CoinPool, exploring generic payment pools for Fun and Privacy



Summary:

Gleb Naumenko and an unnamed collaborator are studying the privacy issues that arise from second-layer protocols on Bitcoin, such as the Lightning Network and vaults. They aim to address privacy leaks from the on-chain transactions of these protocols and from protocol-specific metadata. They also want to establish a list of Bitcoin fingerprints and their severity to inform protocol designers and clarify threat models, and to explore heuristics that spies may use in the future.

CoinPool is proposed as a solution to these problems. The motivation behind the proposal is cross-protocol privacy: it is a generic payment pool that can be wrapped around any other protocol. CoinSwaps and other CoinJoins could be used to mask cross-protocol on-chain transfers, but they depend on timelocking coins, extensive use of on-chain space, and paying fees to provide sufficient privacy. Instead of specialized high-latency, high-chain-use CoinJoin-style protocols, CoinPool is proposed as a low-latency, generic off-chain protocol that can improve on-chain privacy while avoiding the latency and locked-liquidity issues.

CoinPool has three main features: a non-interactive any-order withdrawal property, a Taproot output for the CoinPool UTXO, and two types of transactions that can spend that UTXO, Pool_Tx and Split_Tx. A Pool_Tx enables cooperative updates of the pool, such as a participant exiting or off-chain internal transfers, and requires signatures exchanged "on demand" by the parties involved. A Split_Tx enables a unilateral exit from the CoinPool, and its design depends on what can be achieved with Bitcoin Script. Currently, spending via a Split_Tx requires signatures from all pool participants, so parties must exchange signatures in advance for every possible state of the pool.

CoinPool also provides scalability benefits: it reduces the size of the UTXO set, commits fewer transactions on-chain by moving transfers off-chain, and batches activity from different users.
Participants agree on a pool policy and commit inputs to a funding transaction by sending a corresponding signature. The coin distribution within the pool tree can then be updated, allowing participants to redirect coins to new pools or split leaves of the tree. Withdrawals can be made unilaterally, in the form of a Split_Tx, or with the consent of all parties, in the form of a Pool_Tx.

CoinPool provides privacy by breaking payment sender/receiver linkability for an on-chain observer, making the common-input-ownership, address-reuse, and change-address heuristics irrelevant. Internal CoinPool transfers remain private. Limitations of the current mempool design should be taken into account when using CoinPools, to avoid issues such as mempool pinning.

However, there are several challenges in deploying CoinPools, especially around scalability, and making them practical requires introducing new on-chain primitives. The effectiveness of on-chain privacy within a given CoinPool depends on intra-pool activity and exit activity. Sybil-resistance measures are necessary to prevent attackers from joining a pool, and participants have security and pool-performance requirements, including persistent storage and hot access to signing keys.

CoinSwap was proposed as a next step for on-chain bitcoin privacy, but it requires at least two on-chain transactions and its cost is defined by fee and time-value parameters. In contrast, participation in a CoinPool costs a funding transaction fee shared across all participants plus the cost of a withdrawal. CoinPool is designed to be usable for daily activities and does not require paying fees or using on-chain space per activity. It is a UTXO representing a Taproot tree, and its long-term goal is to be a scalable, used-by-default privacy-enhancing technology. The proposal acknowledges the wider privacy community's work on this topic and credits Greg Maxwell and Dave Harding for suggesting payment pools.
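To make the "UTXO representing a Taproot tree" and the leaf-splitting update concrete, here is an added Python model (not code from the CoinPool proposal, whose actual script layout may differ) that builds a BIP341-style script tree with one leaf per participant, derives each participant's sibling path, and shows that a pool update such as splitting a leaf produces a new root that invalidates paths from the previous state. The leaf scripts and keys are constructed here purely for illustration.

```python
import hashlib

LEAF_VERSION = 0xC0  # BIP341 tapscript leaf version

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP340/341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def leaf_script(name: str) -> bytes:
    # Constructed stand-in for a participant leaf: <32-byte key> OP_CHECKSIG (key derived from name)
    key = hashlib.sha256(f"key:{name}".encode()).digest()
    return bytes([0x20]) + key + bytes([0xAC])

def tap_leaf(script: bytes) -> bytes:
    # Script length fits a single CompactSize byte here (scripts are 34 bytes)
    return tagged_hash("TapLeaf", bytes([LEAF_VERSION, len(script)]) + script)

def tap_branch(a: bytes, b: bytes) -> bytes:
    lo, hi = sorted([a, b])  # BIP341 orders the two children lexicographically
    return tagged_hash("TapBranch", lo + hi)

def build_tree(leaves: list[bytes]) -> tuple[bytes, list[list[bytes]]]:
    """Balanced tree over leaf hashes; returns the root and each leaf's sibling path."""
    paths: list[list[bytes]] = [[] for _ in leaves]
    level = [(h, [i]) for i, h in enumerate(leaves)]  # (node hash, leaf indices below it)
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level) - 1, 2):
            (ha, ia), (hb, ib) = level[i], level[i + 1]
            for j in ia: paths[j].append(hb)  # leaves under a get b as their sibling
            for j in ib: paths[j].append(ha)
            nxt.append((tap_branch(ha, hb), ia + ib))
        if len(level) % 2: nxt.append(level[-1])  # odd node is carried up unchanged
        level = nxt
    return level[0][0], paths

def verify_path(leaf: bytes, path: list[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf and its sibling path (the control-block check)."""
    h = leaf
    for sib in path:
        h = tap_branch(h, sib)
    return h == root

def pool_root(names: list[str]) -> tuple[bytes, list[list[bytes]]]:  # one leaf per participant
    return build_tree([tap_leaf(leaf_script(n)) for n in names])

def split_leaf(names: list[str], name: str, children: list[str]) -> list[str]:  # new pool state
    i = names.index(name)
    return names[:i] + children + names[i + 1:]
```

A participant who keeps a path from an earlier pool state cannot prove inclusion against the updated root, which is why every state change must leave each party holding material valid for the current tree.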


Updated on: 2023-05-20T23:26:39.611969+00:00