[bitcoin-dev] Hiding CoinSwap Makers Among Custodial Services

ZmnSCPxj ZmnSCPxj at protonmail.com
Thu Jun 11 11:51:03 UTC 2020


Good morning Chris, and bitcoin-dev (but mostly Chris),


I made a random comment regarding taint on bitcoin-dev recently: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-June/017961.html

> For CoinSwap as well, we can consider that a CoinSwap server could make multiple CoinSwaps with various clients.
> This leads to the CoinSwap server owning many small UTXOs, which it at some point aggregates into a large UTXO that it then uses to service more clients (for example, it serves many small clients, then has to serve a single large client that wants a single large UTXO for its own purposes).
> This aggregation again leads to spreading of taint.

I want to propose some particular behaviors a SwapMarket maker can engage in, to improve the privacy of its customers.

Let us suppose that individual swaps use some variant of Succinct Atomic Swap.
Takers take on the role of Alice in the SAS description, makers take on the role of Bob.
We may be able to tweak the SAS protocol or some of its parameters for our purposes.

Now, what we will do is to have the maker operate in rounds.

Suppose two takers, T1 and T2, contact the sole maker M in its first ever round.
T1 and T2 have some coins they want to swap.
They arrange things all the way to confirmation of the Alice-side funding tx, and pause just before Bob creates its own funding tx for their individual swaps.
The chain now shows these txes/UTXOs:

     42 of T1 --->  42 of T1 & M
     50 of T2 --->  50 of T2 & M
    100 of T1 ---> 100 of T1 & M

    200 of M  -

Now the entire point of operating in rounds is precisely so that M can service multiple clients at the same time with a single transaction, i.e. batching.
So now M provides its B-side tx and completes the SAS protocols with each of the takers.
SAS gives unilateral control of the outputs directly to the takers, so we elide the fact that they are really 2-of-2s below:

     42 of T1 --->  42 of T1 & M
     50 of T2 --->  50 of T2 & M
    100 of T1 ---> 100 of T1 & M

    200 of M  +-->  11 of M
              +--> 140 of T1
              +-->  49 of T2

(M extracted 1 unit from each incoming coin as fee; they also live in a fictional universe where miners mine transactions out of the goodness of their hearts.)
Now in fact the outputs of the previous taker-side transactions are, after the SAS, solely owned by M the maker.
Now suppose on the next round, we have 3 new takers, T3, T4, and T5, who offer some coins to M to CoinSwap, leading to more blockchain data:

     42 of T1 --->  42 of T1 & M
     50 of T2 --->  50 of T2 & M
    100 of T1 ---> 100 of T1 & M

    200 of M  -+->  11 of M
               +-> 140 of T1
               +->  49 of T2

     22 of T3 --->  22 of T3 & M
     90 of T3 --->  90 of T3 & M
     11 of T4 --->  11 of T4 & M
     50 of T4 --->  50 of T4 & M
     15 of T5 --->  15 of T5 & M

In order to service all the new takers of this round, M takes the coins that it got from T1 and T2, and uses them to fund a new combined CoinSwap tx:

     42 of T1 --->  42 of T1 & M -+--+-> 110 of T3
     50 of T2 --->  50 of T2 & M -+  +->  59 of T4
    100 of T1 ---> 100 of T1 & M -+  +->  14 of T5
                                     +->   9 of M
    200 of M  -+->  11 of M
               +-> 140 of T1
               +->  49 of T2

     22 of T3 --->  22 of T3 & M
     90 of T3 --->  90 of T3 & M
     11 of T4 --->  11 of T4 & M
     50 of T4 --->  50 of T4 & M
     15 of T5 --->  15 of T5 & M

That transaction, we can observe, looks very much like a batched transaction that a custodial service might produce.
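The round-based batching above, reduced to its accounting, as an added example (not code from the post or from any SwapMarket implementation): the maker pays each taker the sum of its Alice-side coins less one unit per coin, funds the single Bob-side tx from coins swapped in during earlier rounds (falling back to its own coins), and keeps the remainder as change. Amounts are abstract units and the no-miner-fee assumption is the post's own fiction; `demo()` replays the post's two rounds with the amounts taken from its diagrams.

```python
from dataclasses import dataclass, field

FEE_PER_COIN = 1  # the post's simplification: M keeps 1 unit of each incoming coin

@dataclass
class Utxo:
    amount: int
    owner: str  # party with unilateral control once the SAS completes

@dataclass
class Maker:
    name: str = "M"
    wallet: list = field(default_factory=list)  # M's own coins plus coins swapped in earlier

    def run_round(self, offers: dict) -> dict:
        """One round: `offers` maps taker -> amounts it funded on the Alice side.
        Returns M's single batched Bob-side tx as {"inputs": [Utxo], "outputs": [Utxo]}."""
        # Each taker is paid the sum of its coins, less one fee per coin.
        payouts = {t: sum(c) - FEE_PER_COIN * len(c) for t, c in offers.items()}
        needed = sum(payouts.values())
        # Fund the batch from the wallet, oldest coin first: coins swapped in
        # during the previous round sit ahead of M's own change output.
        inputs, total = [], 0
        while total < needed:
            if not self.wallet:
                raise ValueError("maker lacks liquidity to fund this round")
            inputs.append(self.wallet.pop(0))
            total += inputs[-1].amount
        outputs = [Utxo(a, t) for t, a in payouts.items()]
        # After the SAS the takers' Alice-side coins are solely M's; together
        # with any change (the "11 of M" / "9 of M" outputs) they fund later rounds.
        self.wallet.extend(Utxo(a, self.name) for c in offers.values() for a in c)
        if total > needed:
            change = Utxo(total - needed, self.name)
            outputs.append(change)
            self.wallet.append(change)
        return {"inputs": inputs, "outputs": outputs}

def balanced(tx: dict) -> bool:
    """No miner fee in the post's fiction, so inputs must equal outputs exactly."""
    return sum(u.amount for u in tx["inputs"]) == sum(u.amount for u in tx["outputs"])

def demo():
    """Replay the post's two rounds (amounts constructed from its diagrams)."""
    m = Maker(wallet=[Utxo(200, "M")])
    tx1 = m.run_round({"T1": [42, 100], "T2": [50]})
    tx2 = m.run_round({"T3": [22, 90], "T4": [11, 50], "T5": [15]})
    return tx1, tx2
```

The second round's tx consumes exactly the three coins swapped in during the first round and pays three unrelated parties plus change, which is the shape a custodial batch withdrawal has.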

Now imagine more rounds, and I think you can begin to imagine that the magic of transaction batching, ported into SwapMarket, would help mitigate the blockchain size issues that CoinSwap has.

Makers are expected to adopt this technique since it reduces the overall cost of the transactions they produce; they are thus incentivized to use it to increase their profitability.

At the same time, it spreads taint around and increases the effort that chain analysis must go through to identify what really happened.

Regards,
ZmnSCPxj

