Hi ZmnSCPxj,

>If the shortened refund transaction exists (labeled "refund transaction #1" in the SVG) then the same issue still occurs 

Yes, but there is one crucial difference: at that point in the protocol (Bob has the success transaction and then stops cooperating) Alice and Bob both had the opportunity not to take that path. Bob could have sent the success transaction, and Alice could have waited and sent the revoke transaction. They would essentially be "colluding" to fail.

>Without the refund#1 in your proposal, Bob refusing cooperation after Alice puts the BTC into lock for 3 days and 2 further onchain transactions

I'm not sure if I correctly understood what you're saying, but it's as follows:

Refund #1 can only safely be used before the signed success tx is given to Bob. The cost to Alice at this point if Bob aborts is two on-chain transactions while Bob hasn't put anything on-chain yet.

Refund #2 needs to be used after Bob receives the signed success tx. The cost to Alice is now three transactions, but Bob also went-on-chain by this point, so causing this wasn't costless to Bob and is thus a similar failure mode.

>my formulation allows any of the result transactions to be CPFP directly by their beneficiaries  

Yes, that is indeed very nice. The way I set it up, insufficient fees can unfortunately cause delays, but they should not be able to cause losses.

>there is still an onlineness requirement in case Bob does not complete the protocol

Yes, that is very much the design. Alice needs to be on time with claiming her refund (and revealing her secret), otherwise Bob takes it.

>I have not seen the 2-tx variant video yet, as I prefer to read than listen

The video is not required, it just restates what is in the write-up. I personally find it easier to understand concepts from video, but I seem to be in the minority when I ask other devs about this. But let me reiterate one part you might be confused about (though you probably mostly get it already):

The online requirement I was alluding to doesn't expire, and is specifically how the 2 tx SAS protocol is performed. Bob never broadcasts the success transaction (unless he prefers not to have to be online, i.e. the 3 tx SAS protocol) and instead Alice and Bob swap their keys: first Bob hands over secretAlice, then Alice hands over her key. Now the swap is complete, but Bob has to remain online to make sure Alice never attempts to broadcast her refund tx. It doesn't expire either because of the relative timelocks.

Just take a look at the slide 6m8s into the video: https://youtu.be/TlCxpdNScCA?t=6m8s

I also agree with your observation that alternatively Bob can just spend before the timelock expires.

>Regardless, the overall protocol of using 3 clauses in the swap, and reusing the privkey as the payment secret demanded by the pointlocks, is still a significant innovation.

I'm glad you like it :) 

>In the context of CoinSwap, a proposal is that a CoinSwap server would provide swapping service to incoming clients.

That is an excellent use case that takes good advantage of the asymmetry of SAS. I completely agree with your observation that the "Bob" side is perfect for servers (online and/or spending again soon) and the "Alice" side is perfect for clients (settled in 1 tx). I similarly hope that this may pave the way for a practical implementation of Payswap between merchants and customers!

Cheers,
Ruben

On Tue, May 12, 2020 at 5:06 PM ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
Good morning Ruben,

> >Would this not work?
>
> I considered and rejected that model for the following reason: there are moments where both Alice and Bob can claim the BTC. If they both attempt to do so, it also reveals both secrets, causing the LTC to also be claimable by both parties. This chaotic scenario is a failure mode that did not seem acceptable to me. The revoke transaction was specifically added to mitigate that issue (invalidating any attempt of Bob to claim the coins and reveal his secret). That said, it doesn't particularly seem in either party's interest wait until a moment where two timelocks become valid, so maybe it is not quite as bad as I thought. However, it still means that the incompetence/malevolence of one party can lead to losses for both parties. I have my doubts a gain in privacy in the uncooperative case is worth that risk.
>
> Of course it also reverts the protocol to 3 transactions, instead of 2, but regardless, not having to watch the chain is probably more practical in many cases. As an aside, if both chains support timelocks then we can ensure that the more expensive chain only receives one transaction.

If the shortened refund transaction exists (labeled "refund transaction #1" in the SVG) then the same issue still occurs: after 1 day it is possible for either success or refund#1 to be broadcasted, leading to revelation of both secrets, leading to the same failure mode you described.

Without the refund#1 in your proposal, Bob refusing cooperation after Alice puts the BTC into lock for 3 days and 2 further onchain transactions (with the refund#2 transaction being relative-locked, meaning it cannot be used to CPFP the revoke transaction; my formulation allows any of the result transactions to be CPFP directly by their beneficiaries).

It seems to me that there is still an onlineness requirement in case Bob does not complete the protocol: once the revoke tx becomes valid an online Bob can cheat an offline Alice by broadcasting the revoke tx (which, if my understanding of the protocol is correct, the signatures are shared to both Alice and Bob).
So Alice needs to be online starting at 2 days to 3 days in order to ensure it reclaims it funds.

I have not seen the 2-tx variant video yet, as I prefer to read than listen, but I will also check it if I can find an opportunity.

Regardless, the overall protocol of using 3 clauses in the swap, and reusing the privkey as the payment secret demanded by the pointlocks, is still a significant innovation.



In the context of CoinSwap, a proposal is that a CoinSwap server would provide swapping service to incoming clients.
Using my counterproposal, the Bob position can be taken by the server and the Alice position taken by the client.
In this context, the L1 can be made reasonably close in the future and L2 far in the future, in which case Alice the client can be "weakly offline" most of the time until L2, and even in a protocol abort would be able to recover its funds.
If the protocol completes, the server Bob can claim its funds before L1, and (with knowledge of Alice[0]) can immediately put it in a new funding tx for a new incoming client before L1, which is a fine tradeoff for server Bob since presumably Bob is always online.

Regards,
ZmnSCPxj