|
| 1 | +Partially Blind Atomic Swap Using Adaptor Signatures |
| 2 | +=========================== |
| 3 | + |
| 4 | +In this scheme one of the participants of the swap does not learn which coins |
| 5 | +are being swapped. For example if Alice engages in a partially blind atomic |
| 6 | +swap with Bob and Carol, she would not be able to determine if a swapped output |
| 7 | +belongs to Bob or Carol (assuming the transaction amounts are identical or |
| 8 | +confidential). This property is very similar to |
| 9 | +[TumbleBit](https://eprint.iacr.org/2016/575.pdf) but in the form of a |
| 10 | +[scriptless |
| 11 | +script](https://github.com/apoelstra/scriptless-scripts/blob/master/md/atomic-swap.md) |
| 12 | +and therefore purely in the elliptic curve discrete logarithm setting. |
| 13 | + |
| 14 | +The basic idea is that the discrete logarithm of the auxiliary point `T` in the |
| 15 | +adaptor signature is not chosen uniformly at random by Alice. Instead, Bob |
| 16 | +computes `T = t*G` where `t` is a [blind Schnorr |
| 17 | +signature](https://blog.cryptographyengineering.com/a-note-on-blind-signature-schemes/) |
| 18 | +of Alice over a transaction spending the funding transaction without knowing `t` |
| 19 | +(similar to [Discreet Log Contracts](https://adiabat.github.io/dlc.pdf)). |
| 20 | + |
| 21 | +Protocol description |
| 22 | +--- |
| 23 | +Assume Alice has permanent pubkey `A = a*G` and ephemeral pubkey `A'`, Bob has |
| 24 | +two pubkeys `B1 = b1*G` and `B2 = b2*G` and `H` is a cryptographic hash |
| 25 | +function. The partially blind atomic swap protocol where Alice acts as a |
| 26 | +tumbler and proceeds as follows. |
| 27 | + |
| 28 | +1. Setup |
| 29 | + |
| 30 | + * Bob anonymously asks Alice to put coins into a key aggregated output O1 |
| 31 | + with public key `P1 = H(A,B1,A)*A + H(A,B1,B1)*B1` (following "Simpler |
| 32 | + Schnorr Multi-Signatures with Applications to Bitcoin" by Pieter Wuille, |
| 33 | + Greg Maxwell and Andrew Poelstra). |
| 34 | + * Bob puts coins into a key aggregated output O2 with `P2 = H(A',B2,A')*A' + |
| 35 | + H(A',B2,B2)*B2`. As usual, before sending coins Alice and Bob agree on |
| 36 | + timelocked refund transactions in case one party disappears. |
| 37 | +2. Blind signing |
| 38 | + |
| 39 | + Bob creates a transaction `tx_B` spending O1. Then Bob creates an auxiliary |
| 40 | + point `T = t*G` where `t` is a Schnorr signature over `tx_B` in the |
| 41 | + following way: |
| 42 | + |
| 43 | + * Bob asks Alice for nonce `Ra = ka*G` |
| 44 | + * Bob creates nonce `Rb = kb*G` |
| 45 | + * Bob computes |
| 46 | + * the combined nonce `R = Ra+Rb` |
| 47 | + * the "blinded" nonce `alpha,beta = rand, R' = R + alpha*G + beta*A` |
| 48 | + * the challenge `c1` as the Bellare-Neven style challenge hash of |
| 49 | + `tx_B` with respect to `P1` and input 0 for aggregated key `P1`: `c1 |
| 50 | + = H(P1, 0, R', tx_B)` |
| 51 | + * the challenge `c'` for `A` as part of `P1`: `c' = c1*H(A,B1,A)` |
| 52 | + * the blinded challenge `c = c'+beta` |
| 53 | + * and the blinded signature of A times `G`: `T = R + c*A` |
| 54 | + * Bob sends `c` to Alice |
| 55 | + * Alice replies with an adaptor signature over `tx_A` spending `O2` with |
| 56 | + auxiliary point `T = t*G, t = ka + c*a` where `a` is the discrete |
| 57 | + logarithm of A. |
| 58 | +3. Swap |
| 59 | + |
| 60 | + * Bob gives Alice his contribution to the signature over `tx_A`. |
| 61 | + * Alice adds Bob's contribution to her own signature and uses it to take |
| 62 | + her coins out of O2. |
| 63 | + * Due to previously receiving an adaptor signature Bob learns `t` from step (2). |
| 64 | +4. Unblinding |
| 65 | + |
| 66 | + * Bob unblinds Alice's blind signature `t` as `t' = t+alpha` resulting in a |
| 67 | + regular signature `(R', t')` of Alice over `tx_B`. |
| 68 | + * Bob adds his contribution to `t'` completing `(R', s), s = t' + kb + |
| 69 | + c1*H(A,B1,A)*b1)` which is a valid signature over `tx_B` spending O1: |
| 70 | + ``` |
| 71 | + s*G = (ka + (c'+beta)*a + alpha + kb + c1*H(A,B1,B1)*b1)*G |
