Topic: Atomic swaps using cut and choose - page 2. (Read 12138 times)

It seems cut & choose with a fee is an appropriate DE protocol for any proof-of-stake coins with frequent checkpoints (that don't support CLTV), which in NXT's case appears to be enforced by nodes that are always online and can form objective reality from the chain they've seen while being online. In other words (an issue which we have discussed and identified in the linked threads I mentioned in my prior post), NXT's 720 block rule is ambiguous to nodes who've recently come online (they don't know which chain was first to appear and can be lied to by a node that has always been online, i.e. propagation is not objective reality to offline nodes), but afaik with proof-of-stake typically there are a more permanent set of nodes (dictators or elected delegates in Bitshare's DPoS) who control the chain, i.e. the coins are essentially centralized. Yesterday monsterer pointed out how PoS can be controlled with even less than 50% of the hashrate, so kudos to monsterer for articulating our prior insight with more clarity on the weakness of PoS.

So an imperfect DE protocol is arguably appropriate for an imperfect deCentralized consensus algorithm. Seems befitting and allows you James to monetize your work, since PoS coins are still quite popular for the time being (and with hubris I will joke that they will need DE to trade for my superior consensus algorithm invisible vaporcoin).

So what I am saying is I think you can monetize. I don't know how to monetize with the dual CLTV technically sound protocol (with my suggested "coin age" filtering improvement to squelch jamming attacks), as it seems to not require a fee.

Cut & choose seems to be inappropriate for proof-of-work coins due to the longer-range lie-in-wait rented hashrate attack on the probabilistic longest-chain-rule (LCR), unless they too are essentially centralized and have some frequent checkpoints generated by some form (either concentrated hashrate in always online nodes/pools that enforce checkpoints or lead developers who release checkpoints frequently) of centralized control.

You mean that you could steal all trades that sell a particular altcoin by rewinding that altcoin?  That means that the altcoin probably has low hash protection. 

It is a good point though that rewind risk does need to be incorporated into the system.   The current implementation has steps that are zero-confirm, you wouldn't want to do that with high value trades.  It is slower, but worth it due to the higher risk.

A rule of thumb is that 1 block "costs" whatever the block reward is (inc fees).

At the moment, it costs 25 BTC to mine a bitcoin block.

You could set the minimum confirms to k * (trade_value) / (25 BTC).  The k parameter is some protection against multiple trades being attacked together.

With a k of 10, a 2.5BTC trade would have a min confirms of 1 block.  A 100 BTC trade would have a requirement of 40.

If the altcoin pays out 0.5BTC of value per block, then 50 confirms would be required on the altcoin.

This is an extra requirement.  There would be a minimum number of confirms, no matter how small the trade.

Since the fee can be done on bitcoin, which has strong protection, these confirms would be mostly for the altcoin confirm.

Another attack would be to stall the altcoin chain.  You could make blocks and push up the difficulty so it stalls.

I think these attacks mean that the altcoin is weakly protected already.  Even a centralised exchange could have problems.  They pay you in altcoins and the transaction gets rewound.  Having said that, they would probably refund the money.

They also do the "lots of confirms" thing.  For weak altcoins, exchanges require deposits to have lots of confirms.

So the issue is not time sequence, but the fact that it is hard to know if the weaker chain put the data in there as part of a consensus or as part of an attack?

If that is the issue, I am confused why we care so much about it? The metadata in the altcoin chain refers to the BTC data, so why does it matter who put it there? It either matches the BTC data or it doesnt. If it matches, it creates a verifiable time sequence. If it doesnt match, then it would be ignored. Could you make a simple example that shows how an attacker can bypass the BTC "clock" and double spend?

I dont think using bitcoin as the reference clock violates the CAP theorem as it defines the bitcoin data as definitive source of data, so Consistency is achieved, along with availability. [I dont want to get into whether bitcoin itself has done this or that with byzantine whatchamacallits]

Maybe to solve the Partition part, the metadata for the altcoin metadata needs to get back into the BTC chain. We are talking about a slow process, but even if it takes a day for all the back and forth, it seems that it isnt impossible. I just dont understand what exactly is needed.

