|
| 1 | +--- |
| 2 | +title: 'Bitcoin Optech Newsletter #62' |
| 3 | +permalink: /en/newsletters/2019/09/04/ |
| 4 | +name: 2019-09-04-newsletter |
| 5 | +slug: 2019-09-04-newsletter |
| 6 | +type: newsletter |
| 7 | +layout: newsletter |
| 8 | +lang: en |
| 9 | +--- |
| 10 | +This week's newsletter relays a security announcement for LN |
| 11 | +implementations, describes a non-interactive coinjoin proposal, and |
| 12 | +notes a few changes in popular Bitcoin infrastructure projects. |
| 13 | + |
| 14 | +{% comment %}<!-- include references.md below the fold but above any Jekyll/Liquid variables-->{% endcomment %} |
| 15 | +{% include references.md %} |
| 16 | + |
| 17 | +## Action items |
| 18 | + |
| 19 | +- **Upgrade LN implementations:** one or more issues that are scheduled |
| 20 | + to be disclosed at the end of this month affect older LN |
| 21 | + implementations. If you are using any of the following software |
| 22 | + versions, upgrading to a more recent version is [strongly |
| 23 | + recommended][cve ln]: |
| 24 | + |
| 25 | + - C-Lightning < 0.7.1 |
| 26 | + - LND < 0.7 |
| 27 | + - Eclair <= 0.3 |
| 28 | + |
| 29 | +## News |
| 30 | + |
| 31 | +- **SNICKER proposed:** Adam Gibson [posted][snicker email] to the Bitcoin-Dev mailing |
| 32 | + list with a [proposal][snicker] for *Simple Non-Interactive Coinjoin |
| 33 | + with Keys for Encryption Reused* (SNICKER), a method for |
| 34 | + allowing wallets to create coinjoins non-interactively in two steps, a |
| 35 | + *proposer step* and a *receiver step*. In the proposer step, |
| 36 | + Alice's wallet uses the block chain and UTXO set to find UTXOs for |
| 37 | + which she knows (or can infer) the owner's public key. |
| 38 | + She selects one of those UTXOs whose value is less than the amount |
| 39 | + controlled by her wallet and creates a proposed coinjoin between that |
| 40 | + UTXO and her wallet's UTXOs, producing three outputs: |
| 41 | + |
| 42 | + 1. Coinjoin output to Alice |
| 43 | + |
| 44 | + 2. Coinjoin output to the owner of the selected UTXO (Bob). Both |
| 45 | + coinjoin outputs pay the same amount to make them indistinguishable |
| 46 | + to third parties looking at the block chain |
| 47 | + |
| 48 | + 3. Change output to Alice returning any of her money in excess of the |
| 49 | + coinjoin amount |
| 50 | + |
| 51 | + Addresses that already have transaction history can't be reused or the |
| 52 | + privacy benefits of coinjoin are lost, so Alice generates new unique |
| 53 | + addresses for her two outputs. However, Bob has no way in this |
| 54 | + non-interactive protocol to tell Alice what addresses to use for his |
| 55 | + output. Instead, Alice can use Bob's public key and [Elliptic Curve |
| 56 | + Diffie-Hellman][ECDH] (ECDH) to derive a shared secret that Bob will |
| 57 | + also be able to derive from Alice's public key. With the shared |
| 58 | + secret and Bob's public key, Alice is able to create a new public key |
| 59 | + that only Bob can sign for. That new public key is used to create the |
| 60 | + new address for Bob's coinjoin output. No one besides Alice and Bob |
| 61 | + can tell the difference between the addresses, ensuring privacy for |
| 62 | + the coinjoin. |
| 63 | + |
| 64 | + With information about the inputs and the outputs, Alice creates a |
| 65 | + [BIP174][] Partially-Signed Bitcoin Transaction (PSBT) containing the |
| 66 | + signatures for her UTXO or UTXOs. She can then upload this PSBT to a |
| 67 | + public server (and she can encrypt it so that only Bob can decrypt it). |
| 68 | + This completes the proposer step in SNICKER. |
| 69 | + |
| 70 | + If Bob participates in the scheme, his wallet can begin the |
| 71 | + receiver step by periodically checking the server to see if |
| 72 | + anyone like Alice has sent him a proposed PSBT. If so, Bob can |
| 73 | + evaluate the PSBT to ensure it's correct, add his signature for his |
| 74 | + UTXO to finalize it, and broadcast the transaction to complete the |
| 75 | + coinjoin. |
| 76 | + |
| 77 | + The key advantage of this proposal is that no interaction is required |
| 78 | + between Alice and Bob. They each perform their steps independently |
| 79 | + and aren't limited by having each other as potential partners. Alice |
| 80 | + can create as many proposals as she wants at no cost (except server |
| 81 | + storage space) and Bob can receive multiple proposals from different |
| 82 | + people via a variety of servers, selecting whichever proposal he |
| 83 | + prefers (or none at all). Either party can also spend their UTXO |
| 84 | + normally at any time, automatically invalidating any pending proposals |
| 85 | + without any harm done. The PSBTs can be exchanged using any medium that doesn't require users to identify themselves, |
| 86 | + such as a via a simple FTP server over Tor, making it easy for anyone to host a |
| 87 | + SNICKER exchange server. |
| 88 | + |
| 89 | + The main downside of the proposal is that it requires the proposer |
| 90 | + (Alice) know the public key of the receiver (Bob). Almost all |
| 91 | + transaction outputs today pay addresses that don't directly include public keys, |
| 92 | + although that may change if the proposed [taproot][bip-taproot] |
| 93 | + soft fork is activated and becomes widely adopted. In the meantime, |
| 94 | + the SNICKER proposal suggests scanning for reused addresses where public keys |
| 95 | + have been revealed via the block chain, or by using a public key |
| 96 | + from the input of a transaction that creates a UTXO. For a more |
| 97 | + detailed overview of the proposal, see [Gibson's blog post][snicker |
| 98 | + blog]. |
| 99 | + |
| 100 | +## Notable code and documentation changes |
| 101 | + |
| 102 | +*Notable changes this week in [Bitcoin Core][bitcoin core repo], |
| 103 | +[LND][lnd repo], [C-Lightning][c-lightning repo], [Eclair][eclair repo], |
| 104 | +[libsecp256k1][libsecp256k1 repo], [Bitcoin Improvement Proposals |
| 105 | +(BIPs)][bips repo], and [Lightning BOLTs][bolts repo].* |
| 106 | + |
| 107 | +- [C-Lightning #3002][] makes several small changes to comply with |
| 108 | + recent updates to the [LN specification][BOLTs], including the |
| 109 | + [BOLT4][] update to remove the `final_expiry_too_soon` error message |
| 110 | + as described in [last week's newsletter][bolts608]. |
| 111 | + |
| 112 | +- [Eclair #899][] implements extended queries as proposed in [BOLTs |
| 113 | + #557][], allowing an LN node to request only gossip updates that |
| 114 | + arrived after a certain time or which have a different checksum than |
| 115 | + those the node has already seen. |
| 116 | + |
| 117 | +- [Eclair #954][] adds a sync whitelist. If empty, the node will sync |
| 118 | + its gossip store with any peer. If not empty, the node will only sync |
| 119 | + with the specified peers. |
| 120 | + |
| 121 | +{% include linkers/issues.md issues="3002,899,557,954" %} |
| 122 | + |
| 123 | +[cve ln]: https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-August/002130.html |
| 124 | +[bolts608]: /en/newsletters/2019/08/28/#bolts-608 |
| 125 | +[bolts]: https://github.com/lightningnetwork/lightning-rfc/ |
| 126 | +[snicker]: https://gist.github.com/AdamISZ/2c13fb5819bd469ca318156e2cf25d79 |
| 127 | +[ecdh]: https://en.wikipedia.org/wiki/Elliptic_curve_Diffie-Hellman |
| 128 | +[snicker email]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017283.html |
| 129 | +[snicker blog]: https://joinmarket.me/blog/blog/snicker/ |
0 commit comments