Atomically Swapping Coins: for Privacy or Cross-Blockchain Trades Ethan Heilman, Nicolas Dorier

Both parties get coins back Introduction Atomic Swaps: Enables Alice & Bob to trade cryptocurrency, e.g. Bitcoin, such that: Atomic: The trade happens or does not happen, neither party can cheat the other by taking coins without sending coins. Untrusted: No trusted third party is needed. Trade happens Alice Bob Alice Bob OR Both parties get coins back X …even if parties are malicious and try to cheat each other!

Uses: Cross-blockchain Trades and Privacy Cross-chain Atomic Swaps: Alice has Litecoin, wants Bitcoin Bob has Bitcoin, wants Litecoin So… Alice trades Bob 2 LTC for 1 BTC Alice Bob Tx Tx Atomic Swaps for Privacy: To obfuscate their transaction graph Alice and Bob trade 1 BTC for 1 BTC ...thus, mixing their coins Alice Bob Tx Tx

Atomic Swaps within the same Blockchain Bob, want to swap Bitcoins? Yes, I have coins in Transaction 2 Alice Bob Transaction 1 Transaction 2 APK BPK Tx 3 needs Alice and Bob’s signatures to spend Tx 1 and 2. Transaction 3 APK BPK Step 2: Alice signs Tx 3 and sends Bob the signature Aσ Bσ Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Step 1: Alice creates Tx 3 and sends it Bob Step 4: Tx 3 is confirmed on the blockchain This is a simple form of a CoinJoin. We will return this protocol when talking about privacy Tx 3 is either confirmed on the blockchain or not → the trade happens atomically. However, we can not use this protocol if Tx 1 and Tx 2 are on different blockchains.

Non-Atomic Cross-Blockchain Trades Bob, want to trade Litecoin for Bitcoin? Yes, send me Litecoin first and I’ll send you Bitcoin Hahaha, I stole Alice’s Litecoin!!! Alice Bob Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK Step 2: Bob waits for Tx 3 to be confirmed... We can prevent this with hashlocks! X Evil Step 3: Bob never signs or posts Tx 4! Step 3: Bob signs Tx 4 and posts it to Bitcoin’s blockchain Non-Atomic: Alice can’t cheat Bob, but Bob can cheat Alice … Alice must trust Bob!

Hashlocking Funds BPK , Y= H(?) Bσ, X Hashlocks: Step 1: Alice chooses a random value X and hashes it to get Y. Transaction 1 BPK , Y= H(?) Step 2: Alice creates and posts a transaction which can be spent by Bob if Bob learns X Transaction 2 Bσ, X Step 3: Bob learns X and spends Tx 1. Hashlocks: To spend a Tx output the input you must provide a value X, such that H(X) = Y

Atomic Cross-Blockchain Trades Bob Alice Transaction 1 BPK ,Y= H(?) Alice Bob Transaction 4 BPK Bσ, X Transaction 2 APK ,Y= H(?) Step 1: Alice chooses a random value X and hashes it to get Y and posts Tx 1. Step 2: Bob waits for Tx 1 to be confirmed and then posts Tx 2. Transaction 3 APK Aσ, X Step 3: Alice waits for Tx 2 to be confirmed and then posts Tx 3. Step 4: Bob learns X from Tx 3 and posts Tx 4. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Atomic Cross-Blockchain Trades Bob Alice Transaction 1 BPK ,Y= H(?) Transaction 4 BPK Bσ, X Transaction 2 APK ,Y= H(?) Transaction 5 APK Aσ Transaction 3 APK Aσ, X Transaction 6 BPK Bσ X X This is the Tier Nolan Atomic Trade Protocol. What happens if Alice never posts Tx 3? Funds are unspendable! We add an additional spend condition, called a timelock, which refunds coins after a time limit has been reached. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Full Tier-Nolan Atomic Trade Protocol Bob Alice Transaction 1 BPK ,Y= H(?) Transaction 4 BPK Bσ, X Transaction 2 APK ,Y= H(?) Transaction 5 APK Aσ Transaction 3 APK Aσ, X Transaction 6 BPK Bσ Refund Trade Happens! Refund Bitcoin has two timelock functions: absolute CLTV (BIP-65) and relative CSV (BIP-112) We will be using CLTV here. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Full Tier-Nolan Atomic Trade Protocol: Timing Alice’s Refund unlocked Litecoin’s Blockchain Tx 1 Tx 3 Tx 4 Tx3: Alice sig & X Tx4: Bob sig & X Tx 5 Tx 6 Tx6: Bob sig Tx5: Alice sig Tx1 Spend Conditions: 1. Bob Sig & X Or 2. Alice Sig & LTC-Height>205 200 201 202 203 204 205 206 Alice’s timelock must greater than Bob’s ...or she can cheat! Bob’s Refund unlocked Bitcoin’s Blockchain Tx 2 300 301 302 303 304 305 306 Tx2 Spend Conditions: 1. Alice Sig & X Or 2. Bob Sig & BTC-Height>304 Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Full Tier-Nolan Atomic Trade Protocol: Timing Alice’s Refund unlocked Litecoin’s Blockchain Tx 1 Tx 4 Tx 5 Tx1 Spend Conditions: 1. Bob Sig & X Or 2. Alice Sig & LTC-Height>204 200 201 Tx5: Alice sig 202 203 204 205 206 Tx4: Bob sig & X Alice Hahaha, I stole Alice’s Litecoin!!! Alice’s timelock must greater than Bob’s ...or she can cheat! Bob’s Refund unlocked Bitcoin’s Blockchain Tx 3 Tx3: Alice sig & X Tx 2 300 301 302 303 304 305 306 Tx2 Spend Conditions: 1. Alice Sig & X Or 2. Bob Sig & BTC-Height>304 Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Let’s perform A cross-chain atomic swap