Maybe it is like spontaneous creation of life from inert chemicals which is (nearly) impossible [please it is just an example, dont want to get into any creation/evolution debate either!], but once it is there, it is hard to stop it from replication. And kind of hard to deny that it exists. Since we now have bitcoin, maybe building on it allows to achieve the desired result (better altcoin security) without any violation of proven theorems by changing the problem.

James

P.S. CAP seems to vary from principle, conjecture, to theorem based on exact and precise definitions, I dont know if bitcoin is the exactly same behavior as in the proven CAP theorem, or if a bitcoin + extra is unable to change it to be beyond the confines of what is proven. I dont like to fight against math proofs, but if there is any level of abstraction in the proof then it is usually possible to "work around" it by transforming the problem to a different problem that isnt proven impossible. Since I am not trying to disprove the CAP theorem, but rather create a cross chain security mechanism that isnt covered by the CAP theorem proper

Apologies in advance to readers that I will spew a lot of words about the phrase, "kindergarten level questions". I just feel awkward because I don't desire to measure myself or others that way. My intent is all about maximizing production (of myself and others). And I have weaknesses and commit lapses of logic (or insufficient research) sometimes/often.

I didn't mean to belittle anyone's sincere inquiries. Apologies if that seemed to be my tone upthread. To any degree that I felt frustration upthread, it was due to for example when someone conflates 'theory' with "highly abstract mathematical structural fact" and my frustration being not with them (for how can they understand my confidence in some insight if I don't explain it to them) because it is my problem if I am too low on energy or time to explain that distinction. Again it isn't the fault of another person that sometimes I am thinking/articulating in abstractions. And I don't make any claim about relative knowledge or capabilities (except to trolls and intentionally condescending people who deserve to have a mirror put in their face, which is not you James). I just tend to think in abstractions often, but not always (obviously I also think in terms of implementation and example cases otherwise I wouldn't have also written 100,000+ lines of commercially successful code as you have James). I just grow weary sometimes, because verbiage on forums has to repeated over and over for each person. I have 10,000+ posts already on this site. Lol. James your effort on implementing DE is worthy of my reciprocal effort (as you know I've told you that I hope your DE is available for the altcoin I am working on). Apologies the past few days have been exhausting/distracting/struggle for me as I alluded to about my health. Also I am reasonably burned out from too many posts on these forums over the past 3 years in contagion with the chronic health debacle/suffering I've been battling. Again apologies if I don't always communicate with perfect attention to apparent tone and with careful/optimum eludication.


There is no way to prove that the consensus of the weaker block chain placed those meta-data records in the stronger block chain. There is some meta-data, but it is meaningless, because consensus is the entire challenge of decentralized protocols that require consensus.

Off topic note that per the CAP theorem, Bitcoin forsakes Partition tolerance in order to achieve Consistency and Availability of consensus. You can think of the other block chain as being another partition. We've been discussing these abstract theoretical issues over in the Altcoin Discussion forum in threads such as The Ethereum Paradox, DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?), and Satoshi didn't solve the Byzantine generals problem. Also include some discussions between monsterer, smooth, and myself in my vaporcoin's thread. So I have the advantage of a few months of discussions about these abstract topics.

OK, so we are in agreement on most everything.

I want to better understand the above as it seems the main issue to prevent much stronger security. I apologize if I am asking kindergarten level questions on this, but I dont understand the external reference point impossibility. Please bear with me. I like concrete examples:

At noon, BTC block noon_txid appears. This is available to the entire bitcoin p2p network. At first it is a bit vulnerable to a reorg due to any pair of linked blocks would override it. After the next block, it would take 3 blocks to overtake, etc. So after 2 hours, we are past the timestamp variance and also have 10+ blocks protected by zillions of hashes.

ALL the altcoin chains can refer to this noon_txid. Let us call it noon_txid_inalt. I am pretty sure this is possible to do. And I am pretty sure that the presence of noon_txid_inalt proves that it came AFTER noon_txid. Please let us ignore odds of sha256 collisions.

In my previous post, I said bi-directional. So the BTC blockchain now gets the noon_txid_inalt and puts that into its blockchain (a bit past 2PM). call this the noon_altconfirm txid.

I claim that we now know that noon_txid happened before noon_txid_inalt which happened before noon_altconfirm txid. It looks like I can segregate blockchain events on different blockchains into definite categories of time ordering of "before" and "after"

What part of the above is insufficient to satisfy the requirements for the external reference?

