BIP Draft for Octojoin #1669

pull 1440000bytes wants to merge 3 commits into bitcoin:master from 1440000bytes:octojoinv1 changing 1 files +116 −0
  1. 1440000bytes commented at 10:54 am on September 25, 2024: none

    I had written a blog post about the concept and it was shared on mailing list in July 2024. There wasn’t any response on mailing list but I have discussed it with some developers and there seems to be lot of interest for the idea among users.

    This is an initial draft and the pull request will help me complete the BIP ASAP.

    TODO

    • Add rationale section
    • Add proof of concept
    • Add acknowledgment section
    • Add more technical details
  2. in bip-octojoin.mediawiki:7 in 6b06823ec1 outdated 
    0@@ -0,0 +1,82 @@
1+  BIP: XXX
2+  Layer: Applications
3+  Title: Octojoin v1
4+  Author: /dev/fd0 <alicexbt@protonmail.com>
5+  Type: Informational
    jonatack commented at 3:17 pm on September 25, 2024:

    Please add the following 2 lines before this line (see BIP-2):

    0Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0xxx
1Status: Draft
  3. jonatack added the label New BIP on Sep 25, 2024
  4. in bip-octojoin.mediawiki:23 in 6b06823ec1 outdated 
    18+
19+====Relation to Monero====
20+
21+Most Monero transactions use 16 ring size for the input, making it impossible to determine which input is signed by the user out of 16. The amounts are hidden, and stealth addresses are used for outputs.
22+
23+Octojoin achieves partial obfuscation similar to Monero's ring signatures ([https://www.getmonero.org/2024/04/27/fcmps.html FCMP++] will replace ring signatures in future) and stealth addresses. Swaps can be done off-chain to obscure the transaction's input ownership and history.
    jonatack commented at 3:21 pm on September 25, 2024: 
    0Octojoin achieves partial obfuscation similar to Monero's ring signatures ([https://www.getmonero.org/2024/04/27/fcmps.html FCMP++] will replace ring signatures in the future) and stealth addresses. Swaps can be done off-chain to obscure the transaction's input ownership and history.
  5. in bip-octojoin.mediawiki:77 in 6b06823ec1 outdated 
    72+
73+Proof of Concept: TBD
74+
75+==Backwards Compatibility==
76+
77+This is a new protocol and has no compatibility issues. It is not a replacement for payjoin either and benefits from multiple interpretations on-chain.
    jonatack commented at 3:26 pm on September 25, 2024:
    Perhaps mention that BIP352 silent payments are a requirement, if I understand correctly.
  6. in bip-octojoin.mediawiki:13 in 6b06823ec1 outdated 
     8+
 9+==Introduction==
10+
11+===Abstract===
12+
13+This document describes the process to use swapped UTXOs for inputs, silent payment addresses for outputs, and hide the transacted amount with multiple interpretations.
    jonatack commented at 3:29 pm on September 25, 2024: 
    0This document describes the process to use swapped UTXOs for inputs, [[bip-0352.mediawiki|BIP 352]] silent payment addresses for outputs, and hide the transacted amount with multiple interpretations.
  7. in bip-octojoin.mediawiki:18 in 6b06823ec1 outdated 
    12+
13+This document describes the process to use swapped UTXOs for inputs, silent payment addresses for outputs, and hide the transacted amount with multiple interpretations.
14+
15+===Motivation===
16+
17+Payjoin requires coordination and sharing of UTXOs between sender and recipient. This affects privacy and UX in some cases. Octojoin avoids sharing of UTXOs and uses swapped UTXOs.
    jonatack commented at 3:39 pm on September 25, 2024:
    Suggest referring to BIP78 here or to which versions of payjoin, as a new version BIP77 is in draft at #1483.
  8. jonatack commented at 3:41 pm on September 25, 2024: member
    A few comments. It may be good to reach out to garner more feedback (i.e. perhaps you and @DanGould, author of #1483, can each review each other’s draft.)
  9. 1440000bytes force-pushed on Oct 7, 2024
  10. 1440000bytes force-pushed on Oct 8, 2024
  11. add bip for octojoin c52c746cc1
  12. 1440000bytes force-pushed on Oct 8, 2024
  13. in bip-octojoin.mediawiki:88 in c52c746cc1 outdated 
    83+    x-axis [Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep]
84+    y-axis "Transactions (in thousands)" 0 --> 160 
85+    bar [125, 143, 157, 130, 117, 106, 121, 123, 127]
86+</source>
87+
88+Transactions that already use 3 inputs and 2 outputs will serve as the anonymity set for octojoin transactions with default values. It is possible to change defaults and use more number of inputs and outputs.
    jonatack commented at 5:48 pm on October 8, 2024: 
    0Transactions that already use 3 inputs and 2 outputs will serve as the anonymity set for octojoin transactions with default values. It is possible to change defaults and use a higher number of inputs and outputs.
  14. in bip-octojoin.mediawiki:92 in c52c746cc1 outdated 
    87+
88+Transactions that already use 3 inputs and 2 outputs will serve as the anonymity set for octojoin transactions with default values. It is possible to change defaults and use more number of inputs and outputs.
89+
90+====Swapped UTXOs====
91+
92+Swapping UTXOs off-chain will obscure the transaction's input ownership and history. It also adds more noise on-chain to make chain analysis difficult
    jonatack commented at 5:49 pm on October 8, 2024: 
    0Swapping UTXOs off-chain will obscure the transaction's input ownership and history. It also adds more noise on-chain to make chain analysis difficult.
  15. in bip-octojoin.mediawiki:47 in c52c746cc1 outdated 
    42+
43+Users should label some UTXOs as “octojoin” so that they can be used in octojoin transactions. Ideally, these UTXOs should be ones that have been swapped with others and are linked to someone else’s transaction history.
44+
45+'''Input Obfuscation with Off-Chain Swaps'''
46+
47+Do off-chain swaps (e.g. statechain, submarine swaps, or coinswap) to obtain UTXOs with different histories. Ensure that all inputs come from other users except one belonging to the sender, making it difficult for on-chain analysts to determine ownership.
    murchandamus commented at 7:29 pm on November 7, 2024:
    • A statechain UTXO is co-owned by the statechain operator and the last recipient in a multisig. Multisig inputs do not participate in the secret derivation.
    • Submarine swaps refer to a multi-hop lightning payment whose last hop is executed as an on-chain payment to the recipient. Submarine swaps are easily identifiable via an on-chain HTLC construction and also include a multisig construction.
    • A coinswap is a payment received to the recipient whose inputs were not controlled by the sender.

