1 / 25

Atomically Swapping Coins : for Privacy or Cross-Blockchain Trades

Atomically Swapping Coins : for Privacy or Cross-Blockchain Trades. Ethan Heilman, Nicolas Dorier. Introduction. Atomic Swaps: Enables Alice & Bob to trade cryptocurrency, e.g. Bitcoin, such that:

virginiaf
Download Presentation

Atomically Swapping Coins : for Privacy or Cross-Blockchain Trades

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Atomically Swapping Coins: for Privacy or Cross-Blockchain Trades Ethan Heilman, Nicolas Dorier

  2. Introduction Atomic Swaps: Enables Alice & Bob to trade cryptocurrency, e.g. Bitcoin, such that: • Atomic: The trade happens or does not happen, neither party can cheat the other by taking coins without sending coins. • Untrusted: No trusted third party is needed. Bob Bob Alice Alice • X OR Trade happens Both parties get coins back …even if parties are malicious and try to cheat each other!

  3. Uses: Cross-blockchain Trades and Privacy Cross-chain Atomic Swaps: Alice has Litecoin, wants BitcoinBob has Bitcoin, wants LitecoinSo…Alice trades Bob 2 LTC for 1 BTC Bob Bob Alice Alice Tx Tx Tx Tx Tx Atomic Swaps for Privacy:To obfuscate their transaction graph Alice and Bob trade 1 BTC for 1 BTC ...thus, mixing their coins Tx Tx Tx Tx Tx Tx

  4. Atomic Swaps within the same Blockchain Bob, want to swap Bitcoins? Yes, I have coins in Transaction 2 Transaction 2 Transaction 1 Tx 3 needs Alice and Bob’s signatures to spend Tx 1 and 2. APK BPK BPK Bob Alice Step 1: Alice creates Tx 3 and sends it Bob Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Transaction 3 Bσ Aσ Step 2: Alice signs Tx 3 and sends Bob the signature Step 4: Tx 3 is confirmed on the blockchain This is a simple form of a CoinJoin. We will return this protocol when talking about privacy APK Tx 3 is either confirmed on the blockchain or not → the trade happens atomically. However, we can not use this protocol if Tx 1 and Tx 2 are on different blockchains.

  5. Non-Atomic Cross-Blockchain Trades Hahaha, I stole Alice’s Litecoin!!! Yes, send me Litecoin first and I’ll send you Bitcoin Bob, want to trade Litecoin for Bitcoin? Transaction 2 Transaction 1 APK BPK BPK APK Bob Alice Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Step 2: Bob waits for Tx 3 to be confirmed... • X Transaction 3 Evil Step 3: Bob never signs or posts Tx 4! Step 3: Bob signs Tx 4 and posts it to Bitcoin’s blockchain Transaction 4 We can prevent this with hashlocks! Non-Atomic: Alice can’t cheat Bob, but Bob can cheat Alice … Alice must trust Bob!

  6. Hashlocking Funds Step 1: Alice chooses a random value X and hashes it to get Y. Transaction 1 BPK , Y= H(?) Step 2: Alice creates and posts a transaction which can be spent by Bob if Bob learns X Bσ, X Step 3: Bob learns X and spends Tx 1. Transaction 2 Hashlocks: To spend a Tx output the input you must provide a value X, such that H(X) = Y

  7. Atomic Cross-Blockchain Trades Transaction 1 BPK ,Y= H(?) Transaction 2 APK BPK APK BPK Step 1: Alice chooses a random value X and hashes it to get Y and posts Tx 1. Step 2: Bob waits for Tx 1 to be confirmed and then posts Tx 2. APK ,Y= H(?) Bob Bob Alice Alice Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Aσ, X Bσ, X Transaction 3 Step 3: Alice waits for Tx 2 to be confirmed and then posts Tx 3. Transaction 4 Transaction 3 APK Step 4: Bob learns X from Tx 3 and posts Tx 4. Transaction 4 BPK Transaction 2 Transaction 1 • X

