Skip to content

Commit 94a4e2f

Browse files
authored
Merge pull request #1 from jonasnick/blind-swaps
Add partially blind swaps writeup
2 parents e369afd + 46eb506 commit 94a4e2f

File tree

1 file changed

+129
-0
lines changed

1 file changed

+129
-0
lines changed

md/partially-blind-swap.md

+129
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,129 @@
1+
Partially Blind Atomic Swap Using Adaptor Signatures
2+
===========================
3+
4+
In this scheme one of the participants of the swap does not learn which coins
5+
are being swapped. For example if Alice engages in a partially blind atomic
6+
swap with Bob and Carol, she would not be able to determine if a swapped output
7+
belongs to Bob or Carol (assuming the transaction amounts are identical or
8+
confidential). This property is very similar to
9+
[TumbleBit](https://eprint.iacr.org/2016/575.pdf) but in the form of a
10+
[scriptless
11+
script](https://github.com/apoelstra/scriptless-scripts/blob/master/md/atomic-swap.md)
12+
and therefore purely in the elliptic curve discrete logarithm setting.
13+
14+
The basic idea is that the discrete logarithm of the auxiliary point `T` in the
15+
adaptor signature is not chosen uniformly at random by Alice. Instead, Bob
16+
computes `T = t*G` where `t` is a [blind Schnorr
17+
signature](https://blog.cryptographyengineering.com/a-note-on-blind-signature-schemes/)
18+
of Alice over a transaction spending the funding transaction without knowing `t`
19+
(similar to [Discreet Log Contracts](https://adiabat.github.io/dlc.pdf)).
20+
21+
Protocol description
22+
---
23+
Assume Alice has a permanent public key `A = a*G`, ephemeral pubkey `A1 = A +
24+
h*G` and ephemeral pubkey `A2`, Bob has two pubkeys `B1 = b1*G` and `B2 = b2*G`
25+
and `H` is a cryptographic hash function. Public key aggregation in "2-of-2"
26+
scripts is achieved with [MuSig](https://eprint.iacr.org/2018/068.pdf) and the
27+
signature scheme is adapted from
28+
[Bellare-Neven](https://cseweb.ucsd.edu/~mihir/papers/multisignatures-ccs.pdf).
29+
The partially blind atomic swap protocol where Alice acts as a tumbler works as
30+
follows.
31+
32+
1. Setup
33+
34+
* Bob anonymously asks Alice to put coins into a key aggregated output O1
35+
with public key `P1 = H(A1,B1,A1)*A1 + H(A1,B1,B1)*B1`.
36+
* Bob puts coins into a key aggregated output O2 with `P2 = H(A2,B2,A2)*A2 +
37+
H(A2,B2,B2)*B2`. As usual, before sending coins Alice and Bob agree on
38+
timelocked refund transactions in case one party disappears.
39+
2. Blind signing
40+
41+
Bob creates a transaction `tx_B` spending O1. Then Bob creates an auxiliary
42+
point `T = t*G` where `t` is a Schnorr signature over `tx_B` in the
43+
following way:
44+
45+
* Bob asks Alice for nonce `Ra = ka*G`
46+
* Bob creates nonce `Rb = kb*G`
47+
* Bob computes
48+
* the combined nonce `R = Ra+Rb`
49+
* the "blinded" nonce `alpha,beta = rand, R' = R + alpha*G + beta*A`
50+
* the challenge `c1` as the Bellare-Neven style challenge hash of
51+
`tx_B` with respect to `P1` and input 0 for aggregated key `P1`: `c1
52+
= H(P1, 0, R', tx_B)`
53+
* the challenge `c'` for `A1` as part of `P1`: `c' = c1*H(A1,B1,A1)`
54+
* the blinded challenge `c = c'+beta`
55+
* and the blinded signature of A times `G`: `T = R + c*A`
56+
* Bob sends `c` to Alice
57+
* Alice replies with an adaptor signature over `tx_A` spending `O2` with
58+
auxiliary point `T = t*G, t = ka + c*a` where `a` is the discrete
59+
logarithm of permanent key `A`.
60+
3. Swap
61+
62+
* Bob gives Alice his contribution to the signature over `tx_A`.
63+
