Author: German Luna 2020-04-22 18:42:18
Published on: 2020-04-22T18:42:18+00:00
The proposed solution aims to achieve traceless atomic swaps within the same chain. This effectively turns an entire chain into a mixer by default. The solution involves using schnorr signatures, similar to how atomic swaps would work with adaptor signatures. In place of the secret 't', a suitably chosen schnorr signature is used. When one counterparty claims their side of the funds, they can obtain the signature they're missing to claim the funds in the (schnorr) multisig that pays them. On-chain, this appears like two independent transactions, even though effectively the two parties have “exchanged” the history attached to the UTXOs. Unlike a mixing service, where all of the histories get merged, with this protocol histories can be pairwise swapped without anybody’s knowledge. The protocol description starts with Alice and Bob holding funds at UTXO1 and UTXO2 respectively, wishing to swap them. Alice provides Bob with a single public key P_A while Bob provides Alice two pubkeys P_B1 and P_B2. Bob and Alice construct the P2PKH addresses Addr1 and Addr2 where the UTXO1 and UTXO2 funds will be sent eventually. They then exchange time-locked refund transactions for the funding transactions sending the funds to Addr1 and Addr2 before submitting the funding transactions (Alice paying to Addr1 from UTXO1, and Bob paying to Addr2 from UTXO2).Alice sends Bob an adaptor signature which Bob verifies contains a valid signature for spending from Addr1 AND another valid signature for spending from Addr2, both signatures from Alice. Bob cannot separate out the two signatures and hence cannot claim any of the funds, provided H( r1 | m) != H( r2 | m') in the signature commitment. Bob then sends Alice the valid signature: r2 + H( r2 | m' )*x_b2. Alice can now add her signature to Bob's and get: r2 + H( r2| m' )*(x_b2 + x_a) which is a valid signature to spend the funding transaction sent to Addr2. Finally, Bob sees Alice claims the fund sent to Addr2 and uses that signature to subtract his own: r2 + H( r2 | m' )*(x_b2 + x_a) - (r2 + H( r2| m' )*x_b2) = H( r2 | m ')*x_a. Bob takes the original adaptor signature and subtracts the known quantity r2+ H( r2 | m' )*x_a, to get a valid signature: r1 + H( r1 | m )*x_a. Bob can now add to that valid signature, his own signature and retrieve the funds.It is possible for the counterparty to store copies of the signatures as proof that such a join has taken place. However, plausible deniability is available upon discarding signatures since the joint private keys (x_a + x_b*) are unavailable. The author invites feedback on this idea.
Updated on: 2023-06-14T00:51:54.103189+00:00