James

Users typically can't make such settings from any knowledgeable stance. They are ignorant of the tradeoffs and technical issues. I firmly believe you must make this decision for them (at least the default), because I believe they will blame you (the decentralized exchange concept) for any failure. I speak from decades of experience of making B2C (not B2B) commercial software for customers.


That seems reasonable since checkpoints are required in PoS due to people selling their stake and then doing a long-range attack with stake they no longer own based on reorganization of historical transactions that create stake. Anyone who is buying NXT should hopefully understand the tradeoffs of a PoS system (centralized governance, advantage of less electrical consumption, my arguments against PoS in my prior post, etc).


I assume you mean writing some meta-data into the stronger block chain, that the weaker block chain could refer to as evidence. The hindrance is that decentralized block chains have no external reference point. There is no way to enforce that a particular block in one chain came before a block (nor within some # of blocks after a block) on another chain. Block chains are self-referential, and that is precisely why we need CLTV to implement decentralized exchange. It is also why Blockstream's side chains have security which is as weak as the weakest side chain (because a reorganization in one chain erases coins that have already been reserved in other chains for maintaining the one-to-one exchange peg), which is btw why afaics Side chains are implausible (hopefully this post won't get deleted by the moderator, hehe).


I have agreed. Remember what I wrote upthread:

---

---

Thanks to TierNolan et al, we already have a solution employing CLTV on both chains and even squelched the hypothetical jamming with "coin age" filtering. I even wrote that I am excited about you implementing it.

I think you are trying to argue for cut & choose, but that is not the only way to do DE. We already have a technically sound solution for DE as stated.

I have also stated that the (innovative and clever but yet still economically) technically flawed cut & choose protocol variant might be acceptable if the user understands the risks.


Seems to me the problem of financially incentivizing long-range chain reorganizations by enabling the attacker to steal coins from the 2 of 2 multisig, will infect every coin. Similarly to how Side chains devolves to the security of the weakest chain. However, a key distinction is that Side chains depend on a fungible one-to-one peg, so the catastrophe is much more pervasive because the failure isn't isolated to the participants to the exchange between chains but to the value of all the coins on the chains.


Much better altcoins are forced to add CLTV and do DE correctly. Why encourage them to be lazy. Let them die with CE (centralized exchange) if they are too damn lazy to implement CLTV.

You do what ever you want, but you open Pandora's box. If you need to support Nxt, then I say go ahead. But generally supporting DE via the flawed cut & choose seems unsavory to me, but it is of course your decision.

I think we should celebrate TierNolan's original protocol, the implementation of CLTV in Bitcoin recently, and now my added improvement of "Coin Days Destroyed" to squelch jamming. DE can be a reality! Hooray! I am excited about you implementing this. All altcoins that are excited too, need to implement CLTV.

---

I am making a mathematical asymptotic argument similar conceptually to the arguments about Big O and Big Theta computational complexity classes (wherein at any particular/small values the conclusion might be opposite of the asymptotic reality). The point is mathematical structure in that stake only has to be purchased once, whereas electricity has to be paid continuously. Thus in terms of mathematical structure (all other variables the same, e.g. market cap, etc), then hashrate will be structurally more expensive than stake. Stake is not as secure as hashrate because stake is paid once for an eternal attack and hashrate must be paid continuously else the attack ends (is finite in duration). In short, stake enables an infinite duration attack (at no extra cost) and thus stake is free and hashrate is finite and thus it is not free. If you don't believe that, then just consider that one can short a PoS coin (thus recovering the cost of the stake making it less than free) and the market is likely to sell off the coin during any stake-based attack because the market understands the only way to overcome the attack is to fork the coin. Whereas with PoW, the market may ignore the attack because it will be ephemeral unless the attacker can profit from the attack enough to pay for the ongoing cost of the electricity.

This is the fundamental reason that PoS is not secure. Apparently some PoS coins have been attacked with stake, and the common case are the exchanges which control huge amounts of stake.


I presume I did not adequately explain the economic argument. The point is that once you incentivize profitable PoW attacks, the attacker can now sustain an attack indefinitely (or the DE is abandoned). Thus there is no longer period of time which is sufficient (from a mathematical structural perspective, although there might be particular cases that are secure, you can't state them with equations that enable reliable decisions). I understand you want to find some reasonable middle ground, but I presume you would play with fire if you pursued this similar to those who argued that PoS was an acceptable middle ground (yet even today we see that Bitshares' DPOS is probably controlled by a few exchanges and I think someone told me Nxt is controlled by a dictator).

