mimblewimble team mailing list archive

Thread
Date

Re: Scriptless scripting and deniable swaps

To: John Tromp <john.tromp@xxxxxxxxx>
From: Andrew Poelstra <apoelstra@xxxxxxxxxxxxxx>
Date: Sun, 9 Apr 2017 14:54:12 +0000
Cc: mimblewimble@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CAOU__fw8zz8i05hywGL5F4DhR1THv+m_T-8BLAccep43r8CS-w@mail.gmail.com>
User-agent: Mutt/1.7.1 (2016-10-04)

On Tue, Mar 07, 2017 at 02:18:53PM -0500, John Tromp wrote:
> dear Andrew,
> 
> >> Pieter Wuille in particular has stressed to me what a great feature of MW it is
> >> that everything looks the same, and that breaking this property should be taken
> >> very seriously.
> 
> But with every kernel having both a fee and a locktime (which defaults
> to the last confirmed block at the time of signing), things are pretty
> uniform already.
> 
> > He also suggested the locktime should be cancellable and extendable by having
> > the would-be recipient reveal a key to the sender, but we didn't work out all
> > the details. If this works then we should be able to get the effect of a
> > relative lock-time, having indefinitely-open lightning channels, and so forth.
> > Exciting times.
> >
> > Therefore I revise my proposal again, to remove the explicit locktime, and
> > have only the fee.
> 
> "I send the coins to a 3-of-3 multisig: my key, his key, and a third
> key that I generate with some RSA timelock puzzle. Then I give him the
> corresponding pubkey and SNARK-prove to him that the privkey is a
> solution to the timelock puzzle."
> 
> This seems like quite a bit of complexity. What extra security
> assumptions are we relying on here?
> I don't see the downside of simply requiring a locktime on every kernel...
>

I was recently at Financial Crypto 2017 and I described Ethan's trick to about
half a dozen people independently. Exactly zero of them were comfortable with it
as the only way to do locktimes.

The main complaint was that it required the RSA grinding. I argued reusability
and outsourcing of the grinding, but people still felt that it was wasteful
and likely to vary in speed from user to user.

And of course, it's possible to do this even if the chain supports locktimes
explicitly, so...

I don't think I ever convinced Igno that we should have no kernel locktimes in
grin, but I retract this opinion. The locktimes cost four extra bytes per
kernel, are a very minor privacy hit, and give us a very simple mechanism for
doing reliable locktimes whose timeout is agreed upon by all validators.

Cheers
Andrew

-- 
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom

Attachment: signature.asc
Description: PGP signature

References

Scriptless scripting and deniable swaps
From: Andrew Poelstra, 2017-02-03
Re: Scriptless scripting and deniable swaps
From: Andrew Poelstra, 2017-03-07
Re: Scriptless scripting and deniable swaps
From: John Tromp, 2017-03-07