  8. Atomic Cross-Blockchain Trades Transaction 1 BPK ,Y= H(?) Transaction 2 APK BPK APK BPK APK ,Y= H(?) Bob Alice Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain • X • X Aσ, X Bσ, X Bσ Aσ This is the Tier Nolan Atomic Trade Protocol. Transaction 3 Transaction 5 Transaction 4 Transaction 6 Transaction 4 Transaction 3 APK BPK BPK APK What happens if Alice never posts Tx 3? Funds are unspendable! We add an additional spend condition, called a timelock, which refunds coins after a time limit has been reached. Transaction 2 Transaction 1 • X

  9. Full Tier-Nolan Atomic Trade Protocol Transaction 1 BPK ,Y= H(?) Transaction 2 APK BPK APK BPK APK ,Y= H(?) Bob Alice Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Bσ, X Aσ, X Bσ Aσ Transaction 3 Transaction 5 Transaction 4 Transaction 6 Transaction 4 Transaction 3 APK BPK BPK APK Refund Trade Happens! Refund Bitcoin has two timelock functions: absolute CLTV (BIP-65) and relative CSV (BIP-112) We will be using CLTV here. Transaction 2 Transaction 1 • X

  10. Alice’sRefund unlocked Full Tier-Nolan Atomic Trade Protocol: Timing Litecoin’s Blockchain Tx 1 Tx 4 Tx 5 202 203 204 205 206 200 201 APK APK BPK BPK Tx4: Bob sig & X Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Tx1 Spend Conditions:1. Bob Sig & XOr 2. Alice Sig & LTC-Height>205 Alice’s timelock must greater than Bob’s...or she can cheat! Bob’sRefund unlocked Transaction 3 Bitcoin’s Blockchain Transaction 4 Tx 3 Tx 2 Tx 6 300 301 302 303 304 305 306 Tx2 Spend Conditions:1. Alice Sig & XOr 2. Bob Sig & BTC-Height>304 Tx3: Alice sig & X Tx6: Bob sig Tx5: Alice sig Transaction 2 Transaction 1 • X

  11. Alice’sRefund unlocked Full Tier-Nolan Atomic Trade Protocol: Timing Litecoin’s Blockchain Tx 5 Tx 1 Tx 4 202 203 204 205 206 200 201 APK APK BPK BPK Hahaha, I stole Alice’s Litecoin!!! Tx4: Bob sig & X Alice Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Tx1 Spend Conditions:1. Bob Sig & XOr 2. Alice Sig & LTC-Height>204 Tx5: Alice sig Alice’s timelock must greater than Bob’s...or she can cheat! Bob’sRefund unlocked Transaction 3 Bitcoin’s Blockchain Transaction 4 Tx 3 Tx 2 300 301 302 303 304 305 306 Tx2 Spend Conditions:1. Alice Sig & XOr 2. Bob Sig & BTC-Height>304 Tx3: Alice sig & X Transaction 2 Transaction 1 • X

  12. Let’s perform A cross-chain atomic swap

  13. Summary: Cross-Chain Atomic Swaps Cross-chain Atomic Swaps: Alice has Litecoin, wants BitcoinBob has Bitcoin, wants LitecoinSo… Alice trades Bob 2 LTC for 1 BTC Tier-Nolan Atomic Trades: • Enables two parties to trade cryptocurrencies • Neither party can cheat each other • Timelocks must be carefully selected to ensure Alice can’t cheat • Works between any cryptocurrencies that support hashlocks and timelocks • Fancier math can remove hashlock requirement • Requires four on-blockchain transactions • If Alice trusts Bob this can be reduced to two transactions Bob Alice

  14. Privacy • The idea is to break linkages in the transaction graph • We will briefly discuss two protocols: • Single-transaction CoinJoin • and Maxwell’s CoinSwap (Private Atomic Swaps) Atomic Swaps for Privacy:To obfuscate their transaction graph Alice and Bob trade 1 BTC for 1 BTC ...thus, mixing their coins Bob Alice Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx

  15. Simple Two Party CoinJoin Protocol Transaction 2 Transaction 1 APK BPK B’PK Bob Alice Step 1: Alice creates Tx 3 and sends it Bob Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Transaction 3 Bσ Aσ Step 2: Alice signs Tx 3 and sends Bob the signature Step 4: Tx 3 is confirmed on the blockchain For privacy Alice and Bob usenew public keys. A’PK Privacy Offered: ½ chance of guessing which Tx 3 pubkey is Alice

