From: Runchao Han <runchao.han@monash•edu>
To: Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>,
ZmnSCPxj <ZmnSCPxj@protonmail•com>
Cc: "jiangshan.yu@monash•edu" <jiangshan.yu@monash•edu>
Subject: Re: [bitcoin-dev] OP_LOOKUP_OUTPUT proposal
Date: Sat, 10 Aug 2019 23:01:41 +1000 [thread overview]
Message-ID: <CABnocSBSKsmWeRCOZE6DHwPXc2rucQGkHvjd+wJ+9JAJOT5=QQ@mail.gmail.com> (raw)
In-Reply-To: <aJ7usJIj2_reg-36SKEUDRApK8AhsIm2esl-I1CJSxs8cZACAmuR0X1bBNDK_zlDOUlzUWD2n2pCnbYx20Jg8kvAyryKZ9mqe0OH2J0QivY=@protonmail.com>
[-- Attachment #1: Type: text/plain, Size: 9560 bytes --]
If I remember it right, Alice first signs the WJT transaction, sends it to
Bob, then Bob signs it and makes this transaction valid.
If so, there are two problems.
First, Bob gets the valid tx first, and he can choose not to send it to
Alice.
Second, even if Bob honestly sends Alice this tx, Alice cannot fully
control when to broadcast this to, as Bob also has this transaction.
If Bob first signs then Alice signs, Alice still has optionality, as she
can choose whether to publish this tx and preimage.
Runchao
On Sat, Aug 10, 2019 at 10:50 PM ZmnSCPxj <ZmnSCPxj@protonmail•com> wrote:
> Good morning Runchao,
>
>
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Saturday, August 10, 2019 1:44 PM, Runchao Han <runchao.han@monash•edu>
> wrote:
>
> > Hi ZmnSCPxj,
> >
> > Thanks for your reply.
> >
> > I agree with your opinions about OP_LOOKUP_OUTPUT.
> > Indeed, the pruning mechanism renders this opcode unrealistic for some
> nodes. Also, the execution of OP_LOOKUP_OUTPUT depends on the time of
> verifying this tx.
> >
> > However, I’m concerning of some security issues of your mentioned
> protocol (Alice pays the premium contingently on Bob participating).
> > If I understand it right, Alice and Bob should create a payment channel,
> and mutually construct the funding transaction that “Alice pays Bob 10,000
> WJT; Bob hash-timelocked pays Alice 1,000,000WJT”, where the time lock is
> T+24.
> > Here, Bob is responsible for broadcasting this tx after confirming
> Alice’s funding transaction on BTC blockchain.
>
> No, Bob is not.
>
> The signature exchange for the WJT-side funding tx is done by:
>
> 1. Alice waits for Bob to provide all its signatures for inputs that will
> fund the 1,000,000 WJT payout.
> 2. Alice signs its inputs that will fund the 10,000 WJT premium.
> 3. Alice broadacasts the completely signed funding tx.
>
> Alice is the one responsible for broadcasting the funding tx.
>
> If Bob stalls, it is not a Bob side option (i.e. Bob cannot stall then
> continue the protocol when the exchange rate moves to its favor) as Alice
> can refuse to sign and broadcast the funding tx once it has decided Bob is
> trolling it, thus Bob cannot force Alice to perform.
>
> If Alice stalls, Bob can double-spend one of its inputs at a low feerate.
> This either aborts the protocol, or if Alice then broadcasts the funding
> tx at the pre-agreed feerate and it is confirmed, the premium is now
> already paid to Bob.
>
> Regards,
> ZmnSCPxj
>
> > In this case, Bob can arbitrage by broadcasting this tx after T+24. In
> this way, Bob receives the 10,000WJT, but Alice cannot redeem 1,000,000WJT
> anymore.
> > If the premium (10,000WJT) is also hash-timelocked, Alice can keep
> unraveling the preimage, which makes the atomic swap still premium-free.
> >
> > In the original atomic swap, Bob is incentivised to broadcast his
> funding transaction, otherwise he may miss the opportunity to redeem
> Alice’s asset.
> > Also, Alice will lose nothing regardless of how Bob behaves, because
> Alice locks all her money by hashlock.
> > However, Alice cannot lock the premium using hashlock. This gives Bob
> opportunity to arbitrage Alice’s premium.
> >
> > What is implied here is that, where the premium should go strictly
> depends on where Bob’s asset goes.
> > If the Bitcoin’s timelock can be “relative” (e.g. the timestamp can be
> x+24 where x is the timestamp of the block with this transaction), I think
> this protocol works.
> > Unfortunately, the “x” here is also an external state according to your
> definition.
> >
> > In conclusion, I believe your comments on OP_LOOKUP_OUTPUT reasonable,
> but cannot make sure if the premium mechanism can be implemented by using
> HTLCs.
> >
> > Thanks,
> > Runchao
> >
> > > On 10 Aug 2019, at 12:29 am, ZmnSCPxj ZmnSCPxj@protonmail•com wrote:
> > > Good morning Haoyu LIN et al.,
> > >
> > > > We have investigated this problem in very detail. We analysed how
> profitable the arbitrage can be given the default timelock setting (24/48
> hrs). Our result shows that the profit can be approximately 1% ~ 2.3%,
> which is non-negligible compared with 0.3% for stock market. This can be
> attractive as it's totally risk-free. Please refer to our paper
> https://eprint.iacr.org/2019/896, and the related code
> https://github.com/HAOYUatHZ/fair-atomic-swap if interested.