Summary: Cross-Chain Atomic Swaps Alice has Litecoin, wants Bitcoin Bob has Bitcoin, wants Litecoin So… Alice trades Bob 2 LTC for 1 BTC Alice Bob Tier-Nolan Atomic Trades: Enables two parties to trade cryptocurrencies Neither party can cheat each other Timelocks must be carefully selected to ensure Alice can’t cheat Works between any cryptocurrencies that support hashlocks and timelocks Fancier math can remove hashlock requirement Requires four on-blockchain transactions If Alice trusts Bob this can be reduced to two transactions

Privacy Tx Tx Atomic Swaps for Privacy: To obfuscate their transaction graph Alice and Bob trade 1 BTC for 1 BTC ...thus, mixing their coins Alice Bob Tx Tx The idea is to break linkages in the transaction graph We will briefly discuss two protocols: Single-transaction CoinJoin and Maxwell’s CoinSwap (Private Atomic Swaps)

Simple Two Party CoinJoin Protocol Alice Bob Transaction 1 Transaction 2 APK BPK Transaction 3 A’PK B’PK Step 2: Alice signs Tx 3 and sends Bob the signature Aσ Bσ Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Step 1: Alice creates Tx 3 and sends it Bob For privacy Alice and Bob use new public keys. Step 4: Tx 3 is confirmed on the blockchain Privacy Offered: ½ chance of guessing which Tx 3 pubkey is Alice

Private Atomic Swaps (Maxwell’s CoinSwap) Transaction 1 Transaction 2 B’PK, A’PK B’’PK, A’’PK Transaction 6 APK Aσ, X Transaction 5 BPK Bσ, X Transaction 3 B’’σA’’σ Transaction 4 B’σA’σ A’’PK ,Y= H(?) B’PK Transaction 8 B’σA’σ B’PK Transaction 7 B’σA’σ A’’PK Refund Privacy Offered: Only Tx 1, Tx 2, Tx7, Tx8 show up on Blockchain, no linkage. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Privacy Summary Tx Tx Tx Tx Maxwell’s CoinSwaps make Cross-Chain Atomic Swaps indistinguishable ….from four multisig transactions on different blockchains. However they can be correlated by price, timing, network information,... There are several other Atomic Swap based privacy protocols Barber’s Fair Exchange/XIM TumbleBit ...

Questions Topics Discussed: Simple trading protocols Trades that trust one party Atomic Trades that work across one blockchain Cross-Chain Atomic Swaps Hashlocks/Timelocks Tier Nolan Atomic Trade Protocol Privacy Two-party CoinJoin Making Atomic Trades Private

Backup slides

Backup slides

Full Tier-Nolan Atomic Trade Protocol Bob Alice Transaction 1 BPK ,Y= H(?) Transaction 4 BPK Bσ, X Transaction 2 APK ,Y= H(?) Transaction 5 APK Aσ Transaction 3 APK Aσ, X Transaction 6 BPK Bσ Refund Trade Happens! Refund Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Full Tier-Nolan Atomic Trade Protocol Alice’s Refund unlocked Litecoin’s Blockchain Tx 1 Tx 3 Tx 4 Tx3: Alice sig & X Tx4: Bob sig & X Tx 5 Tx 6 Tx6: Bob sig Tx5: Alice sig Tx1 Spend Conditions: 1. Bob Sig & X Or 2. Alice Sig & LTC-Height>205 200 201 202 203 204 205 206 Bob’s Refund unlocked Bitcoin’s Blockchain Tx 2 300 301 302 303 304 305 306 Tx2 Spend Conditions: 1. Alice Sig & X Or 2. Bob Sig & BTC-Height>304 Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Simple Two Party CoinJoin Protocol Alice Bob Transaction 1 Transaction 2 APK BPK Transaction 3 A’PK B’PK Step 2: Alice signs Tx 3 and sends Bob the signature Aσ Bσ Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Step 1: Alice creates Tx 3 and sends it Bob For privacy Alice and Bob use new public keys. Step 4: Tx 3 is confirmed on the blockchain Privacy Offered: ½ chance of guessing which Tx 3 pubkey is Alice

Barber Protocol B’PK, A’PK B’’PK, A’’PK APK Aσ, X BPK Bσ, X B’’σA’’σ Transaction 1 Transaction 2 B’PK, A’PK B’’PK, A’’PK Transaction 6 APK Aσ, X Transaction 5 BPK Bσ, X Transaction 3 B’’σA’’σ Transaction 4 B’σA’σ A’’PK ,Y= H(?) B’PK Transaction 8 B’σA’σ B’PK Transaction 7 B’σA’σ A’’PK Refund Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Barber et al’s Fair-Exchange Protocol [0] “Bitter to Better —How to Make Bitcoin a Better Currency”, Barber et al. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X