I added some Q&As in the Dev's Corner (2nd post after OP). As I heard there are some fuds on the Supercoin recently, some people who have no knowledge at all on multisig are attacking Supercoin's multisig technology.
By looking at all questions, I found some are good questions (like some from fluffypony), so while ignoring all fuds, I try to answer these questions in Q&A, and we welcome all reasonable questions and I am willing to discuss all details with other qualified devs.
The multisig tech we are using is 100% sound. Other projects such as Open Bazaar (creating a p2p decentralized trustless marketplace) uses the same tech. Unfortunately I see some attacks on Supercoin are completely out of rack. These people with zero knowledge on multisig better find some basic tutorials to understand it before posting nonsense in some threads.
Our purpose is to advance the technologies for cryptocoin. The cryptocoin domain is very new, there will be inevitably mistakes here and there. Our goal is not to say our coin is the best, but to do our best with best technologies and advance our understanding onthe cryptocoin.
With this, here are the Q&As (I added it to Dev's Corner too).
Q1: Since in normal case, Guarantor does not participate in transaction, why we still need it?A: Guarantor is needed in case of dispute. For example, Mixer claims he sent the coins to destination, while Sender claims he does not see it. At this time, Guarantor is the one to decide whether to distribute the escrow fund as if the transaction completed, or the transaction cancelled.
Q2: Is Supersend with trustless system going to be slower than SuperSend Mixer (phase-1)?A: In our testing it is pretty fast, the anonymous p2p trustless transaction usually takes 20-40 seconds to complete. But since there are several transactions during the process, it will be a little slower than the SuperSend with centralized mixers.
Q3: Is there a fee to use trustless anonymous system?A: Yes. The service fee is 1% or 0.5 SUPER, whichever is bigger. The service fee will be shared equally by Mixer and Guarantor.
Q4: If you only use 1 mixer and 1 guarantor, what if I have so many nodes that I can send you a modified multisig transactions that actually sends the coin to another address instead? A: First of all, another node will have no idea on what is the escrow multisig address. It is not a public address. It is created on the fly with randomly selected public keys from each of the participating nodes. Other nodes will not receive any info on the public keys. Also, the system does broadcast any messages. Messages are point-2-point and not broadcasted.
Second, all communicated private messages are signed with each party's private key, and verified on arriving by the public key of that party. So another node can not forge a message from a participating party, not to say he has any way to get the message and know the id of transactions etc at all. So other nodes can can not forge messages.
Q5: If sender is only sending it to the mixer and then to the receiver, I can just analyze within X blocks for the same amount of coins and I will have a pretty high confidence level that the transaction belongs to the sender/receiver, especially if the amount is pretty unique?A: You can't analysis these for sure. The first step we send as one amount, the amount can easily be splitted into multiple amounts as we did in our phase-1 mixer scenario (amount splitted into random 2-4 parts). Moreover, there are many similar amount sent around. All escrow amounts are similar amounts, all you see is that 3-4 similar amounts sent around and you can't trace them as in/out addresses are not linked at all. It is also easy to split the sending amount (and all fund transfer in the transaction) into "canonical" values (meaning standard like 100, 50, 25, 10, 5, 2, 1 etc). These enhancements are very easy to do and we probably will do it in the next few releases.
Q6: The Guarantor is being trusted to do arbitration between the Sender and the Mixer. Therefore, given the nature of 2-of-3 multisig transactions, the Guarantor and the Mixer can sign the transaction, and then refuse to sign the cancellation transaction, leaving the Sender out of luck and out of funds?A: Yes this is true. However, the system assumes most people are good people. In any system, if majority are bad, then you can't do much, except to have a centralized trust system. This is similar to cryptocoin, if >50% are bad, then they will take over.
This is the same as in trustless distributed marketplace OpenBazaar (
https://openbazaar.org/) did. In this system, there are Buyer, Seller and Arbitrator. If both Buyer and Arbitrator are bad (and coordinated), then you can't do much. They published a nice paper to describe this system (
https://gist.github.com/dionyziz/e3b296861175e0ebea4b)
Q7: SuperSend Tustless uses TxIDs? With malleability what if the TxID changed?A: Malleability mainly caused by multiple possible signature format that is in the TxID. This issue mostly fixed in Bitcoin 0.9.0 by restrict to one "standard" format and not replaying any mutated transactions. This basically fixed the problem.
Moreover, we don't need to transfer TxID per se. Our purpose in the algorithm is to verify whether all deposits made correctly, and whether Mixer actually sent the amount to the distinations. There are ways to do this without using TxIDs. strasboug in this thread proposed some solutions:
https://bitcointalksearch.org/topic/supercoins-supersend-technology-the-true-p2p-decentralized-trustless-system-734578Since escrow is on the multisig address, and multisig address is broadcasted to all the related parties. Each party can verify the deposits by looking at the input on that address. For Mixer's sent tx it is also easy to verify based on the transaction after a given timestamp, and with Mixer's send wallet address. The solution is does not depend on TxIDs.
Last point I want to make on this is, even if in some very rare case (0.1%?, 0.01%? 0.001%?) the TxID changed, the worst is that the send transaction fails, all fund will be refunded to each party, there will be nothing lost.
Q8: Not all possible malleability vectors are "fixed" in 0.9.0, so transactions are still quite malleable and the transaction ID can still change. What do you do?A: As said above, TxIDs are not mandatory in the solution. There are other ways to do it. In the first release we use TxIDs, we will possibly switch to non-TxID solutions.
BTW, if you are telling me that Bitcoin is still very vulnerable, I agree. However, we here do not try to beat Bitcoin. If people can still steal Bitcoin with malleability, then they can steal any cryptocoins, SUPER included. I won't feel bad on that at all. This is not related to trustless system, even with rare malleability not yet fixed by Bitcoin, all parties participating trustless transaction will not lose anything.