* Alice adds Bob's contribution to her own signature and uses it to take
64+
her coins out of O2.
65+
* Due to previously receiving an adaptor signature Bob learns `t` from step (2).
66+
4. Unblinding
67+
68+
* Bob unblinds Alice's blind signature `t` as `t' = t + alpha + c'*h` where
69+
c' is the unblinded challenge `h` is the tweak for `A1`. This results in a
70+
regular signature `(R', t')` of Alice (`A1`) over `tx_B`.
71+
* Bob adds his contribution to `t'` completing `(R', s), s = t' + kb +
72+
c1*H(A1,B1,B1)*b1` which is a valid signature over `tx_B` spending O1:
73+
```
74+
s*G = t' + kb + c1*H(A1,B1,B1) * b1
75+
= (ka + (c'+beta)*a + alpha + c'*h + kb + c1*H(A1,B1,B1) * b1)*G
76+
= R + beta*A + alpha*G + c1*(H(A1,B1,A1) * (a+h) + H(A1,B1,B1) * b1)*G
77+
= R' + H(P1, 0, R', tx_B)*P1
78+
```
79+
* Bob waits to increase his anonymity set and then publishes the signature
80+
to take his coins from O1 resulting in the following transaction graph:
81+
```
82+
+------------+ (R', s) +------------+
83+
| O1 +----------->| ...|
84+
+------------+ +------------+
85+
Alice's setup tx tx_B
86+
87+
+------------+ +------------+
88+
| O2 +----------->| ...|
89+
+------------+ +------------+
90+
Bob's setup tx tx_A
91+
```
92+
93+
As a result, Alice can not link Bob's original coins and his new coins. From
94+
Alice's perspective `tx_B` could have been just as well the result of a swap
95+
with someone else.
96+
97+
Blind Schnorr signatures suffer from a vulnerability known as "parallel attack"
98+
([Security of Blind Discrete Log Signatures Against Interactive Attacks, C. P.
99+
Schnorr](http://www.math.uni-frankfurt.de/~dmst/research/papers/schnorr.blind_sigs_attack.2001.pdf))
100+
where the attacker collects a bunch of nonces `R` and sends specially crafted
101+
challenges `c`. The responses can be combined to create a signature forgery.
102+
Among proposed countermeasures is a simple, but currently unproven trick by
103+
Andrew Poelstra in which the signer randomly aborts after receiving a
104+
challenge.
105+
106+
107+
A simpler scheme that would be broken by Aggregated Signatures
108+
---
109+
Note that Bob can get a signature of A over anything including arbitrary
110+
messages. Therefore, Alice must only use fresh ephemeral keys `A1` when
111+
creating outputs. This complicates the protocol because at the same time Alice
112+
must not be able to determine for which exact input she signs. As a result,
113+
It's Bob's job to apply tweak `h` to convert a signature of `A` to `A1`.
114+
115+
A simpler protocol where Alice uses `A` instead of `A1` is broken by aggregated
116+
signatures because it allows spending multiple inputs with a single signature.
117+
If Bob creates many funding txs with Alice, he can create a tx spending all of
118+
them, and prepares a message for Alice to sign which is her part of the
119+
aggregate signature of all the inputs. Alice just dumbly signs any blinded
120+
message, so can't decide if it's an aggregated sig or not. For example Bob may
121+
send Alice a challenge for an aggregate signature covering output 1 with
122+
pubkeys `L1 = {A, B1}` and output 2 with pubkeys `L2 = {A, B2}` as `c'=H(P1, 0,
123+
R', tx_B)*H(L1,A) + H(P2, 1, R', tx_B)*H(L2,A)`.
124+
125+
Similarly, the [SIGHASH_SINGLE
126+
bug](https://underhandedcrypto.com/2016/08/17/the-2016-backdoored-cryptocurrency-contest-winner/)
127+
for example would have been disastrous for this scheme. In general, the
128+
Blockchain this is used in must not allow spending more than one output with a
129+
single signature.

0 commit comments

Comments
 (0)