> > > > Several studies have proposed for solving this problem e.g.,
> http://diyhpl.us/wiki/transcripts/scalingbitcoin/tokyo-2018/atomic-swaps/
> and https://coblox.tech/docs/financial_crypto19.pdf. Their basic idea is
> that, the transaction for the premium needs to be locked with the same
> secret hash but with a flipped payout, i.e. when redeemed with the secret,
> the money goes back to Alice and after timelock, the premium goes to Bob as
> a compensation for Alice not revealing the secret. However, this introduces
> a new problem: Bob can get the premium without paying anything, by never
> participating in.
> > > > To solve this, the transaction verifier needs to know the status of
> an dependent transaction. Unfortunately, Bitcoin does not support the
> stateful transaction functionalities. Therefore, we propose the new opcode:
> OP_LOOKUP_OUTPUT. It takes the id of an output, and produces the address of
> the output’s owner. With OP_LOOKUP_OUTPUT, the Bitcoin script can decide
> whether Alice or Bob should take the premium by `<output> OP_LOOKUP_OUTPUT
> <pubkeyhash> OP_EQUALVERIFY`.
> > >
> > > I believe an unsaid principle of SCRIPT opcode design is this:
> > >
> > > - No SCRIPT opcode can look at anything that is not in the
> transaction spending from the SCRIPT.
> > >
> > > This issue underlies the previous `OP_PUBREF` proposal also.
> > > The reason for this is:
> > >
> > > - We support a pruning mode, where in only the UTXO set is retained.
> > > If `OP_LOOKUP_OUTPUT` exists, we cannot prune, as
> `OP_LOOKUP_OUTPUT` might refer to a TXO that has been spent in very early
> historical blocks.
> > >
> > > - The SCRIPT interpreter is run only once, at the time the
> transaction enters the mempool.
> > > Thus it cannot get information about the block it is in.
> > > Instead, the SCRIPT interpreter can have as input only the
> transaction that is attempting to spend the SCRIPT.
> > >
> > >
> > > In any case:
> > >
> > > > However, this introduces a new problem: Bob can get the premium
> without paying anything, by never participating in.
> > >
> > > Premium payment can be made contingent on Bob participating.
> > > Of course, it does mean the premium is paid using the destination coin.
> > > It also requires the destination coin to support SegWit.
> > > Let me explain by this:
> > >
> > > 1. Alice and Bob agree on swap parameters:
> > >
> > > - Alice will exchange 1 BTC for 1,000,000 WJT from Bob.
> > > - Alice will pay 10,000 WJT as premium to Bob.
> > > - Alice will lock BTC for 48 hours.
> > > - Bob will lock WJT for 24 hours.
> > > - The protocol will start at particular time T.
> > >
> > > 2. Alice generates a preimage+hash.
> > > 3. Alice pays 1 BTC to a HTLC with hashlock going to Bob and
> timelocked at T+48 going to Alice.
> > > 4. Alice presents above UTXO to Bob.
> > > 5. Alice reveals the WJT UTXOs to be spent to pay for the 10,000 WJT
> premium to Bob.
> > > 6. Alice and Bob generate, but do not sign, a funding transaction
> spending some of Bob coin as well as the premium coin from Alice.
> > > This pays out to 1,010,000 WJT (the value plus the premium) HTLC.
> > > The hashlock branch requires not just Alice, but also Bob.
> > > The timelock branch at T+24 just requires Bob.
> > >
> > > 7. Alice and Bob generate the claim transaction.
> > > This spends the funding transaction HTLC output and pays out
> 1,000,000 WJT to Alice and 10,000 WJT to Bob.
> > >
> > > 8. Alice and Bob sign the claim transaction.
> > > This does not allow Bob to make the claim transaction valid by
> itself as it still requires the preimage, and at this point, only Alice
> knows the preimage.
> > >
> > > 9. Alice and Bob sign the funding transaction and broadcast it.
> > > 10. Alice completes the claim transaction by adding the preimage and
> broadcasts it.
> > > 11. Bob sees the preimage on the WJT blockchain and claims the BTC
> using the preimage.
> > >
> > > If Bob stalls at step 8, then there is no way to claim the premium, as
> the funding transaction (which is the source of the claim transaction that
> pays the premium) is not valid yet.
> > > After step 9, Bob has been forced to participate and cannot back out
> and claim the premium only.
> > > This is basically this proposal:
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-January/001798.html
> > > In addition, if you really want the premium to be denominated in BTC,
> I have a more complicated ritual:
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-January/001795.html
> > > The described ritual only sets up the American Call Option, but by the
> time it has been set up, the premium has been paid already and the rest of
> the execution is claiming the American Call Option.
> > > Thus, I believe there is no need to add `OP_LOOKUP_OUTPUT`.
> > > Regards,
> > > ZmnSCPxj
>
>
>
[-- Attachment #2: Type: text/html, Size: 11392 bytes --]
next prev parent reply other threads:[~2019-08-10 13:01 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-09 13:35 Haoyu LIN
2019-08-09 14:29 ` ZmnSCPxj
2019-08-10 5:46 ` Runchao Han
[not found] ` <ADA03200-1EED-4EAD-B320-3F2034F00954@monash.edu>
2019-08-10 12:50 ` ZmnSCPxj
2019-08-10 13:01 ` Runchao Han [this message]
2019-08-12 3:19 ` Runchao Han
2019-08-12 8:05 ` ZmnSCPxj
2019-08-12 9:22 ` Lloyd Fournier
2019-08-12 10:02 ` Runchao Han
2019-08-12 13:15 ` ZmnSCPxj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CABnocSBSKsmWeRCOZE6DHwPXc2rucQGkHvjd+wJ+9JAJOT5=QQ@mail.gmail.com' \
--to=runchao.han@monash$(echo .)edu \
--cc=ZmnSCPxj@protonmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=jiangshan.yu@monash$(echo .)edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox