Understanding the challenges of other advanced confidentiality techniques
Secret transfers of ownership
- The coinswap
- Adaptor Signatures
- Atomic swap
- Is it really useful?
Another of Bitcoin's confidentiality techniques is the secret transfer of ownership. This method aims to transfer ownership of Bitcoins from one person to another, and vice versa, without the transaction being explicitly visible on the blockchain. Let's examine the various techniques available, along with their advantages and disadvantages.
The coinswap
Coinswap is based on a relatively simple concept: it uses smart contracts to transfer bitcoin ownership between two users without requiring trust, while keeping the transfer invisible on the blockchain.
Let's imagine a simple example with Alice and Bob. Alice holds 1 BTC secured with private key , and Bob also holds 1 BTC secured with private key . They could theoretically exchange their private keys via an external communication channel to carry out a secret transfer.
However, this naive method presents a high risk in terms of trust. There's nothing to stop Alice from keeping a copy of the private key after the exchange and using it later to steal the bitcoins, once the key is in Bob's hands.
Furthermore, there is no guarantee that Alice, once she has received Bob's private key , will transmit her private key in exchange. This exchange therefore relies on massive trust between the parties and proves ineffective for ensuring a secret transfer of ownership in a secure manner.
To solve these problems and enable exchanges between parties that don't trust each other, we will use smart contract systems instead. A smart contract is a program that executes automatically when predefined conditions are met. In our case, this ensures that the exchange of property occurs automatically, without requiring mutual trust.
This can be achieved using HTLC (Hash Time-Locked Contracts) or PTLC (Point Time-Locked Contracts). These two protocols operate in a similar manner, utilizing a time-locking system that ensures the exchange is either completed successfully or canceled entirely, thereby protecting the integrity of both parties' funds. The main difference between HTLC and PTLC is that HTLC utilizes hashes and preimages to secure the transaction, whereas PTLC employs Adaptor Signatures.
In a coinswap scenario using HTLC or PTLC between Alice and Bob, the exchange takes place securely: either it succeeds and each receives the other's BTC, or it fails and each keeps their own BTC. This makes it impossible for either party to cheat or steal the other's BTC.
HTLC is also the mechanism used to securely route payments through the Lightning Network's bidirectional channels. The use of Adaptor Signatures is particularly interesting in this context, as it makes it possible to dispense with traditional scripts (a mechanism sometimes referred to as "scriptless scripts"). This feature reduces the costs associated with the exchange. Another major advantage of Adaptor Signatures is that they do not require a common hash to be shared by both legs of the transaction, thus avoiding a directly observable link between them in certain types of exchange.
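The following is an added Python simulation, not code from the article, of the two-outcome behaviour described above for an HTLC-based coinswap. The timeout heights (100 and 200), the participant names and the preimage are constructed for the example. It also makes the confidentiality caveat concrete: both legs of the swap are locked to the same hash, so an observer who sees both outputs can pair them.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class HTLC:
    """Simulated hash time-locked output: the receiver spends it with the preimage,
    or the funder reclaims it after the timeout. Exactly one path can ever be taken."""

    def __init__(self, funder, receiver, hash_lock, timeout_height):
        self.funder, self.receiver = funder, receiver
        self.hash_lock, self.timeout_height = hash_lock, timeout_height
        self.spent = None  # (path, spender) once spent

    def claim(self, spender, preimage):
        if self.spent or spender != self.receiver or sha256(preimage) != self.hash_lock:
            return False
        self.spent = ("claim", spender)
        return True

    def refund(self, spender, current_height):
        if self.spent or spender != self.funder or current_height < self.timeout_height:
            return False
        self.spent = ("refund", spender)
        return True


def htlc_coinswap(alice_cooperates, secret=b"constructed preimage known only to Alice"):
    """Run one HTLC coinswap; returns how each leg was spent and what an observer sees."""
    h = sha256(secret)
    # Both legs are locked to the same hash h. Bob's leg times out first (constructed
    # heights) so he is never left funding an output Alice could still claim after his refund.
    htlc_a = HTLC(funder="alice", receiver="bob", hash_lock=h, timeout_height=200)
    htlc_b = HTLC(funder="bob", receiver="alice", hash_lock=h, timeout_height=100)

    if alice_cooperates:
        # Alice claims Bob's leg; doing so publishes the preimage, which Bob reuses on Alice's leg.
        htlc_b.claim("alice", secret)
        revealed_preimage = secret
        htlc_a.claim("bob", revealed_preimage)
    else:
        # Alice never reveals: no claim path opens, and both refunds work once their timeouts pass.
        htlc_b.refund("bob", current_height=100)
        htlc_a.refund("alice", current_height=200)

    return {
        "leg_a": htlc_a.spent,
        "leg_b": htlc_b.spent,
        # The caveat from the text: the shared hash lets an observer pair the two outputs.
        "observer_links_legs": htlc_a.hash_lock == htlc_b.hash_lock,
    }


def misuse_checks():
    """Edge cases: wrong preimage, premature refund and a second spend are all rejected."""
    lock = HTLC("alice", "bob", sha256(b"x"), timeout_height=50)
    wrong_preimage = lock.claim("bob", b"y")
    early_refund = lock.refund("alice", current_height=10)
    good_claim = lock.claim("bob", b"x")
    spend_after_spent = lock.refund("alice", current_height=999)
    return (wrong_preimage, early_refund, good_claim, spend_after_spent)


if __name__ == "__main__":
    print(htlc_coinswap(True))
    print(htlc_coinswap(False))
```

Run with cooperation and the preimage revealed on Bob's leg is exactly what lets Bob claim Alice's leg; run without it and both sides end up refunded. In either case `observer_links_legs` is true, which is the property that PTLC with Adaptor Signatures removes.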
Adaptor Signatures
Adaptor Signatures are a cryptographic method that integrates a valid signature with an additional signature, called the "adaptor signature", to reveal secret data. This mechanism is designed in such a way that knowledge of two of the three following elements — a valid signature, an adaptor signature, and a secret — allows us to deduce the missing third element. An interesting property of this method is that, if we know our peer's adaptor signature and the specific point on the elliptic curve associated with the secret used to calculate that adaptor signature, we can derive our own adaptor signature that will be compatible with that same secret, without ever having direct access to the secret itself.
In a coinswap, the use of Adaptor Signatures enables the simultaneous disclosure of two pieces of sensitive information between participants, thus avoiding the need for mutual trust. Let's take an example to illustrate this process with Alice and Bob, who wish to exchange possession of 1 BTC each, but don't trust each other. They use Adaptor Signatures to eliminate the need for trust in this exchange. Here's how they do it:
- Alice initiates the exchange by creating a transaction that sends 1 BTC to Bob. She generates a signature , which validates this transaction, using her private key ( ), a nonce ( ) and a secret ( ):
- Alice calculates the adaptor signature by subtracting the secret from her true signature :
- Alice sends Bob her adaptor signature , her unsigned transaction , the point corresponding to the secret ( ), and the point corresponding to the nonce ( ). These elements constitute what is known as an "adaptor". It's important to note that, with only this information, Bob can't recover Alice's BTC.
- However, Bob can check that Alice is not trying to steal from him. To do this, he checks whether Alice's adaptor signature actually corresponds to the proposed transaction . If the following equation holds, then he can be sure that Alice's adaptor signature is valid:
- This verification gives Bob sufficient guarantees to continue the exchange with confidence. He then creates his own transaction , intended to send 1 BTC to Alice, and generates his adaptor signature , which will also be linked to the same secret . At this stage, only Alice knows the value of ; Bob only knows the corresponding point that Alice has transmitted to him:
- Bob sends Alice his adaptor signature , his unsigned transaction , as well as the point corresponding to the secret ( ) and the point corresponding to the nonce ( ). Alice, who knows the secret , can now combine Bob's adaptor signature with this secret to generate a valid signature for the transaction that will transfer Bob's BTC to her:
- Alice broadcasts this signed transaction on the Bitcoin blockchain to retrieve the BTC promised by Bob. When Bob sees this transaction on the blockchain, he can extract the signature . With this information, Bob is then able to isolate the secret he needed:
- This secret was the only element missing for Bob to generate the valid signature from Alice's adaptor signature . This signature validates the transaction that sends 1 BTC from Alice to Bob. Bob then calculates it and broadcasts the transaction on the blockchain:
Let's summarize how an Adaptor Signature works in a coinswap. Initially, Alice sends Bob an unsigned transaction accompanied by an adaptor, enabling Bob to verify that the secret revealed later will give him access to bitcoins. In return, Bob sends Alice his own unsigned transaction and adaptor. Alice can then finalize Bob's transaction and retrieve the bitcoins by broadcasting a valid transaction thanks to the secret. When this transaction is published on the blockchain, Bob has the ability to extract the secret and thus unlock Alice's transaction. Consequently, if Alice initiates a transfer of Bob's bitcoin, Bob can, in turn, access Alice's bitcoin without requiring mutual trust.
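The following is an added, self-contained Python walkthrough of the eight steps above; it is not code from the article. It implements secp256k1 arithmetic directly and a simplified Schnorr scheme (not BIP340: no x-only keys, no tagged hashes) in which the challenge commits to the combined nonce R + T. Alice's true signature is s = r + t + e·x, her adaptor is s' = s - t, Bob checks s'·G = R + e·P, Alice completes Bob's adaptor with t, and Bob recovers t = s - s' from the published signature. Function names, the "transaction" byte strings and all scalars are constructed for the example.

```python
import hashlib
import secrets

# secp256k1 parameters: field prime, group order, generator.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x3 = (lam * lam - a[0] - b[0]) % P
    return (x3, (lam * (a[0] - x3) - a[1]) % P)


def scalar_mult(k, point=G):
    """Double-and-add computation of k*point."""
    result, addend = None, point
    k %= N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(point):
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")


def challenge(r_total, pub, msg):
    """Schnorr challenge e = H(R_total || P || m), where R_total = R + T."""
    return int.from_bytes(hashlib.sha256(encode(r_total) + encode(pub) + msg).digest(), "big") % N


def verify_schnorr(s, r_total, pub, msg):
    """Ordinary Schnorr verification: s*G == R_total + e*P."""
    e = challenge(r_total, pub, msg)
    return scalar_mult(s) == point_add(r_total, scalar_mult(e, pub))


def make_adaptor(x, r, t_point, msg):
    """Adaptor s' = r + e*x bound to the secret point T; the signer never needs t. Returns (s', R)."""
    r_point = scalar_mult(r)
    e = challenge(point_add(r_point, t_point), scalar_mult(x), msg)
    return (r + e * x) % N, r_point


def verify_adaptor(s_adapt, r_point, t_point, pub, msg):
    """Counterparty check: s'*G == R + e*P, with e committing to R + T."""
    e = challenge(point_add(r_point, t_point), pub, msg)
    return scalar_mult(s_adapt) == point_add(r_point, scalar_mult(e, pub))


def complete(s_adapt, t):
    """s = s' + t turns the adaptor into a valid signature."""
    return (s_adapt + t) % N


def extract_secret(s_full, s_adapt):
    """t = s - s': the broadcast signature reveals the secret to whoever holds s'."""
    return (s_full - s_adapt) % N


def run_coinswap():
    """The Alice/Bob exchange from the text; returns the checks each side performs."""
    rand = lambda: secrets.randbelow(N - 1) + 1
    x_a, x_b, r_a, r_b, t = rand(), rand(), rand(), rand(), rand()
    pub_a, pub_b, t_point = scalar_mult(x_a), scalar_mult(x_b), scalar_mult(t)
    tx_a = b"constructed: Alice pays 1 BTC to Bob"   # stands in for the unsigned transaction
    tx_b = b"constructed: Bob pays 1 BTC to Alice"
    # Alice: true signature with nonce r_a + t, then subtract t to obtain the adaptor.
    r_a_point = scalar_mult(r_a)
    s_a = (r_a + t + challenge(point_add(r_a_point, t_point), pub_a, tx_a) * x_a) % N
    s_a_adapt = (s_a - t) % N
    # Bob verifies the adaptor before committing anything; a tampered one must fail.
    bob_ok = verify_adaptor(s_a_adapt, r_a_point, t_point, pub_a, tx_a)
    tampered_rejected = not verify_adaptor((s_a_adapt + 1) % N, r_a_point, t_point, pub_a, tx_a)
    # Bob builds his own adaptor on the same T without ever learning t.
    s_b_adapt, r_b_point = make_adaptor(x_b, r_b, t_point, tx_b)
    # Alice completes Bob's adaptor with t and broadcasts; s_b is now public.
    s_b = complete(s_b_adapt, t)
    alice_sig_ok = verify_schnorr(s_b, point_add(r_b_point, t_point), pub_b, tx_b)
    # Bob extracts t from the on-chain signature and completes Alice's adaptor.
    t_recovered = extract_secret(s_b, s_b_adapt)
    s_a_final = complete(s_a_adapt, t_recovered)
    bob_sig_ok = verify_schnorr(s_a_final, point_add(r_a_point, t_point), pub_a, tx_a)
    return {
        "bob_verified_alice_adaptor": bob_ok,
        "tampered_adaptor_rejected": tampered_rejected,
        "alice_sig_on_bob_tx_valid": alice_sig_ok,
        "bob_recovered_secret": t_recovered == t,
        "bob_sig_on_alice_tx_valid": bob_sig_ok,
    }


if __name__ == "__main__":
    print(run_coinswap())
```

The point worth noticing is that Bob's adaptor is built from the point T alone, and that nothing about t leaks until Alice chooses to spend: the moment she does, the secret is on the blockchain for Bob to read, which is what removes the need for trust.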
Note that coinswaps were first proposed by Gregory Maxwell in October 2013 on BitcoinTalk.
Atomic swap
Similar to coinswap and using the same types of smart contracts, it is also possible to carry out atomic swaps. An atomic swap enables the direct exchange of different cryptocurrencies, such as BTC and XMR, between two users without requiring trust or the intervention of an intermediary. These exchanges are termed "atomic" because they have only two possible outcomes: either the swap is successful and both parties are satisfied, or it fails and each retains their original cryptocurrencies, eliminating the need to trust the other party.
Atomic swap and coinswap share a similar process and offer the same advantages and disadvantages in terms of confidentiality. Indeed, from Bitcoin's perspective, an atomic swap is comparable to a coinswap carried out in two stages. First, we exchange our BTC for another cryptocurrency, then this cryptocurrency can be exchanged for other BTC. In the end, we recover another user's BTC. This is why, in the analysis of confidentiality issues, I group these two protocols under the category of secret transfers of ownership.
Beware, however, that unlike coinswap, atomic swap can have imbalances in terms of available liquidity, particularly in BTC/XMR exchanges. It's generally easier to swap bitcoins for altcoins, as there's strong demand for bitcoins, which keeps premiums low for this conversion direction. However, exchanging altcoins for BTC can be more complex due to lower demand, often resulting in very high premiums.
Finally, when an atomic swap involves on-chain bitcoins and bitcoins on the Lightning Network, it is referred to as a "submarine swap."
Is it really useful?
Secret transfers of ownership, such as coinswaps and atomic swaps, have the advantage of evading chain analysis heuristics. They lead those heuristics to suggest that the transactions involve the same user, whereas ownership has actually changed hands. However, the main drawback of these methods is that they are very risky without an additional technique to break the coin's history.
Indeed, when Alice performs a coinswap or atomic swap with Bob, she exchanges possession of her bitcoins with those of Bob. In the case of an atomic swap, the exchange includes an altcoin, but the principle remains the same. Thus, Alice ends up with the coin and Bob with the coin. This raises doubts about the chain analysis, but the history of the coins remains traceable. If an analyst examines UTXO , they can trace Alice's previous activities, and vice versa for UTXO .
From Alice's point of view, the risk is that the history of the coin could be considered suspicious by certain entities. For example, if Bob had acquired the coin through a criminal act, such as hacking, the coin would remain linked to his illegal activities. Alice could then find herself in possession of a coin that she could not transfer to regulated exchange platforms without risking having her funds frozen or even being accused of Bob's crimes, even though she had nothing to do with them.
Inevitably, confidentiality methods such as coinswaps or atomic swaps are favoured by criminals whose funds are under surveillance by the authorities. These protocols enable them to dispose of their surveilled bitcoins in exchange for perfectly fungible ones, and also to create a diversion by directing the authorities towards other users. For these people, the protocols therefore serve a dual purpose.
With coinjoin, even if your coin is mixed with monitored bitcoins, the coin's history is broken, providing a form of plausible deniability that is non-existent in secret ownership transfer protocols like coinswap or atomic swap.
If Alice wishes to avoid any risk, she must necessarily use a method to break the history of the coin, such as passing it through coinjoins. This raises a question about the usefulness of combining the secret transfer of ownership and the coinjoin. The coinjoin, by breaking a coin's history, already offers a sufficient level of confidentiality for Alice. Thus, my opinion is that if Alice is looking to protect her privacy, it would be wiser to proceed directly to a coinjoin rather than engage in a coinswap followed by a coinjoin.
For secret ownership transfer methods to be truly effective and avoid the risk of linking one user's history to another user, it would paradoxically be necessary for their use to be widely known. If coinswap were used massively and the authorities were aware of this common practice, then a form of plausible deniability could be established. However, as long as the use of these transfers remains marginal, I think these methods will remain too risky for users.
Up to now, we have primarily studied confidentiality methods at the transaction level. In the next chapter, we examine issues at the network level and transaction propagation.
Quiz
What is the main goal of a coinswap?