bitcoin-dev
Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Posted on: June 19, 2020 15:33 UTC
CoinSwap is a privacy-enhancing technology that allows users to swap one cryptocurrency for another without revealing their transaction details.
It involves multiple transactions routed through intermediaries, making it difficult for anyone to trace the source and destination of the coins involved. The protocol can be used today without any new soft forks and can be built into existing wallets. CoinSwap offers better privacy than current equal-output CoinJoin apps and is cheaper for the same level of privacy.The original CoinSwap protocol uses 2-of-2 multisig, but 2-party ECDSA can create 2-of-2 multisignature addresses that look like regular single-signature addresses. This method, along with multi-transaction CoinSwaps and routing CoinSwaps, can further enhance privacy by avoiding amount correlation and single points of trust. However, p2pkh, p2wpkh, and p2sh are vulnerable to a birthday attack if they encode a multisig policy. To reduce this vulnerability, a commitment round can be added to all public keys involved in the policy.Implementing CoinSwap alone cannot significantly improve privacy, so other building blocks are necessary to create a truly private system. A liquidity market for CoinSwap can be created similar to how JoinMarket works for CoinJoins, allowing users to create CoinSwaps for any size and time they want. Combining multi-transaction CoinSwaps with routing CoinSwaps creates a decentralized system where makers do not know the entire route of the CoinSwap, and each hop uses multiple transactions to prevent amount correlation.CoinSwap can be combined with CoinJoin, and to defend against attacks, we have Bob maintain a list of "decoy UTXOs", which are UTXOs that Bob found by scanning recent blocks. Private key handover is an observation that once the CoinSwap preimage is revealed, Alice and Bob don't have to sign each other's multisig spend, instead, they could hand over their private key to the other party. CoinSwap can support fidelity bonds and so can be made much more resistant to sybil attacks. In order to communicate, JoinMarket uses public IRC networks for communication. It is proposed that there be a small number of volunteer-operated HTTP servers run on Tor hidden services. Their URLs are included in the CoinSwap software by default. They can be called message board servers. Makers are also servers run on hidden services, and to advertise themselves they connect to these message board servers to post the makers' own .onion address.Takers connect to all these HTTP message boards and download the list of all known maker .onion addresses. They connect to each maker's onion to obtain parameters like offered coinswap fee and maximum coinswap size. Once takers have chosen which makers they'll do a CoinSwap with, they communicate with those maker again directly through their .onion address to transmit the data needed to create CoinSwaps. These HTTP message board servers can be run quite cheaply, which is required as they'd be volunteer-run. They shouldn't require much bandwidth or disk space, as they are well-protected from spam with the fidelity bond requirement.CoinSwap and Lightning Network have many similarities, but CoinSwap can be adopted unilaterally and is on-chain. Today we see some centralized exchange not supporting so-called ``privacy altcoins'' because of regulatory compliance concerns. It's possible that those exchanges will never adopt Lightning because of its privacy features.