From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 6AC71C002D for ; Fri, 9 Sep 2022 21:05:18 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 455BB61025 for ; Fri, 9 Sep 2022 21:05:18 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 455BB61025 Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=gDlrfc7r X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.102 X-Spam-Level: X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uk_LdtNWG9Qv for ; Fri, 9 Sep 2022 21:05:15 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 18C7760F3D Received: from mail-4318.protonmail.ch (mail-4318.protonmail.ch [185.70.43.18]) by smtp3.osuosl.org (Postfix) with ESMTPS id 18C7760F3D for ; Fri, 9 Sep 2022 21:05:15 +0000 (UTC) Date: Fri, 09 Sep 2022 21:05:07 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1662757511; x=1663016711; bh=TslMzmP4MwyLxEsDMsPQOqNlbj8V4bP9kCCz8fe6Jk4=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=gDlrfc7rxFyid5nDTIzPgyzSwvvU79ADPWEFDH69owkLMBu2iN6zWKq29b51j+INW DTBmpMmWbYVR+YooL4lV715dKM8X7Om0viZaFSNV96hZAtfo9znhySUVKaYWkGfESI yG/rT7hwUn6ACAp5sDehfdEcc8JqKTUd63Er/CPgVYT4+sVUHux5xNqFVNx4it1QZS JIr00+Wy6KKlRlC9aEJEb6A0xsaEL5fosEYpM/F/EynSx05GZvD/lz8uO/7ZTY4MLg +ELUTkIq8mviscKDSv/vSRqZCQgUapGaTUtNT8oCNBbM5JmrnzEgfF4dZy/40vLB8N wwq+Y6nuFctQQ== To: alicexbt , Bitcoin Protocol Discussion From: woltx Reply-To: woltx Message-ID: In-Reply-To: References: Feedback-ID: 48616983:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Fri, 09 Sep 2022 22:15:15 +0000 Subject: Re: [bitcoin-dev] joinstr: coinjoin implementation using nostr X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Sep 2022 21:05:18 -0000 Hi /dev/fd0, I've been reviewing joinstr, and if I understand the code correctly, the cr= yptographic scheme mentioned as an alternative to blind signatures isn't im= plemented yet, is it? Currently, it seems that anyone can submit unrelated = inputs and outputs. Perhaps PR #24058 (https://github.com/bitcoin/bitcoin/pull/24058) (basic su= pport BIP-322) can improve this scheme as it implements proof of ownership.= =20 Instead of clients sending descriptors to the relay and then verifying them= using `scantxoutset`, it can send `txid:out` with a message signed with th= e address, verify using `verifymessage` and then use `gettxout` to retrieve= the value. That way, only the owner can send the UTXO. I've done some tests connected to a node with BIP322 enabled: # to send input_txt: str =3D json.dumps(input) result =3D core.signmessage(wallet, input['address'], input_txt) input['signature'] =3D result['result'] nostr_interface.publish_input(input) # to receive def validate_input(input: dict[str, int, str, str]) -> bool: # ... result =3D core.verifymessage(address=3Dinput['address'], message=3Djso= n.dumps(message), signature=3Dinput['signature']) return result['error'] =3D=3D None and result['result'] =3D=3D True ------- Original Message ------- On Saturday, August 20th, 2022 at 1:52 PM, alicexbt via bitcoin-dev wrote: > Hi Max, >=20 > There a few DoS vectors that need to be fixed. Its just a proof of concep= t that I wanted to share with everyone to get feedback which could be impro= ved over time. There is also a warning at the bottom of README to not use t= his on mainnet as it might have bugs. >=20 > I will continue the development with coinjoin transactions on signet for = a few weeks until there is a stable release with no bugs. >=20 > I have a few ideas in mind for various relay types that might be used con= currently to prevent numerous problems. Custom