WIP: Creating 'Eliminating finalize' RFC #59
Conversation
|
What is the purpose of proof_nonce? |
|
I actually think we can get rid of By hashing the sender's and receiver's public_nonces to generate the |
|
As stated, these proofs don't work. Sender can prove knowledge of sender.nonce just as easily as they can prove knowledge of Perhaps we need something like pre_nonce = sender_nonce + receiver_nonce |
There was a problem hiding this comment.
Nice job, @DavidBurkett 👍 I took a pass with some thoughts and questions, let me know what you think.
text/0000-eliminate-finalize.md
Outdated
| # Motivation | ||
| [motivation]: #motivation | ||
|
|
||
| To simplify transaction building. |
There was a problem hiding this comment.
Would be good to understand how transaction building gets simplified with this RFC. What are the specific use cases that become easier? Does it become easier for services to process payments? Will user <> user flows be simplified? Cold storage transfers?
I also understand it as enabling payment proofs in the invoice flow, something which hasn't been possible before and is an open question of RFC006, which might be worth while mentioning here as well.
There was a problem hiding this comment.
Yea, was focusing on the technical details. I got a bit lazy. (ok, a lot lazy)
There was a problem hiding this comment.
Haha, understandably! I can help here, if we can identify roughly what these are. It's not entirely clear to me where the benefits arise
text/0000-eliminate-finalize.md
Outdated
| # Community-level explanation | ||
| [community-level-explanation]: #community-level-explanation | ||
|
|
||
| This feels like unnecessary red tape. See summary. |
There was a problem hiding this comment.
I think it would be useful to outline high level before and after flows for transaction building, and how it might be experienced from the end user perspective. Perhaps something like the below?
Prior to this RFC
Sender initiated (regular workflow)
- Sender creates and sends partial slate to receiver to a slatepack address.
- Receiver produces a response and returns to sender.
- Sender finalizes and broadcasts to the network.
Receiver initiated (invoice workflow)
- Receiver creates a payment request and partial slate and sends to sender.
- Sender approves the request, produces a response and returns to receiver.
- Receiver finalises and broadcasts to the network.
Flow as per this RFC
Sender initiated (regular workflow)
- Receiver shares a one-time address with sender along with
grin1slatepack address. - Sender creates a partial slate and shares with receiver.
- Receiver completes the slate and broadcasts transaction to the network.
Receiver initiated (invoice workflow)
- Receiver sends payment request, one-time address, and partial slate to sender.
- Sender approves the request, completes the slate, and broadcasts transaction to the network.
There was a problem hiding this comment.
I will make a few small fixes to this, and use it as the community-level explanation. Thank you
There was a problem hiding this comment.
Flow as per this RFC
Sender initiated (regular workflow)
- Receiver shares a one-time address with sender along with
grin1slatepack address.
To me that's receiver initiated.
Whoever first sends the first slate contents, i.e. public excess and nonce, is the initiator.
Isn't one-time address is just a misleading name for initial slate contents?!
So this looks rather identical to 1st step of traditional receiver workflow "Receiver creates a payment request and partial slate and sends to sender."
- Sender creates a partial slate and shares with receiver.
That looks identical to 2nd step of traditional receiver workflow "Sender approves the request, produces a response and returns to receiver."
- Receiver completes the slate and broadcasts transaction to the network.
That looks identical to the 3rd step of traditional receiver workflow "Receiver finalizes and broadcasts to the network."
The only interesting part to me is the ability to still have a payment proof in the receiver workflow.
Receiver initiated (invoice workflow)
- Receiver sends payment request, one-time address, and partial slate to sender.
- Sender approves the request, completes the slate, and broadcasts transaction to the network.
I fail to see how this works, given that the receiver never produced a partial signature.
There was a problem hiding this comment.
Whoever first sends the first slate contents, i.e. public excess and nonce, is the initiator.
Isn't one-time address is just a misleading name for initial slate contents?!
I believe you're thinking about this too technically, and not enough like a typical user. Right now, nobody complains about calling the regular workflow "sender initiated", even though the first part includes receiver sharing the address with the sender. And the slatepack address could just as easily be considered part of the slate as the one-time public nonce and excess are. If you think of the pub excess, pub nonce, and slatepack address as a "one-time address", and not as a partial slate, the RFC wording will make much more sense.
I fail to see how this works, given that the receiver never produced a partial signature.
You're correct. When I included it in the RFC, I made some modifications to make it more accurate. Please see here instead: https://github.com/DavidBurkett/grin-rfcs/blob/eliminate_finalize/text/0000-eliminate-finalize.md#community-level-explanation
There was a problem hiding this comment.
Isn't the point of this RFC to get rid of the third step for both sender and receiver initiated transactions? Pretty sure kurt (from the forum thread) mentioned this is possible if i understood correctly.
Sender initiated
- The sender generates a partial slate, with nonce timestamp etc, and sends it to receiver. (in this case the receiver does not need to be known, could be anonymous)
- The receiver completes the slate verifies the transaction and broadcasts it to the network.
Flow as per this RFC
Sender initiated (regular workflow)
- Receiver shares a one-time address with sender along with
grin1slatepack address.- Sender creates a partial slate and shares with receiver.
- Receiver completes the slate and broadcasts transaction to the network.
Receiver initiated (invoice workflow)
- Receiver sends payment request, one-time address, and partial slate to sender.
- Sender approves the request, completes the slate, and broadcasts transaction to the network.
There was a problem hiding this comment.
Yep, my proposal is here since one month: https://forum.grin.mw/t/eliminating-finalize-step/7621/22?u=kurt (add R_a in the hash of x, plus also verify nonce uniqueness) with some detailed security analysis on various aspects here: https://forum.grin.mw/t/eliminating-finalize-step/7621/40?u=kurt, here: https://forum.grin.mw/t/eliminating-finalize-step/7621/44?u=kurt, here: https://forum.grin.mw/t/eliminating-finalize-step/7621/78?u=kurt, here: https://forum.grin.mw/t/eliminating-finalize-step/7621/88?u=kurt and here: https://forum.grin.mw/t/integrated-payment-proofs-and-round-minimization/7745/7?u=kurt
There was a problem hiding this comment.
That's what I thought, thanks for clarifying. Wasn't sure if something changed after reading this.
| TODO: Define JSON & binary formats | ||
| TODO: Mention QR codes | ||
|
|
||
| ## Backward Compatibility |
There was a problem hiding this comment.
Might also be good to outline whether we think this should be the default moving forward, and if not, i.e. if the existing flow still should be supported, how we expect the two to co-exist without added friction.
There was a problem hiding this comment.
Yea, I'm not even sure what's best to do here. I'll put some thought into it and then update this section accordingly.
| Addresses are significantly longer (170 characters). | ||
|
|
||
| Using one-time addresses increases the risk of "Play" attacks [2]. Recommendations for dealing with these have been discussed in the above "Play attacks" section. | ||
|
|
There was a problem hiding this comment.
How are replay attacks affected by this? Not at all?
Are PayJoins still possible to do as before?
Are there any consensus breaking changes required?
There was a problem hiding this comment.
- Replay attacks seem unaffected.
- Interestingly, it solves the various privacy concerns I have with PayJoins. Using today's workflows, I consider PayJoins a non-starter, as they're terrible for the receiver's privacy. With this RFC, receiver doesn't have to leak any inputs until they choose to broadcast the transaction.
- Nope, consensus layer remains unchanged.
There was a problem hiding this comment.
Ohhh... you're right, it doesn't become possible to probe for tx outputs... ping @phyro
There was a problem hiding this comment.
First, congrats on the scheme David 👍 I think I understand the general idea, but have yet to fully grasp it. Yeah, this should make it easy to avoid the need to show the input to the sender. The receiver not having to send back to sender makes it possible to hide receiver's input which makes it more suitable for the receiver's side. It does require the sender to show their inputs and outputs to the receiver though which is not true in today's tx building since a tx could be merged prior to the receiver seeing it. This scheme basically shifts the roles of information knowledge hence making the sender show their inputs/outputs to the receiver. This gives that possible hiding of inputs/outputs power that the sender has in the current transaction building process to the receiver if I understand it correctly.
As you've already said, repetitive utxo spoofing should be impossible in theory, but some care needs to be taken because if the receive action is automated, the sender could send 1 nanogrin a dozen times and then observe the transactions which could cause output leaking if the receiver finalizing the tx was automated.
Such A->B scheme would be nice if we conclude it is secure. I have some questions but am not sure how relevant they are:
- What happens if the sender sends to the same address twice? are there any possible security issues?
- UTXO spoofing should be impossible in theory, but what happens if you just send 1 nanogrin a dozen times to a wallet that is automated to receive? My current understanding is that automated PayJoin
receivetransactions could be a bad idea if one is concerned about this attack, so payjoins might be best if they required a manual confirmation. Am I understanding it correctly?
There was a problem hiding this comment.
This scheme basically shifts the roles of information knowledge hence making the sender show their inputs/outputs to the receiver.
Yea, this is how we used to do it before compact slates anyway. It's far less harmful than letting a random sender prod a listening wallet for inputs. The sender chooses who to reveal its inputs to, making it far less worrisome.
the sender could send 1 nanogrin a dozen times and then observe the transactions which could cause output leaking if the receiver finalizing the tx was automated.
You're talking about when using PayJoin?
- What happens if the sender sends to the same address twice? are there any possible security issues?
Huge security issues, which is why I define the exact process in the "Nonce Reuse" section. Have a re-read of it and let me know if you still have questions.
2. My current understanding is that automated PayJoin
receivetransactions could be a bad idea if one is concerned about this attack, so payjoins might be best if they required a manual confirmation. Am I understanding it correctly?
Yea, you're understanding that correctly. Good point. PayJoin is still problematic. However, since these are one-time addresses, presumably you're not giving dozens of them out to the same person. You could have an automated service that does that though, so it's still worth considering if maybe PayJoin should always require manual intervention. An automated service could still collect partial transactions, and user could later manually finalize them all and choose whether to payjoin or not.
| # Rationale and alternatives | ||
| [rationale-and-alternatives]: #rationale-and-alternatives | ||
|
|
||
| An alternative approach to simplifying transaction building is to support non-interactive transactions [3]. |
There was a problem hiding this comment.
Is it fair to say that another alternative would be for a receiver to pre-generate a lot of invoice slates using the existing workflow? With the drawback there being that they would need to specify amounts (right?) and also that payment proofs would not be supported?
There was a problem hiding this comment.
The amounts part kind of seems like a deal killer. It's not a practical solution.
There was a problem hiding this comment.
Maybe still worth raising it as an alternative and explain why it's not as good, it only helps build the case for what's being proposed I believe
| # Unresolved questions | ||
| [unresolved-questions]: #unresolved-questions | ||
|
|
||
| * Can this be used to simplify sending to a multisig address? |
There was a problem hiding this comment.
Interesting.... We should explore this, it's one of the open things with Slatepacks as well. If we could ascertain that this flow would make multisigs (and maybe also atomic swaps?) easier, it could be a powerful statement.
Why? It's part of their address.
Why does pubkey need to be involved at all? Since nonce is already part of the address, I don't see why we also have to commit to excess in the hash also. And without pubkey, this is almost exactly the scheme I mentioned above. Put in this form, it would just be |
text/0000-eliminate-finalize.md
Outdated
|
|
||
| TODO: Describe play attacks, and finish this section. | ||
|
|
||
| Any inputs sent from a wallet to a one-time address should be considered as sent. They should not be cancelable, however, the sender should have the option to add additional inputs and/or increase the fee (equivalent of bitcoin's RBF). |
There was a problem hiding this comment.
Please correct me if I'm misunderstanding this, but I think that they should definitely be cancelable from the sender side. Consider a scenario where Alice is sending 5 Grin to Bob and she uses an input that holds 1000 Grin. She creates her change output with 995 Grin. If she can't cancel the transaction, then if Bob simply refuses to finalize the transaction, this is somewhat equivalent to Bob burning all the outputs which would make Alice lose her 995 Grin output. In theory, Bob could blackmail Alice telling her to send some more coins if she wants to get her change output. Adding a cancel option to Alice solves this as she could reuse the inputs in a new transaction.
There was a problem hiding this comment.
Good point. I didn't think that through very well at all 😆
I guess I more meant that cancel and resend to same receiver because the transaction "failed" (a common case today) shouldn't be supported, since cancel requires respending those inputs. Instead, we should resend the original partial slate, perhaps with a larger fee. We should never naively just return the inputs back to the wallet as spendable.
There was a problem hiding this comment.
yeah, I agree. A 'resend' after cancelation should reuse the inputs to avoid the play attacks - a reuse of completely the same inputs and outputs is one such option.
No comment on this?
But can sender convince a 3rd party (like a court) that the receiver used that address?
They are already in existing payment proofs, where you call them sender_address, receiver_address. |
Can a receiver repudiate having a bitcoin address? Exactly what should the receiver sign the nonce with? Are we going to require registration or some kind of web of trust in order to validate an address belongs to someone?
Sure, but the sender_nonce and receiver_nonce are enough to take that place. I'm fine with including full addresses there, but I thought your claim was that including full address was somehow a resolution to the comment "As stated, these proofs don't work". I fail to see how including full address improves the strength of the proof.
But |
After some offline discussion, it was determined that the issue @tromp was referring to does not apply to this scheme, since we correctly hash the sender.nonce as part of the logic to determine |
|
Sorry for misunderstanding the construct previously and incorrectly claiming they don't work.
No, but we do want to tie payment proofs to addresses that have some permanence and might conceivably be published or attested to. The latter would be outside the scope of this proposal though.
I would also Hash a memo field that both parties could agree on to describe the payment.
It may be hard to convince a 3rd party arbiter that the claimed receiver.public_nonce was the actual one. This is specific to one tx and not likely to be publicly verifiable.
doesn't seem to have that issue as total_nonce unambiguously commits to all the hashed data. |
It doesn't though. The only way to tie the I suppose the solution is to extend the bech32 address further to contain:
|
|
You're right; there needs to be an actual signature withe the ed25519_pubkey involved somewhere... |
|
A thought I wanted to park here is that this approach (with one time use addresses) to some degree supports the previous thinking where we wanted to discourage slatepack address re-use in any case as it leaks privacy unnecessarily. On the other hand, there's also:
|
|
@lehnberg am I understanding correctly that the receiver would need to pass a new address for every |
We used to have a clear separation between slate address and slate contents. |
|
Slippery slope to what? What practical issues are there with it? |
|
Slippery slope to confusing the notions of slatepack and slatepack address. Instead of
Then the payment proof could be tied to the more permanent receiver address, making it far more useful. |
There was a problem hiding this comment.
Thanks very much for taking the time to put this together @DavidBurkett, apologies for taking so long to review. This is an exciting idea made even more exciting with a beautiful RFC :)
Something for us to think about in general- how much of a headache will it be to support both tx types long term? If we can live with it, this is an interesting opportunity to improve UX by reducing manual interactive steps and to potentially improve privacy by enforcing unique addresses for tx's, both while still allowing support for short generic slatepack addresses that can remain static as a donation address for example.
This does come at a cost of potential added confusion for users with the added complexity: which kind of address should I paste to receive coin from my exchange? which kind is the most private/secure? even if Tor works for both of us? what if it doesn't? which kind should I implement for my online store? what are the implications and tradeoffs with each? will multisig and payment channels be supported by both types? These questions can all be overcome with additional documentation at the cost of ecosystem fluidity.
Like with slatepack, this RFC seems to be more about a UX improvement than a technical improvement, but we still have to make sure the technical details are sound enough to avoid new UX headaches (or worse). Unfortunately for us, since UX is such a major component of this area, it is harder to objectively determine what the "best" approach is, relative to purely technical decisions.
If address reuse with this transaction flow means potential fund loss, and an address_list and indicator for used addresses must be kept to prevent address reuse, does this mean that for a secure restore from seed, an up-to-date address_list must be kept to be input with a seed on restore? Maybe there is some synergy there for mitigating (re)play related attacks in the wallet, as iirc the ability to track state into a seed restore will solve at least some of the problems. This seems to be one of the biggest challenges of the idea, but if we need to track a wallet state anyway, this data could certainly be included.
As @tromp points out, I am a bit wary to start embedding data at the address layer because we spent a lot of effort while architecting slatepack to think carefully about what data is embedded at which layer. Obviously the opportunity to reduce the number of steps taken by users in an ecosystem that already has usability challenges is appealing and should be explored with a cautious optimism, as long as we are certain that reducing the number of steps in this way does make the improvements we are seeking. For better or worse, with a more complicated slatepack address, we lose the ability to associate Grin keys with identity in future systems like keys.pub and lose the ability to use Grin keys as age encryption/decryption keys for files or even message data a la keybase. While there are advantages to retaining simplicity and compatibility in the address space, a significant UX improvement would be one of the few valid reasons to consider adding complexity there.
I still want to think through implications of the additional data leakage for the newly proposed addresses, as well as step through the crypto more closely, particularly around the payment proofs. As previously pointed out, I'm also very curious what multiparty flows would look like. Overall, I appreciate the opportunity in the idea, even more so with the level of detail you have included in the RFC, nice work.
|
After another look, I might have been confused around the nonce and the |
|
Correct, much like a send slate today can't be finalized on a separate, restored wallet, a slate to a one-time address can't be finalized on a separate, restored wallet. |
|
Supporting both types of transactions should be trivial, and is described in the backward compatibility section. The only challenge is, as you mentioned, trying not to confuse users when displaying both a one-time address and a permanent one. But maybe we don't have to display both. It's technically possible to do both types of sends (one-time and traditional) provided just a single address. If the one-time address was already used, the receiver will ignore the partial signature created using the one-time nonce/excess, and just return a slate for finalization by the sender. But if the nonce/excess are unused, receiver can finalize herself. I'm not sure how I feel about that yet, but it's just a quick thought I had. We might be able to iterate on it further. |
|
If we're open to making a consensus change, removing public excess from the schnorr signature challenge will allow us to eliminate the finalize step without the requirement for using one-time addresses. Kurt had originally claimed this was possible, but I hadn't had time to investigate the consequences until now. Our schnorr signatures use A standard schnorr multisignature only requires If Edit: @valdok found that this idea is borked. :( |
|
I was going to ask about this on #bitcoin-wizards, but it appears @tromp beat me to it:
It seems like we should be ok to go with the approach of always generating a random excess, but letting the sender generate a public nonce for us based on some linear combination of a permanent public key. So one-time addresses would indeed not be necessary to remove the finalize step. Are there any obvious objections to going this route? Is this consensus change something we'd be ok with? If we are, I'll go ahead and update this RFC to use the permanent address approach that involves changing our schnorr multisignatures to use |
|
What is the advantage of one-time addresses or new kinds of Schnorr signatures over simply |
|
The advantage of changing Schnorr signatures is we get reusable addresses, so receiver doesn't have to initiate a send if the address is already known. It's also much easier to have listening wallets, and "cold" storage. You can set up a listener to collect a bunch of partial transactions while your keys are offline, and then receive/finalize them at your convenience without worrying about sending something back to the sender. |
|
I don't think the following point is correct -
My (limited) understanding is it is necessary to include both https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
|
This would be a problem if we were generating kernel excesses from our BIP32 seeds. Fortunately, we're not. They're randomly generated, so only the owner knows the relationship between the public keys. Edit: Actually, I think it's just transaction offset which is generated randomly. Since outputs are generated from BIP32 seeds, indirectly the kernel excesses would be too. I think it still requires knowing the xpub to determine the relationships between child pubkeys, but we should switch to hardened keys to be safe. |
|
This would allow any third-party to malleate a transaction, not just the sender or receiver?
For any arbitrary "additive tweak" We would need to use I do like the idea of removing key-prefixing if this is not actually required. But the malleability makes me hesitate. |
Yep, correct. I think this should be fine in our existing use cases, although it's certainly a non-trivial change. What does this do to your NRD proposal? Can it work with R instead of commitment? I'm ashamed to admit I never got a chance to review the RFC. |
|
I'm guessing two kernels sharing the same I'm not clear on if this there is a problem with nonce reuse here though. |
Presumably the excess would be different for any "duplicate" (duplicate R) kernel, so I believe it should be fine. For sure using the same excess with a different message would be bad. I'll see if I can get some time this weekend to look at the NRD RFC and see if we could make it work. |
|
The other thing that bugs me here is this proposal effectively pre-shares the public nonce prior to the message being committed to. There is not a lot of freedom in the message as we only include the features, the fee and potentially lock height, but there is some freedom. See "Pre-shared nonces in MuSig" here - I honestly don't know if this is an issue with this approach - but something we should understand. |
|
After I put the specific of the scheme with re-usable address for the nonce (https://forum.grin.mw/t/eliminating-finalize-step/7621/22?u=kurt), (and justified in another post why it is important that the sender commits to its partial nonce in x), I started to analyze the security of it and described the details of a possible attack that allows to steal coins if we are not careful with the protocol: This can be achieved by 2 different solutions:
I prefer the solution 2. by far because it means that the user does not have to be careful, and can even re-use addresses accross wallets. It improves ux and relieves the burdon from the wallet developers and the users. It is true that the kernel with this scheme will be malleable by everybody. For now I don't see an issue with this. Concerning biasing the hash function, I do not see an issue either. The ultimate property of a hash function is to be collision-resistant, which our hash function provides. There is always the possibility in our current transaction building process that the receiver tries out different partial nonces before he finalizes the message of the signature. This is inherent to a Schnorr multi-sig. Concerning the security of the scheme, I highly encourage everyone to try to attack it more. This new Schnorr scheme is modified, and moreover intervenes in the context of a Mimblewimble blockchain. The attack that I described on the forum is not due to this modified Schnorr itself, but is precisely due to the fact that this modified Schnorr is inside a Mimblewimble protocol: There is absolutely no guarantees that there are not other attacks of this kind, even if we do verify nonce uniqueness to solve the first attack. I have looked more at the scheme and tried to attack it again, and my current feeling is that the scheme is secure. One of the necessary conditions for this scheme to be secure is that knowing Hash(m1).x1 - Hash(m2).x2 does not lead to an attack (knowing x1 - x2 does lead to an attack, which is the one I described). I believe it does not, but I don't have a formal proof for this. |
It's even worse than that. The sender can also bias their public nonce, since it's not previously committed to. Though despite a few previous attempts to understand Wagner's attack, I still am yet to fully comprehend the implications. It's going to take some head-scratching. |
Irrelevant to our scheme as I detail in https://forum.grin.mw/t/eliminating-finalize-step/7621/78?u=kurt. |
|
Maybe another way of thinking about this is less about "eliminating" the finalize step and rather allowing the sender to delegate the responsibility of finalizing the transaction to another party. In the simple sender->receiver case the sender delegates this responsibility to the receiver. And this is achieved by publishing partial nonces and removing the public excess from the signature challenge, allowing the sender to build their partial signature earlier in the protocol. |
|
@antiochp What you're saying is more accurate technically, but to a typical user, it's a reduction of the number of actions, leaving just 2: send and receive (or send and accept, depending on how you view it). No more need for them to reason about finalization. |
|
@DavidBurkett not seeing much activity on this, is it still active? Was it shown to be flawed? Should it continued to be kept open? |
|
The RFC has not been shown to be flawed, though the consensus change mentioned in an above comment is. It's hard to gauge interest in the idea, which is why I held off. We can see what happens with Kurt's new design for the consensus change approach and decide from there which approach to take. |
|
From a community perspective, I think this functionality is critical to our success. |
RFC for the idea originally discussed here: https://forum.grin.mw/t/eliminating-finalize-step/7621
Link to rendered text: https://github.com/DavidBurkett/grin-rfcs/blob/eliminate_finalize/text/0000-eliminate-finalize.md