals are suppose >> to be going and how many coins are being withdrawn at any given time. >> Deposits to the hot wallet would therefore need to be encumbered by the >> same protection so that from then on this time-lock to redeem coins can be >> applied to every new transaction trying to move coins (withdrawn by a user >> of the exchange or sent to the cold wallet.) >> >> Notice we don't care about the destination in the TX script for the hot >> wallet because to process user's withdrawals we can't know ahead of time >> where they need to be sent (so it isn't possible to use a fixed address >> here – though you might want to remove the clearing phase and set a fixed >> address for coins sent from the hot wallet to the cold wallet.) The benefit >> here comes from being able to see what withdrawals are being cleared, >> matching those up to our expectations, and being able to "cancel" >> withdrawals if they look suspicious, and you get the benefits for transfers >> made from the hot wallet to the cold wallet and visa-versa. >> >> >> This approach is good for a number of crucial services: >> >> 1. Wallets could be built that grouped coins into different "accounts" >> with different time-frames required for clearing / unlocking coins. Your >> savings or investment account would say -- take up to a week to clear -- >> whereas your everyday account used for smaller purchases (with less money) >> would only take a few hours. This could all be linked up to services that >> notified you of your money being moved + made any phone calls needed to >> verify any larger transfers. >> >> The service could also be entrusted with the “cancellation” key which can >> only be used to move money to your offline fail-safe address. This would be >> quite an interesting way to mitigate fraud without the user having to be >> trusted to do anything (except I suppose – not storing their recovery keys >> online … but this could be partially solved with BIP 32-style “master” >> public keys + hardware wallets + multi-sig, N factor auth, etc ...) >> >> 2. Gambling websites that process a lot of Bitcoins also have a hot >> wallet which could be better protected by this. >> >> 3. Various other e-commerce websites also accept Bitcoins directly. (Deep >> web markets come to mind -- hey, people breaking the law need good security >> too.) >> >> 4. Provable dead man's switches on the protocol level is another idea -- >> no need to keep special time-locked transactions around and rely on them to >> be broadcast = more reliable escrow services. >> >> 5. And obviously exchange hot (and cold) wallets - enemy number 1. >> >> I hope that makes sense. I think I initially managed to confuse a lot of >> people by talking about revoking transactions / “settlement layers”, etc. >> But IMO: all of this needs to take place on the blockchain with a new set >> of OP_CODES and other than the fixed address issue with OP_SPENDTO, I think >> the general idea would still work. >> >> >> tl; dr, A pseudo-reversal mechanism for transactions would mean that >> stolen private keys were no longer such an issue. This is desperately >> needed for exchanges, wallets, and other services that are forced to manage >> private keys, and whose users (I argue) already expect for this to be >> possible (or at least will when they're hacked.) >> >> >> >> >> On Sat, Aug 6, 2016 at 9:13 PM, Tier Nolan via bitcoin-dev < >> bitcoin-dev@lists•linuxfoundation.org> wrote: >> >>> On Sat, Aug 6, 2016 at 11:39 AM, s7r via bitcoin-dev < >>> bitcoin-dev@lists•linuxfoundation.org> wrote: >>> >>>> * reversal of transactions is impossible >>>> >>> >>> I think it would be more accurate to say that the requirement is that >>> reversal doesn't happen unexpectedly. >>> >>> If it is clear in the script that reversal is possible, then obviously >>> the recipient can take that into consideration. >>> >>> >>>> * keep private keys private and safe. Lose them, it's like losing cash, >>>> you can just forget about it. >>>> >>> >>> Key management is a thing. Managing risk by keeping some keys offline >>> is an important part of that. >>> >>> >>>> * while we try hard to make 0-conf as safe as possible (if there's no >>>> RBF flag on the transaction), we make it almost impossible or very very >>>> expensive to reverse a confirmed transaction. >>>> >>> >>> BitGo has an "instant" system where they promise to only sign one >>> transaction for a given output. If you trust BitGo, then this is safe from >>> double spending, since a double spender can't sign two transactions. >>> >>> If BitGo had actually implemented a daily withdrawal limit, then their >>> system ends up similar to cold storage. Only 10% of the funds at Bitfinex >>> could have been withdrawn before manual intervention was required (with >>> offline keys). >>> >>> Who will accept >>>> such an input and treat it as a payment if it can be reversed during the >>>> settlement layer? >>> >>> >>> Obviously, if a payment is reversible, then you treat it as a reversible >>> payment. The protection here relates to moving coins from the equivalent >>> of cold storage to hot storage. >>> >>> It is OK if it takes longer, since security is more important than >>> convenience for coins in cold storage. >>> >>> >>>> The linked page describes that merchants will never