DOS proofs for anti-DOS #50

Open
chris-belcher opened this issue May 17, 2018 · 2 comments

chris-belcher commented May 17, 2018

Although there are timeouts in coinswap, the failure/backout case still means miner fees and time are wasted, which is a DOS opportunity.

There is an observation I've been thinking about which could be useful: proof that a DOS happened.

If the coinswap server maker (Carol) has a long-running identity (e.g. with #51), it's possible to prove that Carol once DOS'd an Alice by not following the coinswap protocol and forcing Alice to use the timeout branch to get her coins back.

When Alice obtains Carol's public key and the refund transaction (TX-2/3 from the coinswap doc), Alice should also get a digital signature proving that Carol really owns the pubkey she gave.

A DOS proof is simply that proof that Carol owned a pubkey, plus proof on the blockchain that there was a 2-of-2 address paid into, plus a later transaction spending from that 2-of-2 address via the timeout branch. The proof could then be spread around to damage the reputation of Carol. Carol would then need a costly new identity to carry on DOSing.

This proof is compatible with pruning, because the transactions can be accompanied by merkle proofs which prove that they were mined into a block.


chris-belcher commented May 18, 2018

Unfortunately I thought of a way to break this.

A malicious Alice wants to damage the reputation of Carol. Alice just sends money to a 2of2 address and then spends from it using the refund tx. Carol never had a chance to complete the coinswap protocol but Alice now has an unfair proof that Carol DOS'd. Alice only has to pay two miner fees to create this unfair proof.


chris-belcher commented Nov 15, 2018

I thought of a way to fix the break above, which would allow true DOS proofs. The downside is it opens up a JoinMarket-Org/joinmarket#156 attack on coinswap (which could be mitigated but not solved with podle commitments like joinmarket does).

Transactions are labeled using the same conventions as in the coinswap_new.pdf. Here's how it works:

  1. Alice wants to do a coinswap with Carol for a given amount. Alice communicates with Carol and tells her the bitcoin amount to be coinswapped, and asks for a pubkey used for the 2of2 multisig and refund transaction.

  2. When Alice obtains Carol's pubkey and refund transaction, she also obtains other things that make up the proof. Carol tells Alice the unsigned TX-1 she intends to use. Also a timeout before which TX-0 and TX-1 must be mined, and after which the proof becomes invalid. All of this information is signed with Carol's private key, which is non-repudiable proof that Carol provided that information.

  3. Alice then broadcasts TX-0 and waits for Carol to broadcast TX-1.

  4. If Carol does not broadcast TX-1 then Alice publishes the DOS proof in public somewhere. The proof of DOS is made up of (Carol-pubkey, unsigned TX-1, timeout, signature, TX-0, 2of2 multisig redeem script containing Carol pubkey).

  5. Anyone can check the proof, like this:

  • Check that TX-0 has been mined into the blockchain before timeout, if not then the proof isn't valid.
  • Check that the multisig redeem script contains Carol pubkey.
  • Check that unsigned TX-1 didn't get mined (check that the input UTXOs are either unspent or were doublespent).
  • Check that Carol's signature is valid, which proves that the pubkey and TX-1 really belong to her and that she agreed to the timeout.
  • If all of the above check out then the proof is valid, and Carol really did DOS Alice.
  • This proof can then lower the reputation of Carol.

A DOS can still happen after both TX-0 and TX-1 have been mined, but it will cost money. Carol can force Alice to waste miner fees on the refund transaction TX-2, but only by having herself waste miner fees on her TX-3. Therefore this is not a DOS problem because the cost is symmetric; DOS is only a problem if one side can force the other to waste resources at little cost to itself.

Obviously all mined transactions can be accompanied with merkle proofs, so a pruned full node can still be convinced that they exist.

The 156-style attack comes from the fact that Alice has information about some of Carol's UTXOs because she knows the unsigned TX-1, so Alice could halt the protocol after step 2 and use the information to unmix Carol's later coinswaps.
