@@ -8,8 +8,8 @@ layout: newsletter
88lang : en
99---
1010This week's newsletter relays a security announcement for LN
11- implementations and notes a few changes in popular Bitcoin
12- Infrastructure projects.
11+ implementations, describes a non-interactive coinjoin proposal, and
12+ notes a few changes in popular Bitcoin Infrastructure projects.
1313
1414{% comment %}<!-- include references.md below the fold but above any Jekyll/Liquid variables-->
1515{% include references.md %}
@@ -28,9 +28,78 @@ Infrastructure projects.
2828
2929## News
3030
31- * None this week besides the above LN security announcement. Instead,
32- we extend our best wishes for safe travels and informative presentations
33- at Scaling Bitcoin Tel Aviv next week.*
31+ - ** SNICKER proposed:** Adam Gibson posted to the Bitcoin-Dev mailing
32+ list with a [ proposal] [ snicker ] for * Simple Non-Interactive Coinjoin
33+ with Keys for Encryption Reused* (SNICKER), a two-step method for
34+ allowing wallets to create coinjoins non-interactively. In the first
35+ step---the * proposer* step--Alice's wallet uses the block chain to
36+ create a map of addresses to public keys. The wallet then checks the
37+ UTXO set to determine whether any of those addresses have a current
38+ balance smaller than the amount Alice controls. If a satisfactory
39+ UTXO is found, Alice creates a proposed coinjoin moving funds from
40+ that address's UTXO and one or more of Alice's UTXOs to three outputs:
41+
42+ 1 . Coinjoin output to Alice
43+
44+ 2 . Coinjoin output to the owner of the selected UTXO (Bob). Both
45+ coinjoin outputs pay the same amount to make them indistinguishable
46+ to third parties looking at the block chain
47+
48+ 3 . Change output to Alice returning any of her money in excess of the
49+ coinjoin amount
50+
51+ Addresses that already have transaction history can't be reused or the
52+ privacy benefits of coinjoin are lost, so Alice generates new unique
53+ addresses for her two outputs. However, Bob has no way in this
54+ non-interactive protocol to tell Alice what addresses to use for his
55+ output. Instead, Alice can use Bob's public key and [ Elliptic Curve
56+ Diffie-Hellman] [ ECDH ] (ECDH) to derive a shared secret that Bob will
57+ also be able to derive from Alice's public key. With the shared
58+ secret and Bob's public key, Alice is able to create a new public key
59+ that only Bob can sign for. That new public key is used to create the
60+ new address for Bob's coinjoin output. Nobody besides Alice and Bob
61+ can tell the difference between the addresses, ensuring privacy for
62+ the coinjoin.
63+
64+ {% comment %}<!-- Note: the proposal as written assumes the PSBT will
65+ be encrypted. However, I (harding) chatted with Gibson and arubi on
66+ IRC about making the PSBTs unencrypted as part of a mechanism to avoid
67+ server spam, so the text says "perhaps encrypted" below to leave open
68+ both possibilities.-->{% endcomment %}
69+
70+ With information about the inputs and the outputs, Alice creates a
71+ [ BIP174] [ ] Partially-Signed Bitcoin Transaction (PSBT) containing the
72+ signatures for her UTXO or UTXOs. She can then upload this PSBT to a
73+ public server, perhaps encrypted so that only Bob can decrypt it.
74+ This completes the proposer step in SNICKER.
75+
76+ If Bob participates in the scheme, his wallet can begin the second
77+ step (* receiver* step) by periodically checking the server to see if
78+ anyone like Alice has sent him a proposed PSBT. If so, Bob can
79+ evaluate the PSBT to ensure it's correct, add his signature for his
80+ UTXO to finalize it, and broadcast the transaction to complete the
81+ coinjoin.
82+
83+ The key advantage of this proposal is that no interaction is required
84+ between Alice and Bob. They each perform their steps independently
85+ and aren't limited by having each other as potential partners. Alice
86+ can create as many proposals as she wants at no cost (except server
87+ storage space) and Bob can receive multiple proposals from different
88+ people via a variety of servers, selecting whichever proposal he
89+ prefers (or none at all). Either party can also spend their UTXO
90+ normally at any time, automatically invalidating any pending proposals
91+ without any harm done. The PSBTs can be exchanged using any medium,
92+ such as a via a simple FTP server, making it easy for anyone to host a
93+ SNICKER exchange server.
94+
95+ The main downside of the proposal is that it requires the proposer
96+ (Alice) know the public key of the receiver (Bob). Almost all
97+ transactions today pay an address that doesn't include a public key,
98+ although that may to change if the proposed [ taproot] [ bip-taproot ]
99+ soft fork is activated and becomes widely adopted. In the meantime,
100+ the SNICKER proposal suggests using reused addresses where public keys
101+ have been revealed via the block chain, or by using a public key
102+ from the input of a transaction that creates a UTXO.
34103
35104## Notable code and documentation changes
36105
@@ -58,3 +127,5 @@ at Scaling Bitcoin Tel Aviv next week.*
58127[ cve ln ] : https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-August/002130.html
59128[ bolts608 ] : /en/newsletters/2019/08/28/#bolts-608
60129[ bolts ] : https://github.com/lightningnetwork/lightning-rfc/
130+ [ snicker ] : https://gist.github.com/AdamISZ/2c13fb5819bd469ca318156e2cf25d79#storage-of-keys
131+ [ ecdh ] : https://en.wikipedia.org/wiki/Elliptic_curve_Diffie-Hellman
0 commit comments