relays are supported by Nost= r. Examples include paying a fee to register for a round, subscribing with = a time limit, or using invite-only relays. I will run a free and open nostr= relay for this project and try to fix the Dos issues before a mainnet vers= ion is released for python script(for nerds) and android app (for all users= ). >=20 > Related links: >=20 > https://github.com/fiatjaf/relayer > https://github.com/fiatjaf/expensive-relay > https://github.com/fiatjaf/relayer/tree/master/whitelisted >=20 > /dev/fd0 >=20 >=20 > Sent with Proton Mail secure email. >=20 >=20 > ------- Original Message ------- > On Saturday, August 20th, 2022 at 10:04 AM, Max Hillebrand max@towardslib= erty.com wrote: >=20 >=20 >=20 > > Great to see an implementation of the idea. > >=20 > > Maybe I misunderstand, but isn't there a vulnerability of denial of ser= vice here? > >=20 > > A user who registers one input will receive the round secret identifier= , and this is all the information required for output registration. However= , that malicious user can now register multiple outputs, providing the same= secret, and nobody can link the malicious outputs to any specific input. T= herefor there cannot be a blame round where the malicious input is removed,= and thus there can be a ongoing free denial of service attack without attr= ibution or defense. > >=20 > > Skol > > Max > >=20 > > On August 20, 2022 10:20:00 AM GMT+02:00, alicexbt via bitcoin-dev bitc= oin-dev@lists.linuxfoundation.org wrote: > >=20 > > > Hi Bitcoin Developers, > > >=20 > > > I have written a python script as proof of concept for the coinjoin i= mplementation using nostr. I used a lot of Python scripts created by others= in school, so it feels nice to offer something that could be useful to oth= ers. > > >=20 > > > The implementation uses Bitcoin Core wallet and RPCs: `listunspent`, = `getnewaddress`, `scantxoutset`, `createpsbt`, `combinepsbt`, `finalizepsbt= ` and `sendrawtransaction`. It requires python-nostr library because nostr = is used for coordination between peers. Nostr is a decentralized network ba= sed on cryptographic keypairs. It is not peer-to-peer however simple and sc= alable. > > >=20 > > > Every step is published as an event using a nostr relay and 5 peers c= oordinate to create, sign and broadcast a coinjoin transaction. I need to w= rite a NIP that would be an alternative to blind signatures. Relay will sha= re a random secret with clients for one round which should be present in ou= tput registration request although never gets published. If someone tries t= o register an output without registering any inputs, request would not have= the number initially shared with inputs so request would get rejected or p= ublished as unverified. Relay would not be able to link inputs and outputs = as the number is same for all inputs in a round and they get registered at = different times with new keys and IP address. Clients can use multiple rela= ys at the same time to avoid trusting one relay. This would result in diffe= rent shared secret number but same process. If a relay tries to cheat, user= s will not sign the transaction and avoid using it in future. > > >=20 > > > Usage: > > >=20 > > > 1)Run `python coinjoin.py` and enter descriptor for one of the inputs= . > > > 2)Script will check inputs for this round in every 30 seconds and reg= ister a new adddress for output once 5 inputs are registered. > > > 3)Similar check happens every 30 seconds for outputs. Last peer shoul= d create a PSBT. > > > 4)Unsigned PSBT will be