3

Say you would like to atomically swap Bitcoins with a counterparty, without an obvious on-chain link such as a hash pre-image used in an HTLC-like Bitcoin Script.

The constructions I am aware of proceed to fund two 2-of-2 multisig outputs that will later be claimed by the respective counterparty, with some magic to make the claiming of the two outputs atomic.

A common property of such constructions is that they need "deep" access to the private keys involved:

  • In the case of CoinSwap, the private keys are exchanged between counterparties (in the privacy-preserving case where the hash pre-image never hits the blockchain)

  • In the case of Adaptor Signatures, access to the raw private keys is also necessary to compute the adaptor signature offsets (s = s' - t in the linked document)

Are there any similar protocols that can work if the private keys are inaccessible and only the public keys and signatures over provided messages are available, think a hardware wallet?

In the case of asymmetric protocols, it would already be interesting if only one of the two parties needs access to raw private keys.

Vojtěch Strnad
  • 5,623
  • 1
  • 8
  • 31
Dominik Spicher
  • 205
  • 1
  • 4

1 Answers1

1

From what it sounds like you are asking for a protocol that doesn't require the output to be locked to a key specific to the (current) protocol users (so it is locked to a proof that has no concept of a third or secret shared key at least).

I believe the reason this does not exist comes down to a few factors:

  1. It would force the UTXO to be locked to a preimage in which anyone who knows could spend, instead of this being locked to a preimage in which only the receiving public key (who has learned the new preimage) can spend. (atomic double-spend attack vector, can be 'swapped' with anyone at the same time)
  2. It would force the hardware wallet user to use private key data from their real private key instead of a temporary one which is generally used for the atomic swaps (like coinswap). This means if the protocol they use is insecure they could leak their real private key. (maybe a bit of a stretch I guess)
  3. Secret sharing is how the atomicity is preserved. If there is no secret to be shared from my perspective there is no way for a party to convince you that they cannot cheat. If they remain in control of the secret knowledge and require you to spend with just one proof of that secret, it is highly possible for them to generate more valid proofs which could then be used to spend regardless if you have one valid signature for it.

You need an extra DL that is specific to the current swap or else such a signature could be reused by anyone knowing their own keys. If, for example, you reuse the same DL for two different swaps you open up tons of double spend vectors to your counter-parties as soon as they see the same proof hit the blockchain again.

Another note: your hardware wallet does not necessarily need to hold on to these keys at any point it really just needs to sign a transaction that proves one of the keys. Generally all of the transaction metadata is not held on the HW anyway, so in this case the extra private key is just transaction metadata in some sense.

Poseidon
  • 599
  • 2
  • 20