I comprehend and am aware of the stance that says nothing is perfect and choose some practical middle ground. But I argue we can do better than some muddled middle ground where for example Bitcoin is already controlled by a Chinese mining cartel that has 65% of the hashrate and is provably lying about the Great Firewall of China being a hindrance for them (their motivation is obviously to make higher profits with higher transaction fees by constraining block size). This outcome I predicted in 2013, even I nailed in 2013 the block size as the specific failure mode, and everyone was arguing at that time that I was loony. Their % of the hashrate will increase on the next block reward halving this year, because the marginally profitable miners are the first to go (and I suspect the Chinese mining cartel is getting subsidized electricity with political connections/corruption).

You can make the reasonable argument that the insecurity of the proposed cut & choose algorithm only impacts those altcoins without CLTV and thus it is better than no DE for those coins. In that case, maybe I can agree with that. But do fully acknowledge the Pandora's box security threat so enabled (but at least isolated to those who trade for those altcoins). Thus I don't think it will be a very popular case, if proper disclosures are made. Who would trade BTC for an altcoin where they might lose their funds due to an attack (particularly even a long-range lie-in-wait attack) and where the developers of that altcoin are unable to add the CLTV op code.


Of course there are scenarios where a PoW coin pays less % of debasement to mining thus requires less cost for a short-term attack than a PoS coin with a huge market cap. This is primarily because Satoshi's PoW design is incorrect. I have a solution to this by making mining unprofitable so that no debasement is paid for mining.

Both the current PoS and PoW designs are flawed. That is one of the major innovations I am working on.


The generative essence statement I made upthread was referring to the fact that given no reference point, DE would not be secure,. Without a reference point, nothing can be proven about crypto currency (e.g. double-spends can't be prevented, etc), thus the requirement for a reference point is essential (even Satoshi's PoW suffers from the fact that it is probabilistic and didn't solve the Byzantine General's Problem because it can't identify an attack from a non-attack because the longest chain rule is self-referential). I can make such a general statement and be 100% certain there is no possible exception, because it is a fundamental inviolable mathematical structural issue.

The reference points are provided by my upthread "Coin Days Destroyed" suggestion a few days ago and the point yesterday in this thread about hard-coding the destination addresses in the CLTV. In order words, those reference points do not depend on future confirmations, but are past history (the age of the UXTOs being spent) and future invariants (the hard-coded destinations).

I was just starting treatment for fatty liver disease over the past 2 days (along with running around getting a diagnosis and other foggy brain matters) so apologies that only this morning did I feel alert enough to write a coherent explanation such as this.


There is a distinction between theory and inviolable mathematical structure. I will give you another example that I learned when I started to teach myself cryptography over the past 3 years. That is zero knowledge proofs are impossible without an asymmetric trap door function, i.e. they can't be done with hash functions. That is not theory. It is an inviolable fact due to the mathematical structure.

Yes scrutiny leads to progress.

"stake costs less than hashrate" this appears to be the same as saying donuts cost less than springs.

Sometimes the stake required to attack will cost more than hashrate and vice versa. So it all depends on the specific coins being talked about.

And I am not thinking it is so easy to cause deep reorgs at will. It could be that the DE for low security coins needs to be done over longer periods of time and in small increments, ie overlapped micropayment channels.

I am not conviced by general statements, especially when they have counterexamples that prove they are incorrect. I can easily name many PoS coins that are more expensive to obtain stake enough to attack against a set of PoW coins whose hashrate is lower.

Sorry, general scare statements dont work on me. Only specific failure cases, which can then be generalized and solutions usually devised. I know that if I just say, sure in theory it wont work and dont push for a solution, then it would limit things to BTC <-> LTC and gradually more and more, so at worst it is a slow process, but we dont have to outrun the bear, we just need to be more secure than a CE.

James

Unlike hashrate (electricity), stake only has to be purchased once and attack forever, so therefor rental prices for stake should be much lower (since stake costs less than hashrate).

---

I think we solved the jamming problem with CLTV version of DE. So there was a positive outcome from this thread. I am happy that DE can work.

Just trying to calibrate things. If need be there can be a global tracking of pending trades relative to hashrates. And until there are much larger number of active trades, at any given time odds are that there wont be that many trades involving a specific coin. Even on high volume exchanges like btc38, often hours can go by without any trade for a specific coin.

Also, how can a PoS coin be attacked using this? Does this mean that PoS coins are more secure as atomic altcoins than PoW?

I dont want to start a holy war re PoS vs PoW, just trying to quantify risks. If indeed an attacker can spawn 100BTC worth of swaps, use funds to buy hashrate to reverse tx, then indeed this needs to be addressed. Tracking pending trades or limiting to PoS coins comes to mind, but I am tired and that is just the initial reaction, there should be more potential solutions

James

Why do you assume only one DE transaction will be ongoing on a block chain simultaneously. And why do you assume that DE transactions will be limited to 1 BTC.

I understand hashrate is rentable.

Please explain how a 1BTC value for atomic swap is financing a 51% attack. How many coins can be attacked with 1BTC of hashrate? and realistically how many blocks can be reorged

we are not talking about doing 100BTC swaps as the norm. Most will be 1BTC worth or less

James

I don't want to repeat myself. You will destroy the security of the coin by enabling the hashrate attacker to steal other people's coins. This was not possible before (rather before an attacker could only attempt to double-spend his own coins), thus such an attack was not well funded. You are proposing to fund 51% attacks. I hope you understand that hashrate is rentable and the implications of that. Especially when you are proposing to exchange between altcoins which have very low hashrate security (note Alice's multi-sig occurs on the altcoin not on Bitcoin).

Sorry the cut & choose proposal must be scrapped.

Stick with the CLTV on both block chains where the destination addresses are hard-coded and thus can't be stolen by a hashrate attacker. That is technically sound.

I deleted the prior version of this post a few moments after posting it, because I realized I had an error and I wanted to take a moment to think about it before reposting. I didn't realize jl777 has already replied within those few moments, until I had already deleted it and saw his post when the page reloaded.


The insoluble flaw will always remain (no matter how you structure the deposit) that either Alice can refuse to do the succeeding transaction and thus Bob loses his deposit (and if the deposit is paid to Alice then she steals this amount), or if you allow Bob to refund the deposit, then Bob can refuse to do the next step after Alice issues her transaction and thus Alice will lose her funds. Or as I wrote days ago (see self quotes below), the private keys get revealed and anyone can spend a transaction to themselves.


I now understand the intent of the cut & choose that Alice is 99.9% certain (precise % depends on number of key pairs in the challenge session of step #1) that is signable with bob_priv_n, so that when Bob releases bob_priv_n before step #4 to refund his deposit, then Alice is sure she can sign for Bob's transaction in order to spend it back to herself. At that point Bob doesn't have Alice's private key, and Alice never releases this private key, thus only she can sign back her transaction to herself.

Whereas if Bob issues the reciprocal payment to Alice in step #4, Alice releases her private key (so she can claim Bob's payment from step #4) then Bob can sign using his private key (which remains private until he issues the refund for his deposit) to spend Alice's payment from step #3.

But the problem remains that when private keys are revealed, then anyone can spend the payment from Alice. One might argue that Bob will wait to refund the deposit until after the payment from Alice to Bob has been confirmed spent by Bob, but an attacker with sufficient hashrate can revert the order of the transactions and steal Bob's payment. Remember you are proposing to have many of these DE transactions occurring simultaneously and you are thus incentivizing someone to attack the block chain with hashrate to steal value. Normally even a 51% attacker can't steal someone else's coins (only double-spend their own coins), yet you are proposing to open a new attack vector funding 51% attacks with other people's coins! That is a non-starter, because it weakens the entire coin's security (because adds a new source of funding for 51% attacks). Perhaps you have just identified a reason that multi-sig transactions should always have their destination address hard-coded. I think you've identified a security hole in the current OP code for multi-sig.

Even if it were possible to structure a Bitcoin transaction such that Bob signs for his refund instead of releasing the private key, that wouldn't help you, because then Alice couldn't refund herself when Bob fails to do step #4.

As I wrote many moons ago in this thread, there is simply no way to do DE unless both block chains support CLTV. I told you the generative essence reason is because there is no reference point: