Author: Nadav Kohen 2020-08-20 15:28:56
Published on: 2020-08-20T15:28:56+00:00
A developer named Nadav raised a concern regarding the proposed CoinSwap protocol on bitcoin-dev mailing list, stating that he does not fully understand how signatures can be generated for HTLCs from the pubkey used in bitcoin transaction. He suggested using either Zero Knowledge Proof of Knowledge (ZKPoK) or a different key as is done in MuSig. The email also discussed the advantage of direct connections to Alice over CoinJoin and potential leaks in CoinSwap. In terms of miner fees, makers have no incentive to pay any fees, so takers will pay all the fees, and takers should set limits on how large the maker's transactions are. Contract transactions are those which may spend from the 2-of-2 multisig outputs, they transfer the coins into a contract where the coins can be spent either by waiting for a timeout or providing a hash preimage value. Timelocks are staggered so that if a malicious party uses the preimage to take coins then the right people will learn the preimage and have enough time to get their coins back. Finally, the email mentions using the EC tweak trick to reduce one round trip when agreeing on public keys for a 2-of-2 multisig address.The email thread discusses a proposed Coinswap protocol and its potential deviations. The protocol involves two parties exchanging coins via an atomic swap using a 2-of-2 multisig. The parties generate private keys and public keys, which are used to create a pubkey for the Bitcoin transaction. The protocol is analyzed step-by-step, including reactions to possible deviations from the protocol. One potential deviation scenario involves broadcasting an htlc contract tx, in which case the affected party responds by broadcasting their own htlc tx, and the other parties do nothing. In case of a DOS attack, the victimized party can retaliate by DOSing the previous maker in the route, as this produces a concrete cost every time a DOS happens. The multisig outputs of the funding transactions can stay unspent indefinitely, but the parties must always be watching the network and ready to respond with their own sweep using a preimage because the other party still possesses a fully-signed contract tx.
Updated on: 2023-06-14T03:13:57.276711+00:00