Hello Monero community!
Two months ago I posted a CCS for continuing my research on Monero Atomic Swaps. That research is now complete and I am happy to present my results.
This post will be a summary of my research, but you can also find the whitepaper that describes the full protocol and all the details here.
Shiny BTC/XMR Atomic Swap Protocol!
We found it! With the help of the MRL, my colleagues, and the community, we created the first (to our knowledge) protocol to atomically swap bitcoin and monero. And this resulting protocol is implementable today – no more obscure crypto!
Why now? What changed?
When I started studying Monero for a Bitcoin/Monero atomic swap three and a half years ago, most of the swap protocols were based on 'Hash Time Locked Contracts' (HTLC), something that we all know to be non-existent on Monero. So the goal at the beginning of the project was to create an atomic swap where all of the logic (timeouts, possible sequences of operations, secret disclosures, etc.) is managed on the other chain: the Bitcoin chain.
The second challenge with Monero and Bitcoin is their respective underlying cryptographic parameters: they do not share the same elliptic curve, they do not share the same signing algorithm; they have nothing in common! This makes the pair a bad candidate for the other kinds of atomic swap that do not (only) rely on HTLC.
In November 2018 we came up with a draft protocol that respects the above constraints. To meet them, the protocol requires a special kind of zero-knowledge proof to be trustless: a hash pre-image zero-knowledge proof. This kind of zkp is not widely used in practice, if at all. So the protocol works in theory, but with some obscure crypto, making it a bad candidate for an implementation.
In early 2020, after presenting the draft protocol at 36C3 in December 2019, I discovered, by reference from Sarang Noether (MRL), Andrew Poelstra's idea of a discrete logarithm equality across groups zero-knowledge proof of knowledge (MRL-0010), meaning that we can prove some relations between elements in two different groups (two curves, to simplify), and the paper by Lloyd Fournier on One-Time Verifiably Encrypted Signatures, which allows secret disclosure with ECDSA.
With these two new (to me) cryptographic primitives, we were able to replace the previous zero-knowledge proof with a combination of the latter two, making the protocol complete and practically feasible.
How it works
As a broad (and simplified) overview, the protocol works as follows:
The monero are locked in an address generated by both participants
At first, neither of the participants has full control over the address; they each hold only half of the private key
With the cross-group discrete logarithm equality zkp, both participants prove to each other that the address on the Bitcoin chain is related to the address on the Monero chain
Through Bitcoin scripts and ECDSA one-time verifiably encrypted signatures, one participant reveals to the other her partial private key by taking the bitcoin, allowing the other to take control over the monero
If the swap succeeds, A reveals to B, and if the swap is cancelled, B reveals to A. (We have a third scenario, explained in the paper, to force a response and avoid deadlock.)
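As an added illustration of the secret-disclosure step above (this is example code, not the paper's protocol specification or the author's implementation), the following Python sketch builds an ECDSA one-time verifiably encrypted signature over secp256k1 in the style of Fournier's scheme: the counterparty produces a signature on the bitcoin-taking transaction that is encrypted to Y = y*G, the taker verifies it in advance, decrypts it with y, and the moment the decrypted signature is published the counterparty recovers y from it. It assumes y is the taker's partial Monero key share treated as a secp256k1 scalar (the cross-group DLEQ that ties Y to the Monero-side key is not shown), uses affine arithmetic for readability rather than speed, and all key and message values in the usage are constructed for the example.

```python
import hashlib, secrets
# secp256k1, the curve behind Bitcoin's ECDSA; affine points, None = infinity
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3*a[0]*a[0] * pow(2*a[1], -1, P) if a == b
           else (b[1]-a[1]) * pow(b[0]-a[0], -1, P)) % P
    x = (lam*lam - a[0] - b[0]) % P
    return (x, (lam*(a[0]-x) - a[1]) % P)

def mul(k, pt):                         # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r
def h(*pts):                            # Fiat-Shamir challenge from points
    return int.from_bytes(hashlib.sha256(repr(pts).encode()).digest(), "big") % N

def enc_sign(x, m, Y):
    # ECDSA signature on hash m by key x, encrypted to Y = y*G: nonce point R = k*Y
    k = secrets.randbelow(N - 1) + 1
    R, Rh = mul(k, Y), mul(k, G)
    a = secrets.randbelow(N - 1) + 1      # Chaum-Pedersen DLEQ: same k in R and Rh
    A1, A2 = mul(a, G), mul(a, Y)
    c, r = h(A1, A2, Rh, R), R[0] % N
    return (r, pow(k, -1, N) * (m + r*x) % N, R, Rh, A1, A2, (a + c*k) % N)

def enc_verify(X, m, Y, es):            # recipient checks this before relying on it
    r, s_hat, R, Rh, A1, A2, z = es
    c = h(A1, A2, Rh, R)
    if mul(z, G) != add(A1, mul(c, Rh)) or mul(z, Y) != add(A2, mul(c, R)):
        return False
    w = pow(s_hat, -1, N)
    return R[0] % N == r and add(mul(m*w % N, G), mul(r*w % N, X)) == Rh

def decrypt(es, y):                     # holder of y completes the signature
    return (es[0], pow(y, -1, N) * es[1] % N)
def ecdsa_verify(X, m, sig):            # plain ECDSA check, as Bitcoin performs it
    w = pow(sig[1], -1, N); Q = add(mul(m*w % N, G), mul(sig[0]*w % N, X))
    return Q is not None and Q[0] % N == sig[0]

def recover(es, sig, Y):                # learn y from the signature seen on-chain
    y = es[1] * pow(sig[1], -1, N) % N
    return next((c for c in (y, N - y) if mul(c, G) == Y), None)  # s may be negated
```

Because Bitcoin accepts both (r, s) and (r, -s), `recover` tries both signs of the candidate and keeps the one whose public point matches Y.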
The obvious next step would be to have a working implementation on mainnet, but a ready-to-use implementation that is also robust and safe to use requires a lot of engineering work. Moreover, even though the cryptography is not too obscure, most of it still lacks an implementation.
I will publish soon, if the community wants it, a CCS proposal to get my team and me to work on implementing this protocol, step by step, with the end goal of creating a working client/daemon for swapping Bitcoin and Monero. It would be very exciting to build that!
Thanks to the MRL and its researchers for their help, to the CCS team, and to the community for its support!
I hope I fulfilled the community's expectations for my first CCS – all feedback is appreciated.