From 6d1d261919ca3d04b3c020948abf7ca54d3e8459 Mon Sep 17 00:00:00 2001 From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Tue, 5 Nov 2019 09:29:10 +0100 Subject: [PATCH 1/9] Add high level description This is a high level summary and description of the partially blind swap protocol. It was discussed in person with @jonasnick and @AdamISZ. It does not cover the nuances of the musig creation and blinding, thus removing complexity and hopefully providing a more approachable explanation of the protocol. --- md/partially-blind-swap.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index 044953f..2b614c1 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md 
@@ -18,6 +18,33 @@ signature](https://blog.cryptographyengineering.com/a-note-on-blind-signature-sc of Alice over a transaction spending the funding transaction without knowing `t` (similar to [Discreet Log Contracts](https://adiabat.github.io/dlc.pdf)). +High level description +--- +There is a central server (company service provider) that has many utxos, and +many users (Alice, Bob, Charlie) with their individual utxos. The two parties +can swap coins, so that the user knows the coins of the server, but the server +cannot link the pre to post swap coins of the users, with the anonymity set of +all users. An outside observer only sees regular public key and signatures and +no onchain scripts, all is "hidden" within these scriptless scripts public keys +and signatures, so it is unclear that these transactions are actually a swap. + + * User and server communicate to generate a musig public key with the + individual keys of server and user, and the users asks the server to fund + this output O1. + * They generates another musig and the user funds this output O2. + * They pre-sign timelocked refund transactions before funding the musigs, in + the case either party goes offline. + * User has nonce commitment R and public key P of the server coin O1, and + with this he can calculates the sum [(blinded spending signature O1) * G], + with this he can set up an adaptor signature so that the server needs to + reveal the blinded spending signature (the adaptor secret). + * Now the user gives his contribution to spending O2, and the server can + claim O2 only when providing his full real signature and publishing this + on-chain which reveals the adaptor secret (the blinded spending signature). + * The user can now unblinding the adaptor secret spending signature (revealed + by server claiming O2) and he can combine this with his own signature to + spend O1. + Protocol description --- Assume Alice has a permanent public key `A = a*G`, ephemeral pubkey `A1 = A + 
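Review bot: the refund bullet ("They pre-sign timelocked refund transactions before funding the musigs") comes third, after both funding steps have already been described, and the list never says which party each refund pays or how the two timelocks relate. Since the user can only spend O1 after the tumbler has claimed O2 and thereby revealed the adaptor secret, the O1 refund must mature later than the O2 refund; otherwise a claim of O2 made shortly before the refund deadline leaves the user without time to take O1. Suggest moving the refund bullet ahead of the funding bullets and stating the refund direction and timelock ordering explicitly. The unlinkability claim ("the server cannot link the pre to post swap coins of the users") also only holds when every swap uses the same output amount, which belongs next to the anonymity-set sentence. "musig" is used as a noun for the aggregated output; "MuSig aggregate key" with a link to the paper would match how the surrounding text links blind signatures and DLCs. The grammar nits in this hunk ("the users asks", "They generates", "can calculates", "can now unblinding") are corrected by patches 3/9 to 8/9 of this series; squashing those into this commit would keep the typos out of the history.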
From bbc7050dc8a0f73fc5902f03d6431cf1f371b250 Mon Sep 17 00:00:00 2001 From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Tue, 5 Nov 2019 09:56:01 +0100 Subject: [PATCH 2/9] Change `server` to `tumbler` So to be consistent with #14 --- md/partially-blind-swap.md | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index 2b614c1..fe67d30 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md 
@@ -20,30 +20,31 @@ of Alice over a transaction spending the funding transaction without knowing `t` High level description --- -There is a central server (company service provider) that has many utxos, and -many users (Alice, Bob, Charlie) with their individual utxos. The two parties -can swap coins, so that the user knows the coins of the server, but the server -cannot link the pre to post swap coins of the users, with the anonymity set of -all users. An outside observer only sees regular public key and signatures and -no onchain scripts, all is "hidden" within these scriptless scripts public keys -and signatures, so it is unclear that these transactions are actually a swap. - - * User and server communicate to generate a musig public key with the - individual keys of server and user, and the users asks the server to fund - this output O1. +There is Alice as a central tumbler server who has many utxos, and many users +(Bob and Charlie) with their individual utxos. The two parties can swap coins, +so that the user knows the coins of the tumbler, but the tumbler cannot link +the pre to post swap coins of the users, with the anonymity set of all users +between the time of funding and retreaval. An outside observer only sees +regular public key and signatures and no onchain scripts, all is "hidden" +within these scriptless scripts public keys and signatures, so it is unclear +that these transactions are actually a swap. + + * User and tumbler communicate to generate a musig public key with the + individual keys of tumbler and user, and the users asks the tumbler to + fund this output O1. * They generates another musig and the user funds this output O2. * They pre-sign timelocked refund transactions before funding the musigs, in the case either party goes offline. 
- * User has nonce commitment R and public key P of the server coin O1, and + * User has nonce commitment R and public key P of the tumbler coin O1, and with this he can calculates the sum [(blinded spending signature O1) * G], - with this he can set up an adaptor signature so that the server needs to + with this he can set up an adaptor signature so that the tumbler needs to reveal the blinded spending signature (the adaptor secret). - * Now the user gives his contribution to spending O2, and the server can + * Now the user gives his contribution to spending O2, and the tumbler can claim O2 only when providing his full real signature and publishing this on-chain which reveals the adaptor secret (the blinded spending signature). * The user can now unblinding the adaptor secret spending signature (revealed - by server claiming O2) and he can combine this with his own signature to - spend O1. + by the tumbler claiming O2) and he can combine this with his own signature + to spend O1. Protocol description --- From cee59b5e75d05e3d7130868928c06fc986f8f5bc Mon Sep 17 00:00:00 2001 From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Thu, 19 Dec 2019 08:51:55 +0100 Subject: [PATCH 3/9] typo fix Co-Authored-By: yahiheb <52379387+yahiheb@users.noreply.github.com> --- md/partially-blind-swap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index fe67d30..a440706 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md 
@@ -30,7 +30,7 @@ within these scriptless scripts public keys and signatures, so it is unclear that these transactions are actually a swap. * User and tumbler communicate to generate a musig public key with the - individual keys of tumbler and user, and the users asks the tumbler to + individual keys of tumbler and user, and the user asks the tumbler to fund this output O1. * They generates another musig and the user funds this output O2. * They pre-sign timelocked refund transactions before funding the musigs, in From 85118fbf068e21f6d0f0ec437a37cf13f53e273d Mon Sep 17 00:00:00 2001 From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Thu, 19 Dec 2019 08:52:04 +0100 Subject: [PATCH 4/9] typo fix Co-Authored-By: yahiheb <52379387+yahiheb@users.noreply.github.com> --- md/partially-blind-swap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index a440706..1c2607b 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md @@ -32,7 +32,7 @@ that these transactions are actually a swap. * User and tumbler communicate to generate a musig public key with the individual keys of tumbler and user, and the user asks the tumbler to fund this output O1. - * They generates another musig and the user funds this output O2. + * They generate another musig and the user funds this output O2. * They pre-sign timelocked refund transactions before funding the musigs, in the case either party goes offline. * User has nonce commitment R and public key P of the tumbler coin O1, and From 0795bcb89af4a515d0a81315f7a330bbf14f3fb3 Mon Sep 17 00:00:00 2001 From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Thu, 19 Dec 2019 08:52:16 +0100 Subject: [PATCH 5/9] typo fix Co-Authored-By: yahiheb <52379387+yahiheb@users.noreply.github.com> --- md/partially-blind-swap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index 1c2607b..4a90fce 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md @@ -36,7 +36,7 @@ that these transactions are actually a swap. * They pre-sign timelocked refund transactions before funding the musigs, in the case either party goes offline. * User has nonce commitment R and public key P of the tumbler coin O1, and - with this he can calculates the sum [(blinded spending signature O1) * G], + with this he can calculate the sum [(blinded spending signature O1) * G], with this he can set up an adaptor signature so that the tumbler needs to reveal the blinded spending signature (the adaptor secret). * Now the user gives his contribution to spending O2, and the tumbler can From 86597a5de01c64d41ea967d7acef0641839ef8fc Mon Sep 17 00:00:00 2001 From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Thu, 19 Dec 2019 08:52:28 +0100 Subject: [PATCH 6/9] typo fix Co-Authored-By: yahiheb <52379387+yahiheb@users.noreply.github.com> --- md/partially-blind-swap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index 4a90fce..2cde1c3 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md @@ -42,7 +42,7 @@ that these transactions are actually a swap. * Now the user gives his contribution to spending O2, and the tumbler can claim O2 only when providing his full real signature and publishing this on-chain which reveals the adaptor secret (the blinded spending signature). - * The user can now unblinding the adaptor secret spending signature (revealed + * The user can now unblind the adaptor secret spending signature (revealed by the tumbler claiming O2) and he can combine this with his own signature to spend O1. From b1d260a8e66420a2fe9d3e8c7568acb5827c8b91 Mon Sep 17 00:00:00 2001 
From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Thu, 19 Dec 2019 08:52:40 +0100 Subject: [PATCH 7/9] typo fix Co-Authored-By: yahiheb <52379387+yahiheb@users.noreply.github.com> --- md/partially-blind-swap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index 2cde1c3..1e93287 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md @@ -24,7 +24,7 @@ There is Alice as a central tumbler server who has many utxos, and many users (Bob and Charlie) with their individual utxos. The two parties can swap coins, so that the user knows the coins of the tumbler, but the tumbler cannot link the pre to post swap coins of the users, with the anonymity set of all users -between the time of funding and retreaval. An outside observer only sees +between the time of funding and retrieval. An outside observer only sees regular public key and signatures and no onchain scripts, all is "hidden" within these scriptless scripts public keys and signatures, so it is unclear that these transactions are actually a swap. From a7d89f06e98457f1e959d31466fe0ec33eb64beb Mon Sep 17 00:00:00 2001 From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Thu, 19 Dec 2019 08:52:52 +0100 Subject: [PATCH 8/9] typo fix Co-Authored-By: yahiheb <52379387+yahiheb@users.noreply.github.com> --- md/partially-blind-swap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index 1e93287..a20ba2e 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md 
@@ -25,7 +25,7 @@ There is Alice as a central tumbler server who has many utxos, and many users so that the user knows the coins of the tumbler, but the tumbler cannot link the pre to post swap coins of the users, with the anonymity set of all users between the time of funding and retrieval. An outside observer only sees -regular public key and signatures and no onchain scripts, all is "hidden" +regular public key and signatures and no on-chain scripts, all is "hidden" within these scriptless scripts public keys and signatures, so it is unclear that these transactions are actually a swap. From b77ffbd0732dfb05a5e2a235389cc13c44d84542 Mon Sep 17 00:00:00 2001 From: Max Hillebrand <30683012+MaxHillebrand@users.noreply.github.com> Date: Thu, 19 Dec 2019 08:55:15 +0100 Subject: [PATCH 9/9] add clarification --- md/partially-blind-swap.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/md/partially-blind-swap.md b/md/partially-blind-swap.md index a20ba2e..85c95ae 100644 --- a/md/partially-blind-swap.md +++ b/md/partially-blind-swap.md 
@@ -36,9 +36,10 @@ that these transactions are actually a swap. * They pre-sign timelocked refund transactions before funding the musigs, in the case either party goes offline. * User has nonce commitment R and public key P of the tumbler coin O1, and - with this he can calculate the sum [(blinded spending signature O1) * G], - with this he can set up an adaptor signature so that the tumbler needs to - reveal the blinded spending signature (the adaptor secret). + with this the user can calculate the commitment s*G where s is a blinded + signature of the tumbler over a transaction sending coins from O1 to the user. + With this he can set up an adaptor signature so that the tumbler needs to + reveal the blinded spending signature when spending O2 (the adaptor secret). * Now the user gives his contribution to spending O2, and the tumbler can claim O2 only when providing his full real signature and publishing this on-chain which reveals the adaptor secret (the blinded spending signature).
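Review bot: on patch 2/9, the commit title says `server` becomes `tumbler`, but the hunk also names the tumbler Alice and narrows the anonymity-set claim with "between the time of funding and retreaval"; either mention both in the message or split them out, since the Alice naming is what ties this section to the Protocol description below ("Assume Alice has a permanent public key `A = a*G`"). The new opening "There is Alice as a central tumbler server who has many utxos" reads awkwardly; "Alice runs a central tumbler server that has many utxos" keeps the meaning. "retreaval" should be "retrieval" (patch 7/9 fixes it, so it could be folded in here).

Review bot: on patch 9/9, the last rewritten line moves "when spending O2" in front of the parenthetical, so "(the adaptor secret)" now reads as if it refers to O2 rather than to the signature; suggest "reveal the blinded spending signature (the adaptor secret) when spending O2". The new `s*G` and `s` should be in backticks, as `t` and `A = a*G` are in the surrounding text, and the sentence should say that the user computes `s*G` from the nonce commitment R and public key P named in the preceding line, so the reader sees why those two values are listed at all.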