| 72 | + = R + beta*A + alpha*G + c1*(H(A,B1,A)*a+*H(A,B1,B1)*b1)*G |
| 73 | + = R' + H(P1, 0, R', tx_B)*P1 |
| 74 | + ``` |
| 75 | + * Bob waits to increase his anonymity set and then publishes the signature |
| 76 | + to take his coins from O1 resulting in the following transaction graph: |
| 77 | + ``` |
| 78 | + +------------+ (R', s) +------------+ |
| 79 | + | O1 +----------->| ...| |
| 80 | + +------------+ +------------+ |
| 81 | + Alice's setup tx tx_B |
| 82 | +
|
| 83 | + +------------+ +------------+ |
| 84 | + | O2 +----------->| ...| |
| 85 | + +------------+ +------------+ |
| 86 | + Bob's setup tx tx_A |
| 87 | + ``` |
| 88 | +
|
| 89 | +As a result, Alice can not link Bob's original coins and his new coins. From |
| 90 | +Alice's perspective `tx_B` could have been just as well the result of a swap |
| 91 | +with someone else. |
| 92 | +
|
| 93 | +Blind Schnorr signatures suffer from a vulnerability known as "parallel attack" |
| 94 | +([Security of Blind Discrete Log Signatures Against Interactive Attacks, C. P. |
| 95 | +Schnorr](http://www.math.uni-frankfurt.de/~dmst/research/papers/schnorr.blind_sigs_attack.2001.pdf)) |
| 96 | +where the attacker collects a bunch of nonces `R` and sends specially crafted |
| 97 | +challenges `c`. The responses can be combined to create a signature forgery. |
| 98 | +Among proposed countermeasures is a simple, but currently unproven trick by |
| 99 | +Andrew Poelstra in which the signer randomly aborts after receiving a |
| 100 | +challenge. |
| 101 | +
|
| 102 | +Note that Bob can get a signature of A over anything including arbitrary |
| 103 | +messages. Therefore, the Blockchain this is used in must not allow spending |
| 104 | +more than one output with a single signature. The [SIGHASH_SINGLE |
| 105 | +bug](https://underhandedcrypto.com/2016/08/17/the-2016-backdoored-cryptocurrency-contest-winner/) |
| 106 | +for example would have been disastrous for this scheme. |
| 107 | +
|
| 108 | +Dealing with Aggregated Signatures |
| 109 | +--- |
| 110 | +The above scheme is broken by aggregated signatures, because they allow spending |
| 111 | +multiple inputs with a single signature. If Bob creates many funding txs with |
| 112 | +Alice, he can create a tx spending all of them, and prepares a message for Alice |
| 113 | +to sign which is her part of the aggregate signature of all the inputs. Alice |
| 114 | +just dumbly signs any blinded message, so can't decide if it's an aggregated |
| 115 | +sig or not. For example Bob may send Alice a challenge for an aggregate |
| 116 | +signature covering output 1 with pubkeys `L1 = {A, B1}` and output 2 with |
| 117 | +pubkeys `L2 = {A, B2}` as `c'=H(P1, 0, R', tx_B)*H(L1,A) + H(P2, 1, R', |
| 118 | +tx_B)*H(L2,A)`. |
| 119 | +
|
| 120 | +A simple solution would be for Alice to create different pubkeys for every swap |
| 121 | +instead of permanent pubkey `A`. Then in step 2 Alice sends one nonce (`Ra`) per |
| 122 | +pubkey to Bob. Bob computes auxiliary points `T` for each of them, including the |
| 123 | +one corresponding to A's pubkey he's really interested in - and requires an |
| 124 | +adapter signature for each `T`. |
| 125 | +* Note that simply sending multiple adaptor sigs is problematic. Say Alice |
| 126 | + sends one adaptor sig with auxiliary point `T1=t1*G` and one with aux |
| 127 | + point `T2=t2*G`. Then even without seeing the actual signature, by just |
| 128 | + subtracting the signatures Bob learns `t1 - t2`. Instead, Alice uses |
| 129 | + auxiliary points `H(T1)*t1*G and H(T2)*t2*G` revealing `H(T1)t1 - H(T2)t2` |
| 130 | + which is usually meaningless. |
| 131 | +
|
| 132 | +The downsides of this approach are increased communication and that Bob doesn't |
| 133 | +know the complete list of Alice's pubkeys, so Alice can only send half of the |
| 134 | +sigs, for example, reducing the anonymity set by 50% with 50% success |
| 135 | +probability. Moreover, Alice can send fake signatures (i.e. signatures not |
| 136 | +belonging to a legitimitate multi party output) such that Bob can not detemine |
| 137 | +his anonymity set. |
0 commit comments