accept payments from >>>> 'vaults', and it will take 24 hours for coins to be irreversible moved >>>> outside the 'vault'. >>> >>> >>> This relates to the reserves held by the exchange. A portion of the >>> funds are in hot storage with live keys. These funds can be stolen by >>> anyone who gets access to the servers. The remaining funds are held in >>> cold storage and they cannot be accessed unless you have the offline keys. >>> These funds are supposed to be hard to reach and require manual >>> intervention. >>> >>> I think this is a wrong approach. hacks and big losses are sad, but all >>>> the time users / exchanges are to blame for wrong implementations or >>>> terrible security practices. >>>> >>> >>> Setting up offline keys to act as firebreaks is part of good security >>> practices. >>> >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists•linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> >>> >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> >> > [-- Attachment #2: Type: text/html, Size: 13371 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-08 0:48 ` Matthew Roberts @ 2016-08-08 9:56 ` Tier Nolan 2016-08-08 10:09 ` Erik Aronesty 1 sibling, 0 replies; 16+ messages in thread From: Tier Nolan @ 2016-08-08 9:56 UTC (permalink / raw) Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 1357 bytes --] On Mon, Aug 8, 2016 at 1:48 AM, Matthew Roberts <matthew@roberts•pm> wrote: > Not everyone who uses centralized exchanges are there to obtain the > currency though. A large portion are speculators who need to be able to > enter and exit complex positions in milliseconds and don't care about > decentralization, security, and often even the asset that they're buying. > Centralized exchanges also allow for things like limit orders. You don't even have to be logged in and they can execute trades. This couldn't be done with channels. > Try telling everyone who currently uses Btc-e to go do their margin > trading over lightning channels, for example. > Using channels and a centralized exchange gets many of the benefits of a distributed exchange. The channel allows instant funding while allowing the customer to have full control over the funds. The customer could fund the channel and then move money to the exchange when needed. Even margin account holders might like the fact that it is clear which funds are under their direct control and which funds are held by the exchange. If they are using bitcoin funds as collateral for a margin trade, then inherently the exchange has to have control over those funds. A 2 of 3 system where the customer, exchange and a 3rd party arbitration agency holds keys might be acceptable to the exchange. [-- Attachment #2: Type: text/html, Size: 2046 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-08 0:48 ` Matthew Roberts 2016-08-08 9:56 ` Tier Nolan @ 2016-08-08 10:09 ` Erik Aronesty 2016-08-08 11:01 ` Tier Nolan 1 sibling, 1 reply; 16+ messages in thread From: Erik Aronesty @ 2016-08-08 10:09 UTC (permalink / raw) To: Matthew Roberts; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 210 bytes --] I'm not convinced you need to hold people's funds to provide those features. Maybe the millisecond thing. But 99 out of 100 traders would accept a 100 millisecond latency in exchange for 0 counterparty risk. [-- Attachment #2: Type: text/html, Size: 238 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] BIP clearing house addresses 2016-08-08 10:09 ` Erik Aronesty @ 2016-08-08 11:01 ` Tier Nolan 0 siblings, 0 replies; 16+ messages in thread From: Tier Nolan @ 2016-08-08 11:01 UTC (permalink / raw) Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 864 bytes --] With channels and the exchange acting as hub, you can do instant trades between altcoins. This doesn't work with fiat accounts. A "100% reserve" company could issue fiat tokens. The exchange could then trade those tokens. This eliminates the counter-party risk for the exchange. If the exchange dies, you still have your (alt)coins and also fiat tokens. There is still risk that the token company could go bankrupt though. This could be mitigated by that company requiring only "cashing out" tokens to accounts which have been verified. The company could set up a blockchain where it signed the blocks rather than mining and could get money from transaction fees and also minting fees (say it charges 1% for minting new tokens) I wonder what how the law would work for that. It isn't actually doing trading, it is just issuing tokens and redeeming them. [-- Attachment #2: Type: text/html, Size: 1030 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2016-08-08 11:02 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-08-03 18:16 [bitcoin-dev] BIP clearing house addresses Matthew Roberts 2016-08-03 21:13 ` Troy Benjegerdes 2016-08-03 23:55 ` Tier Nolan 2016-08-04 2:07 ` Matthew Roberts 2016-08-04 3:27 ` Luke Dashjr 2016-08-04 3:49 ` Andrew Johnson 2016-08-04 4:53 ` Matthew Roberts 2016-08-04 12:43 ` Erik Aronesty 2016-08-06 10:39 ` s7r 2016-08-06 11:13 ` Tier Nolan 2016-08-07 5:35 ` Matthew Roberts 2016-08-07 22:59 ` Erik Aronesty 2016-08-08 0:48 ` Matthew Roberts 2016-08-08 9:56 ` Tier Nolan 2016-08-08 10:09 ` Erik Aronesty 2016-08-08 11:01 ` Tier Nolan
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox