How does the cut & choose exchange prove that Bob has provided a hash of a private key and not a hash of something else?
However, the only way to spend that output is to provide the private key.
To spend the output he signs it using
HASH160 hashes his private key and then EQUALVERIFY verifies that it matches
If Alice watches the network, then she will be able to obtain this information and so will get Bob's private key, as promised.
And so will everyone else get Bob's private key and a miner who wins the block can spend his output before his transaction is confirmed on the block chain.
There is no way to know for sure that the hash of the privkey was provided until it works when it is revealed. That is why the fee is required, so that any attack by cheating has a negative expected return.
I changed to 2000 keypairs, so with a 1/777 fee, the expected return is a loss of about 20%. This presupposes there are anywhere near 2000 trades that can be done. Since newbie accounts will only be traded with reluctantly, it will take time to build up an account with 1000+ trades.
And what is achieved? You have lost 1000+ fees, you steal from who you traded with (worth 777 fees), still you lost 200+ fees. The account you built up is blacklisted and the victim is compensated from the fees that have been paid by the attacker. Any balance is forfeited. So any cut and choose attacker will be helping the InstantDEX bank account and the victim would just need to wait a bit extra before being reimbursed. No financial harm to the victim, financial gain to InstantDEX, financial loss to the attacker.
Another point. The 2000 keypairs acts as PoW. It takes several seconds to calculate them all, so you would need one CPU core per attack. It's not like you can simply notify 2000 other peers that you want to start a trade. The initiator has to calculate all the keypairs upfront.
Only if a node decides to accept this incoming offer, will the similar calcs need to be done on the receiving side. Due to the time it takes, probably need to put in some checks for the desirability of the initiating side, but that is for later.
I have a strong feeling that losing 20% will be a pretty strong deterrent, in fact I am hoping we will get a bunch of ideological cut and choose attackers who want to disrupt the DE without regard to losing money. I can then use those funds to pay for bots that will be making bids, just waiting to be cheated on. In fact, this could create a massive positive feedback loop and the net result is that the DE is unusable by people, but the bots make the attacker pay thousands of BTC in fees, forever.
Not a great result, but I think I can live with that.
James
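The following is an added illustration of the cut & choose step discussed above; it is not InstantDEX code or the poster's own. It models the exchange as: the initiator commits to HASH160 of N private keys, the responder picks one index to stay hidden, the initiator reveals the other N-1 keys, and the responder re-hashes each one. The point the thread makes is visible directly in the code: a commitment that is "a hash of something else" is indistinguishable from a key hash until the reveal, so a cheater who fakes one of N commitments is caught with probability (N-1)/N and the fee is what turns the remaining 1/N into a losing bet. Assumptions: private keys are random 32-byte secrets (no secp256k1 pubkey derivation, so the PoW cost of real keypair generation is not reproduced); the fee is normalised to 1 unit and a trade is worth 777 fees, matching the post's 1/777 ratio; `cheater_expected_return_in_fees` is only the per-trade model for one faked commitment and does not model the account-building history the post describes.

```python
import hashlib
import secrets


def hash160(data: bytes) -> bytes:
    """Bitcoin HASH160 = RIPEMD160(SHA256(x)). Some OpenSSL builds disable
    RIPEMD160; in that case a SHA256 stand-in is used (assumption: changes the
    digest bytes but not the protocol logic being demonstrated)."""
    inner = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", inner).digest()
    except ValueError:
        return hashlib.sha256(inner).digest()


def initiator_commit(n, cheat_indices=()):
    """Generate n private keys and a commitment (HASH160) for each one.
    Indices in cheat_indices get the hash of unrelated random bytes instead,
    i.e. 'a hash of something else'. The responder cannot tell the two apart
    from the commitment alone."""
    privkeys = [secrets.token_bytes(32) for _ in range(n)]
    commitments = []
    for i, key in enumerate(privkeys):
        if i in cheat_indices:
            commitments.append(hash160(secrets.token_bytes(32)))
        else:
            commitments.append(hash160(key))
    return privkeys, commitments


def initiator_reveal(privkeys, hidden):
    """Reveal every private key except the one index the responder chose."""
    return {i: key for i, key in enumerate(privkeys) if i != hidden}


def responder_verify(commitments, revealed, hidden):
    """Check that all n-1 revealed keys hash to their commitments."""
    expected = set(range(len(commitments))) - {hidden}
    if set(revealed) != expected:
        return False
    return all(hash160(key) == commitments[i] for i, key in revealed.items())


def run_exchange(n, cheat_indices=(), hidden=None):
    """One full cut & choose round. Returns True if the responder accepts."""
    privkeys, commitments = initiator_commit(n, cheat_indices)
    if hidden is None:
        hidden = secrets.randbelow(n)  # responder's random choice
    revealed = initiator_reveal(privkeys, hidden)
    return responder_verify(commitments, revealed, hidden)


def detection_probability(n, cheat_indices):
    """Exact fraction of the responder's n possible choices that catch the
    cheater: (n-1)/n for one bad commitment, 1.0 for two or more."""
    privkeys, commitments = initiator_commit(n, cheat_indices)
    caught = sum(
        not responder_verify(commitments, initiator_reveal(privkeys, h), h)
        for h in range(n)
    )
    return caught / n


def cheater_expected_return_in_fees(n, trade_value_in_fees):
    """Per-trade expected value, in fee units, for an initiator who fakes one
    of n commitments: wins the trade value with probability 1/n, always pays
    the fee. Negative whenever the trade is worth fewer than n fees."""
    return trade_value_in_fees / n - 1


if __name__ == "__main__":
    print("honest 2000-key round accepted:", run_exchange(2000))
    print("one faked commitment caught with p =", detection_probability(200, (7,)))
    print("per-trade EV in fees (n=2000, trade=777 fees):",
          cheater_expected_return_in_fees(2000, 777))
```

The exhaustive `detection_probability` is deliberately kept to a few hundred keys; at 2000 it re-hashes roughly four million keys. The responder-side check is the same `responder_verify` the honest path uses, so "cheating" never needs a separate branch on the verifier: it is just a commitment that fails to reopen.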