printed and signed by wallet with `walletproc= esspsbt` RPC. > > > 5)Script will check signed PSBTs and last peer to sign should finaliz= e coinjoin transaction once 5 signed PSBTs are received. > > > 6)Coinjoin transaction will be broadcasted and txid will printed. > > >=20 > > > Example: > > >=20 > > > ``` > > > List of utxos in wallet: > > >=20 > > > wpkh([53830dca/84'/1'/0'/0/0]02449be5fb74725255eeeb50eba930fa87705f21= e99d13cd710cf2c1f21153c808)#x2hyyeg5 > > >=20 > > > Enter descriptor for the input registration: wpkh([53830dca/84'/1'/0'= /0/0]02449be5fb74725255eeeb50eba930fa87705f21e99d13cd710cf2c1f21153c808)#x2= hyyeg5 > > >=20 > > > event id: bcbbe62d75d99fed73f1e50ac58a38d1840b658951893e63c0322b378d7= d56f0 > > >=20 > > >=20 > > > tb1qhxrp4zl54ul0twtyz0gury5399q7z0kvqqrl6m registered for output > > >=20 > > > event id: 9449c9065bef356d21507a98f88b028b17fc1c49eb195c8d4420604fcaa= ef041 > > >=20 > > > Unsigned PSBT: cHNidP8BAP1yAQIAAAAFtMaoJYcXvOG5L3Yaz3YyS7gIt4h5/zzOrR= RS3hrVvwoAAAAAAP////+o83geaSm4L76KToIUl5MiZqLAUbIDJLq6DWrjP/3b8AEAAAAA/////= zEF3CXIvVHpIa7No1s1yg+KtyOfXTRSyWnOdXMfzcDwAQAAAAD/////wMa4XAgnU+39Ien+KG9r= Ytv8bLMNYakmZyY/QFfwLRcAAAAAAP/////5M42ID6uLmQTb2tnFHnN7UMpnDD25uN8ZX7A+GNS= M3QEAAAAA/////wV4xwEAAAAAABYAFLmGGov0rz71uWQT0cGSkSlB4T7MeMcBAAAAAAAWABSc0/= FM6Hdbdxh10IJkYOklVFWqjnjHAQAAAAAAFgAUPSZKe/w6PT6qIF+WhL4wHaFymjd4xwEAAAAAA= BYAFMx0rxYlpPWB3NFry4Ctk2eVi/UNeMcBAAAAAAAWABSzc4xK0VTfvjK0MHXrAUFLYgYnOgAA= AAAAAAAAAAAAAAAAAA=3D=3D > > >=20 > > > event id: 976744b38fa9343fb79e1b5215512ead6ee08e5890d79a201fc5b872f6d= e4eba > > >=20 > > > Signed PSBT: cHNidP8BAP1yAQIAAAAFtMaoJYcXvOG5L3Yaz3YyS7gIt4h5/zzOrRRS= 3hrVvwoAAAAAAP////+o83geaSm4L76KToIUl5MiZqLAUbIDJLq6DWrjP/3b8AEAAAAA/////zE= F3CXIvVHpIa7No1s1yg+KtyOfXTRSyWnOdXMfzcDwAQAAAAD/////wMa4XAgnU+39Ien+KG9rYt= v8bLMNYakmZyY/QFfwLRcAAAAAAP/////5M42ID6uLmQTb2tnFHnN7UMpnDD25uN8ZX7A+GNSM3= QEAAAAA/////wV4xwEAAAAAABYAFLmGGov0rz71uWQT0cGSkSlB4T7MeMcBAAAAAAAWABSc0/FM= 6Hdbdxh10IJkYOklVFWqjnjHAQAAAAAAFgAUPSZKe/w6PT6qIF+WhL4wHaFymjd4xwEAAAAAABY= AFMx0rxYlpPWB3NFry4Ctk2eVi/UNeMcBAAAAAAAWABSzc4xK0VTfvjK0MHXrAUFLYgYnOgAAAA= AAAQBxAgAAAAG+qpMXZCy6tBuUlgo8JD0GVXKp60FkhwDeg2sF1fkFkwMAAAAA/f///wLo9wEAA= AAAABYAFFfLA5xarC/w/SxeMDQ5tuXrYJLUWwMAAAAAAAAWABRfPf//hwMjHB4OKj87cU19XOSh= 7yOWAQABAR/o9wEAAAAAABYAFFfLA5xarC/w/SxeMDQ5tuXrYJLUAQhrAkcwRAIgOIhLoC5348U= 8YkEr4GU1K4yWskIOEXgW4Wsk/W2cR7ICIEJXqtOuDJ5CkwrSuwJLWtzab4dslbN3KuL/pyooMn= OCASECRJvl+3RyUlXu61DrqTD6h3BfIemdE81xDPLB8hFTyAgAAAAAACICA77Cnd6o3kr0yc+91= eabpOn5igs/MUMbudNYSS6oyMWMGFODDcpUAACAAQAAgAAAAIAAAAAAFAAAAAAAAAAA > > >=20 > > > event id: 5846b6e6902f3c5a43496d7d9785ed62444aa74963f03c33d637d8b09ee= 7a139 > > >=20 > > > Coinjoin tx: 75e490b10b15a6a0422f25ff66ad98ef70390c8fecaac02712705dce= 8cc3564b > > >=20 > > > event id: 9b5d4bf279b59e2b6e539e683fba83da72dce2b640360aa95db1b1400be= 93190 > > > ``` > > >=20 > > > There are lot of things that could be improved and a few suggestions = are in the gist that described the idea. I would love read to any opinions = about this experiment and will start working on creating an Android app for= joinstr next week. > > >=20 > > > Credits: > > >=20 > > > - fiatjaf (Nostr) > > > - Andrew Chow (PSBT) > > > - Jeff Thibault (python-nostr) > > > - Existing coinjoin implmentations > > >=20 > > > /dev/fd0 > > >=20 > > > Sent with Proton Mail secure email. > > >=20 > > > bitcoin-dev mailing list > > > bitcoin-dev@lists.linuxfoundation.org > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >=20 > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev