📅 Original date posted:2019-07-30
📝 Original message:On 27/07/2019 20:34, David A. Harding wrote:
>
> Timelocking bitcoins, especially for long periods, carries some special
> risks in Bitcoin:
>
> 1. Inability to sell fork coins, also creating an inability to influence
> the price signals that help determine the outcome of chainsplits.
>
> 2. Possible inability to transition to new security mechanisms if
> a major weakness is discovered in ECC or a hash function.
>
Far future locks are problematic. In my proposal I've only considered
locked coins for only 6 months because of exactly these reasons. The
market competition between airdrops should still exist after 6 months so
lockers will still get a chance to sell their airdrops. And any
ECC-alternative or hash-function-alternative fork will probably take a
couple of months to be designed, implemented and deployed as well,
giving a chance for lockers to move coins.
> An alternative to timelocks might be coin age---the value of a UTXO
> multiplied by the time since that UTXO was confirmed. Coin age may be
> even harder for an attacker to acquire given that it is a measure of
> past patience rather than future sacrifice. It also doesn't require
> using any particular script and so is flexible no matter what policy the
> coin owner wants to use (especially if proof-of-funds signatures are
> generated using something like BIP322).
I'm becoming more and more convinced that coin age is also a valid
method of proving a sacrifice. Using coin age also has a benefit that
less block space is used, because using timelocks requires a new
on-chain transaction to be made every 6 months or whatever the locking
period is.
Perhaps JoinMarket should accept all three methods of proving a
sacrifice: burning, timelocking and aging. I could imagine that makers
would first lock coins for 6 months to create a fidelity bond they could
immediately use, and after the timelock expires leave that coin unspent
and use its age as the fidelity bond.
For what its worth, I mostly considered burning coins because the maths
for it is easy (the value of such a bond is just V^2), and because it
provides a boundary condition (locking up coins for infinity time is the
same as burning them). I doubt anybody will actually do it in practice.
> - BIP158 users who have saved their past filters to disk can use them to
> determine which blocks subsequent to the one including the UTXO may
> contain a spend from it. However, since a UTXO can be spent in the
> same block, they'd always need to download the block containing the
> UTXO (alternatively, the script could contain a 1-block CSV delay
> ensuring any spend occurred in a later block). If BIP158 filters
> become committed at some point, this mechanism is upgraded to SPV-level
> security.
This scheme could be attacked using address reuse. An attacker could
create an aged coin on a heavily-reused address, which would force an
SPV client using this scheme to download all the blocks which contain
this reused address which could result in many gigabytes of extra
download requirement.
So to fix this: a condition for aged coins is that their address has not
been reused, if the coin is on a reused address then the value of the
fidelity bond becomes zero.
Chris Belcher [ARCHIVE] /
npub1ek…lnm2u
2023-06-07 20:19:44
in reply to nevent1q…kzsa
Author Public Key
npub1ekvnqhww3aagwuj9t55dgj5y29u8cxdjllfv3vgppt8vc0zljhrs6lnm2uSeen on
wss://relay.noswhere.comPublished at
2023-06-07 20:19:44Event JSON
{
"id": "95d8f12385ce3c314ce2626b272c898140cd754d707b905179af2ff0d75c3079",
"pubkey": "cd99305dce8f7a8772455d28d44a8451787c19b2ffd2c8b1010acecc3c5f95c7",
"created_at": 1686161984,
"kind": 1,
"tags": [
[
"e",
"e5951fd065af963dd1caf477c2dc7ac75e75b8c5de9df2bf7554616176c13878",
"",
"root"
],
[
"e",
"89688edac51023a334a371f70ff1b17e5c7347be6d48bd49675ae710bc92f156",
"",
"reply"
],
[
"p",
"c632841665fccdabf021322b1d969539c9c1f829ceed38844fea24e8512962d7"
]
],
"content": "📅 Original date posted:2019-07-30\n📝 Original message:On 27/07/2019 20:34, David A. Harding wrote:\n\u003e \n\u003e Timelocking bitcoins, especially for long periods, carries some special\n\u003e risks in Bitcoin:\n\u003e \n\u003e 1. Inability to sell fork coins, also creating an inability to influence\n\u003e the price signals that help determine the outcome of chainsplits.\n\u003e \n\u003e 2. Possible inability to transition to new security mechanisms if\n\u003e a major weakness is discovered in ECC or a hash function.\n\u003e \n\nFar future locks are problematic. In my proposal I've only considered\nlocked coins for only 6 months because of exactly these reasons. The\nmarket competition between airdrops should still exist after 6 months so\nlockers will still get a chance to sell their airdrops. And any\nECC-alternative or hash-function-alternative fork will probably take a\ncouple of months to be designed, implemented and deployed as well,\ngiving a chance for lockers to move coins.\n\n\n\u003e An alternative to timelocks might be coin age---the value of a UTXO\n\u003e multiplied by the time since that UTXO was confirmed. Coin age may be\n\u003e even harder for an attacker to acquire given that it is a measure of\n\u003e past patience rather than future sacrifice. It also doesn't require\n\u003e using any particular script and so is flexible no matter what policy the\n\u003e coin owner wants to use (especially if proof-of-funds signatures are\n\u003e generated using something like BIP322).\n\nI'm becoming more and more convinced that coin age is also a valid\nmethod of proving a sacrifice. Using coin age also has a benefit that\nless block space is used, because using timelocks requires a new\non-chain transaction to be made every 6 months or whatever the locking\nperiod is.\n\nPerhaps JoinMarket should accept all three methods of proving a\nsacrifice: burning, timelocking and aging. I could imagine that makers\nwould first lock coins for 6 months to create a fidelity bond they could\nimmediately use, and after the timelock expires leave that coin unspent\nand use its age as the fidelity bond.\n\nFor what its worth, I mostly considered burning coins because the maths\nfor it is easy (the value of such a bond is just V^2), and because it\nprovides a boundary condition (locking up coins for infinity time is the\nsame as burning them). I doubt anybody will actually do it in practice.\n\n\n\u003e - BIP158 users who have saved their past filters to disk can use them to\n\u003e determine which blocks subsequent to the one including the UTXO may\n\u003e contain a spend from it. However, since a UTXO can be spent in the\n\u003e same block, they'd always need to download the block containing the\n\u003e UTXO (alternatively, the script could contain a 1-block CSV delay\n\u003e ensuring any spend occurred in a later block). If BIP158 filters\n\u003e become committed at some point, this mechanism is upgraded to SPV-level\n\u003e security.\n\nThis scheme could be attacked using address reuse. An attacker could\ncreate an aged coin on a heavily-reused address, which would force an\nSPV client using this scheme to download all the blocks which contain\nthis reused address which could result in many gigabytes of extra\ndownload requirement.\n\nSo to fix this: a condition for aged coins is that their address has not\nbeen reused, if the coin is on a reused address then the value of the\nfidelity bond becomes zero.",
"sig": "6d72f42761dd280e9d16ffa0fda03805f82fd3344cd7024eacc0d65227a8ed4cb2ebf9b4ea2c505c0c67caa57764edf66ff7b24d3604dcf3613cc0c2dd891c13"
}