bitcoin-dev

Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

Original Postby Ruben Somsen

Posted on: May 31, 2020 21:19 UTC

Ruben proposed using the MuSig key-combination protocol for the non-timelocked SAS output, which doesn't require multisig for one of the two outputs and a single key will suffice.

Ruben also suggested avoiding adding a transaction that undoes the PayJoin in case the swap gets aborted with SAS, allowing only one transaction if successful and no timelock (instant settlement). ZmnSCPxj was not convinced that PayJoin-with-CoinSwap adds much privacy but it does remove the need for Bob to reveal additional UTXOs to Alice during the swap protocol. If Alice is paying some exact amount to Carol and Alice wants to dissociate her funds from the payment, then PayJoin on the second-layer transaction is useful as it correlates the Alice change with Bob inputs and Carol outputs. However, if Alice always has a policy that all sends are via CoinSwap, then the above two trees are not much different for Alice in practice. Ruben also tried to apply SAS to partially blind swaps but ran into likability issues. SAS cannot be made to work with S6 due to the secret being transported being a private key that protects a specific UTXO and it's not possible to safely use the same secret across more than two parties.