public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Chris Belcher <belcher@riseup•net>
To: bitcoin-dev@lists•linuxfoundation.org
Subject: Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Date: Tue, 2 Jun 2020 23:24:19 +0100	[thread overview]
Message-ID: <cbf78f63-cf8c-c5d8-06ea-afc79aabc23c@riseup.net> (raw)
In-Reply-To: <VxL93WE7bDrK1riquTWTTEgJj9mDQ4W5CuhOgdnnDPeidw2ho6evVh4cLZLz0jEYMqejaD1tiLULVTXkNRbI5A7wSwV49qSwnXcTWCDJ96E=@protonmail.com>

Hello ZmnSCPxj,

On 31/05/2020 03:30, ZmnSCPxj via bitcoin-dev wrote:
> Good morning Ruben and Chris,

> I am not in fact convinced that PayJoin-with-CoinSwap adds *that* much privacy.
> 
> These transactions:
> 
>              +---+  +---+
>     Alice ---|   |--|   |--- Bob
>     Alice ---|   |  |   |
>       Bob ---|   |  +---+
>              +---+
> 
> Are not really much different in coin ownership analysis from these:
> 
>              +---+    +---+
>     Alice ---|   |----|   |--- Bob
>     Alice ---|   | +--|   |
>              +---+ |  +---+
>       Bob ---------+

The main benefit of PayJoin-with-CoinSwap is it breaks the
common-input-ownership heuristic, which is a major widely used
heuristic. It would be a big win if that heuristic could be broken.

PayJoin-with-CoinSwap would be useful if Alice is trying to recover some
privacy which was previously degraded, for example if she is spending
from a reused address or from an address linked to her identity. If she
does a PayJoin with the reused address then some other economic entity
would have his activity linked with Alice's.

Just the fact that PayJoin-with-CoinSwap exists would improve privacy
for people who don't use it, for example if someone buys bitcoin from an
exchange that knows their identity and then co-spends it with other
coins they obtained another way. The fact that PayJoin exists means an
adversary cannot assume for sure that this user really owns that other
address which was co-spent. This doesn't apply for regular CoinSwap,
which only ever breaks the transaction graph heuristic, so in our
example the destination the coins are sent *to* would be uncertain, but
that the co-spent inputs are owned by the same person would be certain
in a world where PayJoin didn't exist.

> It also removes the need for Bob to reveal additional UTXOs to Alice during the swap protocol; yes PoDLE mitigates the privacy probing attack that Alice can mount on Bob, but it is helpful to remember this is "only" a mitigation.

Opening up the possibility of spying for free is a real downside for
PayJoin-with-CoinSwap. Using decoy UTXOs as described in my design
document, rather than PoDLE, seems like a better way of resisting these
attacks. This is because at the cost of a little bit more bandwidth and
CPU its possible to make the probability of an attacker successfully
guessing the maker's real UTXOs to be as low as you want.

> But S6 has the mild advantage that all the funding transactions paying to 2-of-2s *can* appear on the same block, whereas chaining swaps will have a particular order of when the transactions appear onchain, which might be used to derive the order of swaps.
On the other hand, funds claiming in S6 is also ordered in time, so
someone paying attention to the mempool could guess as well the order of
swaps.

I think this is wrong, and that it's possible for the funding
transactions of chained/routed swaps to all be in the same block as well.

In CoinSwap it's possible to get DOS'd without the other side spending
money if you broadcast your funding transaction first and the other side
simply disappears. You'd get your money back but you have to waste time
and spend miner fees. The other side didn't spend money to do this, not
even miner fees.

From the point of view of us as a maker in the route, we know we won't
get DOS'd like this for free if we only broadcast our funding
transaction once we've seen the other side's funding transaction being
broadcast first. This should work as long as the two transactions have a
similar fee rate. There might be an attack involving hash power: If the
other side has a small amount of hash power and mines only their funding
transaction in a manner similar to a finney attack, then our funding
transaction should get mined very soon afterwards by another miner and
the protocol will continue as normal. If the other side has knowledge of
the preimage and uses it to do CPFP and take the money, then we can
learn that preimage and do our own CPFP to get our money back too.

So in a routed coinswap setup it should be possible for Alice the taker
to broadcast her funding transaction first, which will lead to all the
makers broadcasting their funding transactions as well once they see the
other side has broadcast first. Then it would be possible for all those
funding transactions to be confirmed in the same block.

I hope I haven't missed anything, because if this doesn't work and each
maker must wait for confirmations, then the UX of routed CoinSwap would
degrade: a CoinSwap route of 5 makers would require at least 5 blocks to
be mined.

Of course this setup can leak the ordering of the routes because the
funding transaction would appear in the mempool in that order, but this
could be beaten if some Alices choose to intentionally spread out the
funding transaction broadcasts among multiple blocks for privacy reasons.

An interesting tangent could be to see if it's possible to make private
key handover work with S6. A nice side-effect of private key handover is
that the transfer of possession of the coins happens off-chain, so then
paying attention to the mempool won't help an adversary much.


Regards,
Chris Belcher


  parent reply	other threads:[~2020-06-02 22:24 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-25 13:21 Chris Belcher
2020-05-30 16:00 ` Ruben Somsen
2020-05-31  2:30   ` ZmnSCPxj
2020-05-31 21:19     ` Ruben Somsen
2020-06-01  2:34       ` ZmnSCPxj
2020-06-01 10:19         ` Ruben Somsen
2020-06-02 22:24     ` Chris Belcher [this message]
2020-06-03  4:53       ` ZmnSCPxj
2020-06-03 14:50         ` ZmnSCPxj
2020-06-04 16:37           ` ZmnSCPxj
2020-06-05 22:39         ` Chris Belcher
2020-06-06  1:40           ` ZmnSCPxj
2020-06-06  3:59             ` ZmnSCPxj
2020-06-06  4:25               ` ZmnSCPxj
2020-06-10 10:15             ` Chris Belcher
2020-06-10 10:58               ` ZmnSCPxj
2020-06-10 11:19                 ` Chris Belcher
2020-06-10  0:43 ` Mr. Lee Chiffre
2020-06-10  0:46   ` Mr. Lee Chiffre
2020-06-10  7:09   ` ZmnSCPxj
2020-06-10 11:15   ` Chris Belcher
2020-06-19 15:33 ` Jonas Nick

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cbf78f63-cf8c-c5d8-06ea-afc79aabc23c@riseup.net \
    --to=belcher@riseup$(echo .)net \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox