[bitcoin-dev] Simple lock/unlock mechanism
アルム カールヨハン via bitcoin-dev
2018-02-28 03:47:29 UTC
With the recent trend of physically robbing people for bitcoin (or
other cryptocurrencies), I thought it would be beneficial to introduce
a standard for locking up a portion of your bitcoin in a simple
'gotta-wait-awhile' system.

The idea is to simply create a transaction spending a set of UTXOs to
a P2SH address with an OP_CSV attached to it, and then throw away the
private keys.

To spend the bitcoin, you would have to broadcast the transaction and
wait the given amount of time, then use the new txout.

There are several ways to shoot yourself in the foot trying to do this
manually, but e.g. Bitcoin Core could handle this in a fairly
straightforward manner by introducing two new commands, which I call
freeze and unfreeze:

bitcoin-cli freeze [amount OR array of txid+vout objects] [days, default 1]

E.g. bitcoin-cli freeze 10 5
E.g. bitcoin-cli freeze ["abc123:1", "def346:0"] 3

The unfreeze command would by default list all freezes:

bitcoin-cli unfreeze
txid days status
bcd123 5 frozen
dca999 3 frozen

Including the txid would broadcast the unfreeze and status would
become 'thawing' until the amount becomes available:

bitcoin-cli unfreeze bcd123

bitcoin-cli unfreeze
txid days status
bcd123 5 thawing
dca999 3 frozen

The benefit of this is that it becomes physically impossible for you
to spend the coins until you thaw them, and if this becomes standard
enough, it should disincentivize potential robbers as it would be
expected that you keep most of your assets locked up. They could of
course hold you hostage until the period is over, which may be worse,
but I think that kind of operation would be substantially more
difficult than a simple rob-and-run.

The drawback is that you have to broadcast a transaction in order to
spend the content, and you cannot bump the fee so the transaction
could get stuck in a high-fee situation.

-Kalle.
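A worked encoding of the freeze output described above, added here as an example and not code from Kalle's post or from Bitcoin Core: it turns the `days` argument into a time-based BIP68 nSequence value (the post does not say whether the lock is block- or time-based; time-based is assumed), assembles the `<n> OP_CHECKSEQUENCEVERIFY OP_DROP <pubkeyB> OP_CHECKSIG` redeem script, and checks a candidate spend against the BIP112 rules. The pubkey is a constructed placeholder.

```python
# BIP68 relative lock-time encoding constants (consensus values).
SEQUENCE_LOCKTIME_DISABLE_FLAG = 1 << 31
SEQUENCE_LOCKTIME_TYPE_FLAG = 1 << 22   # set => units of 512 seconds, clear => blocks
SEQUENCE_LOCKTIME_MASK = 0x0000FFFF      # 16-bit lock value
OP_CSV, OP_DROP, OP_CHECKSIG = 0xB2, 0x75, 0xAC

# Constructed placeholder for "pubkey B" (33-byte compressed key), not a real key.
PUBKEY_B = b"\x02" + b"\x11" * 32

def days_to_sequence(days: float) -> int:
    """Encode a relative lock of `days` as a time-based nSequence (rounded up to 512 s units)."""
    units = -(-int(days * 86400) // 512)   # ceiling division: never shorter than requested
    if units > SEQUENCE_LOCKTIME_MASK:
        raise ValueError("relative time-lock exceeds the 16-bit BIP68 range (about 388 days)")
    return SEQUENCE_LOCKTIME_TYPE_FLAG | units

def script_num(n: int) -> bytes:
    """Minimal little-endian script number encoding (non-negative values only)."""
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out and out[-1] & 0x80:
        out.append(0)                       # keep the sign bit clear for positive numbers
    return bytes(out)

def freeze_redeem_script(sequence: int, pubkey_b: bytes = PUBKEY_B) -> bytes:
    """<sequence> OP_CHECKSEQUENCEVERIFY OP_DROP <pubkeyB> OP_CHECKSIG (direct pushes only)."""
    seq = script_num(sequence)
    return (bytes([len(seq)]) + seq + bytes([OP_CSV, OP_DROP, len(pubkey_b)])
            + pubkey_b + bytes([OP_CHECKSIG]))

def csv_satisfied(script_sequence: int, tx_version: int, input_nsequence: int) -> bool:
    """BIP112 check: may an input carrying `input_nsequence` spend an output whose CSV
    operand is `script_sequence`? Mirrors the script rules, not the chain-age check."""
    if script_sequence & SEQUENCE_LOCKTIME_DISABLE_FLAG:
        return True                         # disabled operand makes CSV a no-op
    if tx_version < 2 or input_nsequence & SEQUENCE_LOCKTIME_DISABLE_FLAG:
        return False                        # BIP68 is not enforced for this input
    mask = SEQUENCE_LOCKTIME_TYPE_FLAG | SEQUENCE_LOCKTIME_MASK
    want, have = script_sequence & mask, input_nsequence & mask
    if (want & SEQUENCE_LOCKTIME_TYPE_FLAG) != (have & SEQUENCE_LOCKTIME_TYPE_FLAG):
        return False                        # block-based vs time-based locks do not compare
    return want <= have

if __name__ == "__main__":
    seq = days_to_sequence(5)               # the 5-day lock from `bitcoin-cli freeze 10 5`
    print(hex(seq), freeze_redeem_script(seq).hex())
```

The thaw transaction spends this output with nVersion 2 and the input's nSequence set to at least the encoded value; with privkey A discarded, no shorter path exists.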
アルム カールヨハン via bitcoin-dev
2018-02-28 04:34:18 UTC
A few p.s.'es:

1. Graftroot probably breaks this (someone could just sign the
time-locked output with a script that has no time-lock).

2. Address reuse of discarded privkeys would be a problem. A way to
alleviate might be that freezing includes a send to a new address and
the privkeys for that new one are discarded instead. One extra
transaction, but reduces the risk of accidentally throwing away
`donations4mybook` vanity keys.

-Kalle.
Anthony Towns via bitcoin-dev
2018-02-28 22:30:44 UTC
Post by アルム カールヨハン via bitcoin-dev
1. Graftroot probably breaks this (someone could just sign the
time-locked output with a script that has no time-lock).
Making the graftroot key be a 2-of-2 muSig with an independent third party
that commits to only signing CLTV scripts could avoid this. Making it
3-of-3 or 5-of-5 could be even better if you can find multiple independent
services that will do it.

Cheers,
aj
Adam Back via bitcoin-dev
2018-02-28 23:36:05 UTC
Coincidentally I had thought of something similar to what Kalle posted
about a kind of software only time-lock vault, and described the idea
to a few people off-list. Re. Root incompatibility, if the key is
deleted (as it must be) then a delegated signature can not be made
that bypasses the CSV timeout restriction, so Root should not be
incompatible with this. I think it would be disadvantageous to mark
keys as Rootable vs not in a sighash sense, because then that is
another privacy/fungibility loss eroding the uniformity advantage of
Root when the delegate is not used.

One drawback is deleting keys may itself be a bit difficult to assure
with the HD wallet seed's setup-time backup model.

As Anthony described I think, a simpler though less robust model would
be to have a third party refuse to co-sign until a pre-arranged time,
and this would have the advantage of not requiring two on-chain
transactions.

With bulletproofs and CT rangeproofs / general ECDL ZKPs there is the
possibility to prove things about the private key, or hidden
attributes of a public key in zero-knowledge. Kind of what we want is
to place private key covenants, where we have to prove that they are
met without disclosing them. For example there is a hidden CSV and it
is met OR there is no hidden CSV so it is not applicable.

Adam

アルム カールヨハン via bitcoin-dev
2018-03-01 05:11:54 UTC
Post by Anthony Towns via bitcoin-dev
Post by アルム カールヨハン via bitcoin-dev
1. Graftroot probably breaks this (someone could just sign the
time-locked output with a script that has no time-lock).
Making the graftroot key be a 2-of-2 muSig with an independent third party
that commits to only signing CLTV scripts could avoid this. Making it
3-of-3 or 5-of-5 could be even better if you can find multiple independent
services that will do it.
That kind of defeats the purpose. If you go through the trouble of
doing that, you can just do multisig and skip the freezing part
entirely. A robber would have to get you and the cosigner to sign in
both cases, and the CLTV could be overridden with graftroot.
Post by Adam Back via bitcoin-dev
Coincidentally I had thought of something similar to what Kalle posted
about a kind of software only time-lock vault, and described the idea
to a few people off-list. Re. Root incompatibility, if the key is
deleted (as it must be) then a delegated signature can not be made
that bypasses the CSV timeout restriction, so Root should not be
incompatible with this. I think it would be disadvantageous to mark
keys as Rootable vs not in a sighash sense, because then that is
another privacy/fungibility loss eroding the uniformity advantage of
Root when the delegate is not used.
1. Create TX1=(tx, sig) from UTXO A to p2sh B which has a CSV
timelock. Discard privkey A.
2. After broadcasting TX1, you need privkey B to spend it.
3. Use graftroot and privkey B with a script without timelock to spend B.

The robber can simply force you to execute step 3, since you have the
privkey to B.
Post by Adam Back via bitcoin-dev
One drawback is deleting keys may itself be a bit difficult to assure
with the HD wallet seed's setup-time backup model.
That's a good point. Even more of a reason to include as part of
'freezing' a send to a new ephemeral key as 'initialization'. Sucks to
pay triple fees though (freeze ephemeral + unfreeze + actual use).
Post by Adam Back via bitcoin-dev
As Anthony described I think, a simpler though less robust model would
be to have a third party refuse to co-sign until a pre-arranged time,
and this would have the advantage of not requiring two on-chain
transactions.
I was hoping there was a way for a person to simply lock-up the major
portion of their coins easily.

As a sidenote: a security firm (e.g. one that comes to your house when
the alarm goes off) could have a service where seeing an unfreeze
transaction which you have told them about without you giving a heads
up beforehand is equal to the alarm going off.

-Kalle.
アルム カールヨハン via bitcoin-dev
2018-03-05 14:53:16 UTC
Post by アルム カールヨハン via bitcoin-dev
That kind of defeats the purpose. If you go through the trouble of
doing that, you can just do multisig and skip the freezing part
entirely. A robber would have to get you and the cosigner to sign in
both cases, and the CLTV could be overridden with graftroot.
I think I'm confused on this. To use graftroot it has to be a pubkey,
not a p2sh thing.

-Kalle.