From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: Antoine Riard <antoine.riard@gmail•com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Detailed protocol design for routed multi-transaction CoinSwap
Date: Sat, 05 Sep 2020 02:29:18 +0000
Message-ID: <HY0TQs10f6EP6tpw4gaY4W68m1vmn7zGY2EYa_jqMEN3ofSvyQgBGGIDotcAPmRNPg7oFteTugWFOwI9avdtLN0YVOZNiF9HrxnKtycVPG0=@protonmail.com>
In-Reply-To: <CALZpt+F0LDTERsPv7nZuuc34oyCPN-gMPspfxTM5kKqz4mSJqg@mail.gmail.com>

Good morning Antoine,

> > This can be arranged by having one side offer partial signatures for the transaction of the other, and once completing the signature, not sharing it with the other until we are ready to actually broadcast the transaction of our own volition.
> > There is no transaction that both participants hold in completely-signed form
>
> I don't think that's different from the current model where you have either a valid HTLC-timeout or HTLC-Success tx to solve a HTLC output but never full witness material to build both?

It is different in that the current (actually, now *previous*) model looks like this:

    funding out -> contract tx --> HTLC-timeout
                                   OR
                                   HTLC-success

Whereas what I am describing looks like this:

    funding out -> HTLC-timeout
                   OR
                   HTLC-success

The attack being described has to do with the fact that, after private key turnover (i.e. after hash-lock resolution), the contract tx can be used to at least annoy the supposed new owner of the funding out, since the contract tx deducts fees from its input to pay for itself.
And at the end of the swap (after private key turnover) the one who funded the funding outpoint (and swapped its control for this outpoint already, for a different outpoint) can at least try to broadcast the contract tx for a *chance* that the HTLC-timeout becomes valid and it can steal the coin even after taking the swapped coin on the other side of the swap.
Chris recently described a different technique, which has different contract txes, with the contract tx held by the offerer of the HTLC (who can otherwise later annoy the acceptor of the HTLC once the HTLC has been hash-resolved) costing the offerer of the HTLC some coins if it is published after swap completion.
> > To reduce this risk, A can instead first swap A->B->A, then when that completes, A->C->A.
> This limits its funding lockup to 1 week.
>
> Okay I think I understand your point. So by intermediating the chain with the taker you ensure that in case of previous hop failure, taker funds are only timelocked for the delta of this faulting hop not the whole route. But still not anchoring onchain the next route segment means that any moment the next maker can exit from the proposed position?
>
> That's interesting, so a) you require all takers to lock their funds onchain before initiating the whole routing and you will pay more in service fees or b) you only lock them step by step but you increase risk of next hop default and thus latency. Roughly.
>
> It might be an interesting construction to explore on its own, minus the downside of producing weird spend patterns due to next hop maker bidding with another party.
>
Correct, a taker can pay higher fees for lots of smaller swaps that reduce its lockup risk, or pay less (with similar privacy bought) but with greater total lockup risk.
Regards,
ZmnSCPxj