Presentation is loading. Please wait.

Presentation is loading. Please wait.

Atomically Swapping Coins: for Privacy or Cross-Blockchain Trades

Published byMillicent Hubbard Modified over 6 years ago

Similar presentations

Presentation on theme: "Atomically Swapping Coins: for Privacy or Cross-Blockchain Trades"— Presentation transcript:

1 Atomically Swapping Coins: for Privacy or Cross-Blockchain Trades
Ethan Heilman, Nicolas Dorier

2 Both parties get coins back
Introduction Atomic Swaps: Enables Alice & Bob to trade cryptocurrency, e.g. Bitcoin, such that: Atomic: The trade happens or does not happen, neither party can cheat the other by taking coins without sending coins. Untrusted: No trusted third party is needed. Trade happens Alice Bob Alice Bob OR Both parties get coins back X …even if parties are malicious and try to cheat each other!

3 Uses: Cross-blockchain Trades and Privacy
Cross-chain Atomic Swaps: Alice has Litecoin, wants Bitcoin Bob has Bitcoin, wants Litecoin So… Alice trades Bob 2 LTC for 1 BTC Alice Bob Tx Tx Atomic Swaps for Privacy: To obfuscate their transaction graph Alice and Bob trade 1 BTC for 1 BTC ...thus, mixing their coins Alice Bob Tx Tx

4 Atomic Swaps within the same Blockchain
Bob, want to swap Bitcoins? Yes, I have coins in Transaction 2 Alice Bob Transaction 1 Transaction 2 APK BPK Tx 3 needs Alice and Bob’s signatures to spend Tx 1 and 2. Transaction 3 APK BPK Step 2: Alice signs Tx 3 and sends Bob the signature Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Step 1: Alice creates Tx 3 and sends it Bob Step 4: Tx 3 is confirmed on the blockchain This is a simple form of a CoinJoin. We will return this protocol when talking about privacy Tx 3 is either confirmed on the blockchain or not → the trade happens atomically. However, we can not use this protocol if Tx 1 and Tx 2 are on different blockchains.

5 Non-Atomic Cross-Blockchain Trades
Bob, want to trade Litecoin for Bitcoin? Yes, send me Litecoin first and I’ll send you Bitcoin Hahaha, I stole Alice’s Litecoin!!! Alice Bob Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK Step 2: Bob waits for Tx 3 to be confirmed... We can prevent this with hashlocks! X Evil Step 3: Bob never signs or posts Tx 4! Step 3: Bob signs Tx 4 and posts it to Bitcoin’s blockchain Non-Atomic: Alice can’t cheat Bob, but Bob can cheat Alice … Alice must trust Bob!

6 Hashlocking Funds BPK , Y= H(?) Bσ, X Hashlocks:
Step 1: Alice chooses a random value X and hashes it to get Y. Transaction 1 BPK , Y= H(?) Step 2: Alice creates and posts a transaction which can be spent by Bob if Bob learns X Transaction 2 Bσ, X Step 3: Bob learns X and spends Tx 1. Hashlocks: To spend a Tx output the input you must provide a value X, such that H(X) = Y

7 Atomic Cross-Blockchain Trades
Bob Alice Transaction 1 BPK ,Y= H(?) Alice Bob Transaction 4 BPK Bσ, X Transaction 2 APK ,Y= H(?) Step 1: Alice chooses a random value X and hashes it to get Y and posts Tx 1. Step 2: Bob waits for Tx 1 to be confirmed and then posts Tx 2. Transaction 3 APK Aσ, X Step 3: Alice waits for Tx 2 to be confirmed and then posts Tx 3. Step 4: Bob learns X from Tx 3 and posts Tx 4. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

8 Atomic Cross-Blockchain Trades
Bob Alice Transaction 1 BPK ,Y= H(?) Transaction 4 BPK Bσ, X Transaction 2 APK ,Y= H(?) Transaction 5 APK Transaction 3 APK Aσ, X Transaction 6 BPK X X This is the Tier Nolan Atomic Trade Protocol. What happens if Alice never posts Tx 3? Funds are unspendable! We add an additional spend condition, called a timelock, which refunds coins after a time limit has been reached. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

