ZmnSCPxj [ARCHIVE] on Nostr: 📅 Original date posted:2020-05-12 📝 Original message:Good morning Ruben, > ...
📅 Original date posted:2020-05-12
📝 Original message:Good morning Ruben,
> >Would this not work?
>
> I considered and rejected that model for the following reason: there are moments where both Alice and Bob can claim the BTC. If they both attempt to do so, it also reveals both secrets, causing the LTC to also be claimable by both parties. This chaotic scenario is a failure mode that did not seem acceptable to me. The revoke transaction was specifically added to mitigate that issue (invalidating any attempt of Bob to claim the coins and reveal his secret). That said, it doesn't particularly seem in either party's interest wait until a moment where two timelocks become valid, so maybe it is not quite as bad as I thought. However, it still means that the incompetence/malevolence of one party can lead to losses for both parties. I have my doubts a gain in privacy in the uncooperative case is worth that risk.
>
> Of course it also reverts the protocol to 3 transactions, instead of 2, but regardless, not having to watch the chain is probably more practical in many cases. As an aside, if both chains support timelocks then we can ensure that the more expensive chain only receives one transaction.
If the shortened refund transaction exists (labeled "refund transaction #1" in the SVG) then the same issue still occurs: after 1 day it is possible for either success or refund#1 to be broadcasted, leading to revelation of both secrets, leading to the same failure mode you described.
Without the refund#1 in your proposal, Bob refusing cooperation after Alice puts the BTC into lock for 3 days and 2 further onchain transactions (with the refund#2 transaction being relative-locked, meaning it cannot be used to CPFP the revoke transaction; my formulation allows any of the result transactions to be CPFP directly by their beneficiaries).
It seems to me that there is still an onlineness requirement in case Bob does not complete the protocol: once the revoke tx becomes valid an online Bob can cheat an offline Alice by broadcasting the revoke tx (which, if my understanding of the protocol is correct, the signatures are shared to both Alice and Bob).
So Alice needs to be online starting at 2 days to 3 days in order to ensure it reclaims it funds.
I have not seen the 2-tx variant video yet, as I prefer to read than listen, but I will also check it if I can find an opportunity.
Regardless, the overall protocol of using 3 clauses in the swap, and reusing the privkey as the payment secret demanded by the pointlocks, is still a significant innovation.
In the context of CoinSwap, a proposal is that a CoinSwap server would provide swapping service to incoming clients.
Using my counterproposal, the Bob position can be taken by the server and the Alice position taken by the client.
In this context, the L1 can be made reasonably close in the future and L2 far in the future, in which case Alice the client can be "weakly offline" most of the time until L2, and even in a protocol abort would be able to recover its funds.
If the protocol completes, the server Bob can claim its funds before L1, and (with knowledge of Alice[0]) can immediately put it in a new funding tx for a new incoming client before L1, which is a fine tradeoff for server Bob since presumably Bob is always online.
Regards,
ZmnSCPxj
📝 Original message:Good morning Ruben,
> >Would this not work?
>
> I considered and rejected that model for the following reason: there are moments where both Alice and Bob can claim the BTC. If they both attempt to do so, it also reveals both secrets, causing the LTC to also be claimable by both parties. This chaotic scenario is a failure mode that did not seem acceptable to me. The revoke transaction was specifically added to mitigate that issue (invalidating any attempt of Bob to claim the coins and reveal his secret). That said, it doesn't particularly seem in either party's interest wait until a moment where two timelocks become valid, so maybe it is not quite as bad as I thought. However, it still means that the incompetence/malevolence of one party can lead to losses for both parties. I have my doubts a gain in privacy in the uncooperative case is worth that risk.
>
> Of course it also reverts the protocol to 3 transactions, instead of 2, but regardless, not having to watch the chain is probably more practical in many cases. As an aside, if both chains support timelocks then we can ensure that the more expensive chain only receives one transaction.
If the shortened refund transaction exists (labeled "refund transaction #1" in the SVG) then the same issue still occurs: after 1 day it is possible for either success or refund#1 to be broadcasted, leading to revelation of both secrets, leading to the same failure mode you described.
Without the refund#1 in your proposal, Bob refusing cooperation after Alice puts the BTC into lock for 3 days and 2 further onchain transactions (with the refund#2 transaction being relative-locked, meaning it cannot be used to CPFP the revoke transaction; my formulation allows any of the result transactions to be CPFP directly by their beneficiaries).
It seems to me that there is still an onlineness requirement in case Bob does not complete the protocol: once the revoke tx becomes valid an online Bob can cheat an offline Alice by broadcasting the revoke tx (which, if my understanding of the protocol is correct, the signatures are shared to both Alice and Bob).
So Alice needs to be online starting at 2 days to 3 days in order to ensure it reclaims it funds.
I have not seen the 2-tx variant video yet, as I prefer to read than listen, but I will also check it if I can find an opportunity.
Regardless, the overall protocol of using 3 clauses in the swap, and reusing the privkey as the payment secret demanded by the pointlocks, is still a significant innovation.
In the context of CoinSwap, a proposal is that a CoinSwap server would provide swapping service to incoming clients.
Using my counterproposal, the Bob position can be taken by the server and the Alice position taken by the client.
In this context, the L1 can be made reasonably close in the future and L2 far in the future, in which case Alice the client can be "weakly offline" most of the time until L2, and even in a protocol abort would be able to recover its funds.
If the protocol completes, the server Bob can claim its funds before L1, and (with knowledge of Alice[0]) can immediately put it in a new funding tx for a new incoming client before L1, which is a fine tradeoff for server Bob since presumably Bob is always online.
Regards,
ZmnSCPxj