Published on: 2019-08-08T20:06:07+00:00
In a recent email exchange, the writer discusses the importance of the V^2 term in providing Sybil protection in JoinMarket coinjoin. They argue that consolidation into fewer makers is not as bad as having no Sybil protection, and the V^2 term penalizes Sybil attacks and does more good than harm. The writer also addresses concerns about exchanges running makers and explains that the proposed fidelity bond scheme doesn't make it worse.

The email exchange between Dmitry Petukhov and ZmnSCPxj discusses the anti-snitch protection of OP_CHECKSIGVERIFY and OP_CHECKSIG. It is suggested to change the MuSig(all_except_snitch) scheme to a 1-of-n multisig construction to prevent issues with multiple snitches. Consolidation can be subsidized by paying rent to consolidators, and the lessee adds its rent payment in the same transaction that atomically instantiates the fidelity bond. Protection from multiple snitches is achieved by using a multitude of Taproot leaves.

In a recent Bitcoin-dev post, Dmitry Petukhov describes a shared ownership rent scheme where the 'TXO rentier' has a signed timelocked 'backout' transaction that spends the locked TXO and assigns the reward to the rentier. Any transaction that spends any TXO in the bond invalidates the bond when presented to takers. Takers can verify the transaction validity and mark the entire bond as revoked. Verification rules may need to be relaxed or dependent transactions checked to account for backout transactions that are not timelocked themselves.

ZmnSCPxj raises concerns about the anti-snitch protection scheme in consolidated bonds in a recent discussion on Bitcoin's mailing list. The current scheme won't work if there are two snitches, and it is proposed to change it to a 1-of-n multisig construction. The discussion also highlights the possibility of aggregation by off-blockchain agreements, which could be problematic for the system. Centralized exchanges and custodial services already control TXOs of their customers, which they can use to create fidelity bonds without consent. They may be willing to participate in deanonymization efforts to explain their participation in coinjoins to regulators.

ZmnSCPxj proposes a solution to identify and punish snitches who report the consolidation scheme to takers. The participants in the consolidation scheme put up a fraction of the value into revocable bonds, and a punishment transaction divides it equally among the other participants. Participants provide adaptor signatures to their own participant_snitch_key, and if a participant snitches, their previously-shown adaptor signature can be used to reveal the private key behind their participant_snitch_key.

The email discusses the problem of fidelity bonds, which are used to ensure makers on Lightning Network remain honest. Several schemes are proposed, including revocation of the whole bond by controlling even a single TXO, shared ownership rent schemes, and encryption with sequential operations. Aggregation is still possible through off-blockchain agreements, which could give entities like exchanges an undeservedly large weight in the fidelity bond system.

Chris Belcher has discussed two schemes to prevent easy mindless renting of TXOs. One scheme allows revocation of the whole bond by controlling even a single TXO, while the other requires all locked TXOs to be spendable by any key that controls any TXO in the bond. However, both schemes have limitations and increase risk for the renter and co-rentiers.

The email is a response to Chris Belcher's post on bitcoin-dev about the proposed JoinMarket fidelity bonds. ZmnSCPxj discusses the potential weaknesses of the V^2 proposal and suggests an alternative scheme using V^0.999. They also mention ongoing efforts to expand ECDSA to more than two-party n-of-n "true" multisignatures. The risks associated with custodial solutions and non-custodial renting of TXO signatures are also highlighted. The consolidation of makers due to renting TXOs is compared to Sybil attacks, and the writer suggests that consolidation may be a lesser evil in terms of privacy-relevant information sharing.

On the Bitcoin-dev mailing list, ZmnSCPxj warns about the pooling pressure to proof-of-work caused by tiny non-linearities in fidelity bond schemes. They suggest that any non-linearity exerts the same pooling pressure and propose using V^0.999 instead of V^2. The complexity of 2P-ECDSA is also mentioned, as well as the possibility of using transaction malleability as protection in bond transactions. The concept of "contract law" in the real world is explored as a form of smart contracts.

Efforts are being made to expand ECDSA to enable more than two-party n-of-n "true" multisignatures. However, simply banning MuSig or using transaction malleability as protection may not be sufficient.
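
The trade-off between the V^2 and V^0.999 proposals can be made concrete with a small model. This is an added example, not code from the thread or from JoinMarket. It assumes bond weight is the bond value raised to the exponent and that a taker draws makers without replacement in proportion to weight; the budget, honest bonds and slot count are constructed.

```python
# Added illustration: how the bond-weight exponent changes the payoff of
# splitting one budget across Sybil identities versus pooling it.
# Assumptions (not from the thread): weight = value ** exponent, and a taker
# draws makers without replacement with probability proportional to weight.

def bond_weight(value, exponent):
    """Weight a taker assigns to one maker identity with a bond of `value`."""
    return value ** exponent

def split_factor(k, exponent):
    """Total weight of a budget split into k equal bonds, relative to one bond.

    k * (V/k)**a / V**a == k ** (1 - a), independent of V. The inverse,
    k ** (a - 1), is what k equal bond holders gain by pooling into one.
    """
    return k ** (1 - exponent)

def capture_probability(budget, k, honest_bonds, slots, exponent):
    """Chance that all `slots` makers in one coinjoin belong to one entity.

    The entity splits `budget` into k equal bonds (k >= slots); honest
    makers hold the bonds listed in `honest_bonds`.
    """
    if k < slots:
        return 0.0  # not enough identities to fill every maker slot
    w_sybil = bond_weight(budget / k, exponent)
    w_honest = sum(bond_weight(v, exponent) for v in honest_bonds)
    p = 1.0
    for picked in range(slots):
        remaining = (k - picked) * w_sybil  # Sybil weight still unpicked
        p *= remaining / (remaining + w_honest)
    return p

if __name__ == "__main__":
    honest = [1.0] * 20  # constructed: 20 honest makers, bond value 1 each
    for a in (2, 1, 0.999):
        print(f"exponent {a}: split into 10 -> x{split_factor(10, a):.4f} weight")
        for k in (3, 6, 30):
            p = capture_probability(6.0, k, honest, slots=3, exponent=a)
            print(f"  k={k:2d} identities: P(all 3 makers are Sybils) = {p:.5f}")
```

In this model, every extra identity lowers the capture probability under exponent 2, while the same superlinearity rewards pooling by the inverse factor; with an exponent at or just below 1, splitting costs nothing and pooling gains nothing.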
Updated on: 2023-08-02T01:11:05.109132+00:00