9 Full Tier-Nolan Atomic Trade Protocol
Bob Alice Transaction 1 BPK ,Y= H(?) Transaction 4 BPK Bσ, X Transaction 2 APK ,Y= H(?) Transaction 5 APK Transaction 3 APK Aσ, X Transaction 6 BPK Refund Trade Happens! Refund Bitcoin has two timelock functions: absolute CLTV (BIP-65) and relative CSV (BIP-112) We will be using CLTV here. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

10 Full Tier-Nolan Atomic Trade Protocol: Timing
Alice’s Refund unlocked Litecoin’s Blockchain Tx 1 Tx 3 Tx 4 Tx3: Alice sig & X Tx4: Bob sig & X Tx 5 Tx 6 Tx6: Bob sig Tx5: Alice sig Tx1 Spend Conditions: 1. Bob Sig & X Or 2. Alice Sig & LTC-Height>205 200 201 202 203 204 205 206 Alice’s timelock must greater than Bob’s ...or she can cheat! Bob’s Refund unlocked Bitcoin’s Blockchain Tx 2 300 301 302 303 304 305 306 Tx2 Spend Conditions: 1. Alice Sig & X Or 2. Bob Sig & BTC-Height>304 Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

11 Full Tier-Nolan Atomic Trade Protocol: Timing
Alice’s Refund unlocked Litecoin’s Blockchain Tx 1 Tx 4 Tx 5 Tx1 Spend Conditions: 1. Bob Sig & X Or 2. Alice Sig & LTC-Height>204 200 201 Tx5: Alice sig 202 203 204 205 206 Tx4: Bob sig & X Alice Hahaha, I stole Alice’s Litecoin!!! Alice’s timelock must greater than Bob’s ...or she can cheat! Bob’s Refund unlocked Bitcoin’s Blockchain Tx 3 Tx3: Alice sig & X Tx 2 300 301 302 303 304 305 306 Tx2 Spend Conditions: 1. Alice Sig & X Or 2. Bob Sig & BTC-Height>304 Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

12 Let’s perform A cross-chain atomic swap

13 Summary: Cross-Chain Atomic Swaps
Alice has Litecoin, wants Bitcoin Bob has Bitcoin, wants Litecoin So… Alice trades Bob 2 LTC for 1 BTC Alice Bob Tier-Nolan Atomic Trades: Enables two parties to trade cryptocurrencies Neither party can cheat each other Timelocks must be carefully selected to ensure Alice can’t cheat Works between any cryptocurrencies that support hashlocks and timelocks Fancier math can remove hashlock requirement Requires four on-blockchain transactions If Alice trusts Bob this can be reduced to two transactions

14 Privacy Tx Tx Atomic Swaps for Privacy: To obfuscate their transaction graph Alice and Bob trade 1 BTC for 1 BTC ...thus, mixing their coins Alice Bob Tx Tx The idea is to break linkages in the transaction graph We will briefly discuss two protocols: Single-transaction CoinJoin and Maxwell’s CoinSwap (Private Atomic Swaps)

15 Simple Two Party CoinJoin Protocol
Alice Bob Transaction 1 Transaction 2 APK BPK Transaction 3 A’PK B’PK Step 2: Alice signs Tx 3 and sends Bob the signature Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Step 1: Alice creates Tx 3 and sends it Bob For privacy Alice and Bob use new public keys. Step 4: Tx 3 is confirmed on the blockchain Privacy Offered: ½ chance of guessing which Tx 3 pubkey is Alice

16 Private Atomic Swaps (Maxwell’s CoinSwap)
Transaction 1 Transaction 2 B’PK, A’PK B’’PK, A’’PK Transaction 6 APK Aσ, X Transaction 5 BPK Bσ, X Transaction 3 B’’σA’’σ Transaction 4 B’σA’σ A’’PK ,Y= H(?) B’PK Transaction 8 B’σA’σ B’PK Transaction 7 B’σA’σ A’’PK Refund Privacy Offered: Only Tx 1, Tx 2, Tx7, Tx8 show up on Blockchain, no linkage. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

17 Privacy Summary Tx Tx Tx Tx Maxwell’s CoinSwaps make Cross-Chain Atomic Swaps indistinguishable ….from four multisig transactions on different blockchains. However they can be correlated by price, timing, network information,... There are several other Atomic Swap based privacy protocols Barber’s Fair Exchange/XIM TumbleBit ...

18 Questions Topics Discussed: Simple trading protocols
Trades that trust one party Atomic Trades that work across one blockchain Cross-Chain Atomic Swaps Hashlocks/Timelocks Tier Nolan Atomic Trade Protocol Privacy Two-party CoinJoin Making Atomic Trades Private

19 Backup slides

20 Backup slides

21 Full Tier-Nolan Atomic Trade Protocol
Bob Alice Transaction 1 BPK ,Y= H(?) Transaction 4 BPK Bσ, X Transaction 2 APK ,Y= H(?) Transaction 5 APK Transaction 3 APK Aσ, X Transaction 6 BPK Refund Trade Happens! Refund Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

22 Full Tier-Nolan Atomic Trade Protocol
Alice’s Refund unlocked Litecoin’s Blockchain Tx 1 Tx 3 Tx 4 Tx3: Alice sig & X Tx4: Bob sig & X Tx 5 Tx 6 Tx6: Bob sig Tx5: Alice sig Tx1 Spend Conditions: 1. Bob Sig & X Or 2. Alice Sig & LTC-Height>205 200 201 202 203 204 205 206 Bob’s Refund unlocked Bitcoin’s Blockchain Tx 2 300 301 302 303 304 305 306 Tx2 Spend Conditions: 1. Alice Sig & X Or 2. Bob Sig & BTC-Height>304 Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

23 Simple Two Party CoinJoin Protocol
Alice Bob Transaction 1 Transaction 2 APK BPK Transaction 3 A’PK B’PK Step 2: Alice signs Tx 3 and sends Bob the signature Step 3: Bob signs Tx 3 and posts Tx 3 to the blockchain Step 1: Alice creates Tx 3 and sends it Bob For privacy Alice and Bob use new public keys. Step 4: Tx 3 is confirmed on the blockchain Privacy Offered: ½ chance of guessing which Tx 3 pubkey is Alice

24 Barber Protocol B’PK, A’PK B’’PK, A’’PK APK Aσ, X BPK Bσ, X B’’σA’’σ
Transaction 1 Transaction 2 B’PK, A’PK B’’PK, A’’PK Transaction 6 APK Aσ, X Transaction 5 BPK Bσ, X Transaction 3 B’’σA’’σ Transaction 4 B’σA’σ A’’PK ,Y= H(?) B’PK Transaction 8 B’σA’σ B’PK Transaction 7 B’σA’σ A’’PK Refund Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

25 Barber et al’s Fair-Exchange Protocol
[0] “Bitter to Better —How to Make Bitcoin a Better Currency”, Barber et al. Transaction 1 Transaction 2 APK BPK Transaction 3 BPK Step 1: Alice signs Tx 3 and posts it to Litecoin’s blockchain Transaction 4 APK X

Download ppt "Atomically Swapping Coins: for Privacy or Cross-Blockchain Trades"

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.

COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.

The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.
Bitcoin (what, why and how?)

Bitcoin (what, why and how?)
1 Bitcoin A Digital Currency. Functions of Money.

1 Bitcoin A Digital Currency. Functions of Money.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.

Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Section #9: Bitcoins. Digital currency Unique string of bits Use cryptography for security and privacy Not tied to names: hard to trace Finite set of.

Section #9: Bitcoins. Digital currency Unique string of bits Use cryptography for security and privacy Not tied to names: hard to trace Finite set of.
Bitcoin’s new Era OP_CSV, Segregated Witness And how it relates to Bitcoin at Visa’s scale.

Bitcoin’s new Era OP_CSV, Segregated Witness And how it relates to Bitcoin at Visa’s scale.
Blockchain Mechanics Terence Spies Crypto Geek HPE.

Blockchain Mechanics Terence Spies Crypto Geek HPE.
Block Chain 101 May 2017.

Block Chain 101 May 2017.
Motivation ✓ ✘ ? Bitcoin/Ideal Credit Card Works on Internet

Motivation ✓ ✘ ? Bitcoin/Ideal Credit Card Works on Internet
Virtual currency? Crypto-currency? Internet Money? Property?

Virtual currency? Crypto-currency? Internet Money? Property?
Bitcoin - a distributed virtual currency system

Bitcoin - a distributed virtual currency system
Distributed Systems for Information Systems Management

Distributed Systems for Information Systems Management
A private and secure cryptocurrency for mobile devices

A private and secure cryptocurrency for mobile devices
Anonymity vs. Privacy Campbell R. Harvey Duke University, NBER and

Anonymity vs. Privacy Campbell R. Harvey Duke University, NBER and

Similar presentations

Ads by Google