  16. Private Atomic Swaps (Maxwell’s CoinSwap) Transaction 1 Transaction 2 B’’PK, A’’PK B’PK, A’PK Refund Refund APK BPK APK BPK A’’PK B’PK ,Y= H(?) ,Y= H(?) Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 3 Transaction 4 B’’σA’’σ B’σA’σ B’σA’σ B’σA’σ Aσ, X Bσ, X Transaction 3 Transaction 8 Transaction 7 Transaction 4 Transaction 6 APK B’PK A’’PK Transaction 5 Refund BPK Refund Privacy Offered: Only Tx 1, Tx 2, Tx7, Tx8 show up on Blockchain, no linkage. Transaction 2 Transaction 1 • X

  17. Privacy Summary • Maxwell’s CoinSwaps make Cross-Chain Atomic Swaps indistinguishable ….from four multisig transactions on different blockchains. • However they can be correlated by price, timing, network information,... • There are several other Atomic Swap based privacy protocols • Barber’s Fair Exchange/XIM • TumbleBit • ... Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx

  18. Questions Topics Discussed: • Simple trading protocols • Trades that trust one party • Atomic Trades that work across one blockchain • Cross-Chain Atomic Swaps • Hashlocks/Timelocks • Tier Nolan Atomic Trade Protocol • Privacy • Two-party CoinJoin • Making Atomic Trades Private

  19. Backup slides

  20. Backup slides

  21. Full Tier-Nolan Atomic Trade Protocol Transaction 1 BPK ,Y= H(?) Transaction 2 BPK BPK APK APK APK ,Y= H(?) Bob Alice Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Aσ, X Aσ Bσ, X Bσ Transaction 3 Transaction 5 Transaction 4 Transaction 6 Transaction 4 Transaction 3 APK BPK BPK APK Refund Trade Happens! Refund Transaction 2 Transaction 1 • X

  22. Alice’sRefund unlocked Full Tier-Nolan Atomic Trade Protocol Litecoin’s Blockchain Tx 1 Tx 4 Tx 5 202 203 204 205 206 200 201 BPK BPK APK APK Tx4: Bob sig & X Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Tx1 Spend Conditions:1. Bob Sig & XOr 2. Alice Sig & LTC-Height>205 Bob’sRefund unlocked Transaction 3 Bitcoin’s Blockchain Transaction 4 Tx 3 Tx 2 Tx 6 300 301 302 303 304 305 306 Tx2 Spend Conditions:1. Alice Sig & XOr 2. Bob Sig & BTC-Height>304 Tx3: Alice sig & X Tx5: Alice sig Tx6: Bob sig Transaction 2 Transaction 1 • X

  23. Simple Two Party CoinJoin Protocol Transaction 2 Transaction 1 APK BPK B’PK Bob Alice Step 1: Alice creates Tx 3 and sends it Bob Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Transaction 3 Bσ Aσ Step 2: Alice signs Tx 3 and sends Bob the signature Step 4: Tx 3 is confirmed on the blockchain For privacy Alice and Bob usenew public keys. A’PK Privacy Offered: ½ chance of guessing which Tx 3 pubkey is Alice

  24. Barber Protocol Transaction 1 Transaction 2 B’’PK, A’’PK B’PK, A’PK Refund Refund BPK APK APK BPK B’PK A’’PK ,Y= H(?) ,Y= H(?) Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 3 Transaction 4 B’’σA’’σ B’σA’σ B’σA’σ B’σA’σ Bσ, X Aσ, X Transaction 3 Transaction 8 Transaction 7 Transaction 4 Transaction 6 APK B’PK A’’PK Transaction 5 Refund BPK Refund Transaction 2 Transaction 1 • X

  25. Barber et al’s Fair-Exchange Protocol APK BPK BPK APK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 3 Transaction 4 [0] “Bitter to Better —How to Make Bitcoin a Better Currency”, Barber et al. Transaction 2 Transaction 1 • X

More Related