    Given that two of the listed examples exhibit uncommon patterns, and the third constitutes a payment to a wallet that was executed by a different UTXO owner than the sender, it’s not clear to me how a transaction funded by a combination of such inputs would have significantly improved privacy properties. If an observer simply categorizes the inputs and analyses their pedigree under the corresponding context, it seems likely that a transaction would be sufficiently recognizable as an Octojoin and given the small number of Statechain and Submarine Swap providers, potentially even identifiable via information requests to such service providers. Could you please expand the motivation section by elaborating your arguments why participation in this scheme is expected to lead to a privacy improvement?

    1440000bytes commented at 7:04 pm on February 16, 2025:

    A statechain UTXO is co-owned by the statechain operator and the last recipient in a multisig. Multisig inputs do not participate in the secret derivation.

    I do not understand what you mean by secret derivation here but swaps are possible using statechains. It is described with an example in this blog post: https://uncensoredtech.substack.com/p/octojoin

    Submarine swaps refer to a multi-hop lightning payment whose last hop is executed as an on-chain payment to the recipient. Submarine swaps are easily identifiable via an on-chain HTLC construction and also include a multisig construction.

    This is a swap tx using boltz and looks normal to me: https://mempool.space/testnet/tx/e72f8323de0fa8eb9540041a787d4b89694040fd0a674701877f0a352b8f3685

    A coinswap is a payment received to the recipient whose inputs were not controlled by the sender.

    https://github.com/citadel-tech/coinswap can be used to swap UTXOs which will be part of octojoin transactions along with normal inputs.

    If an observer simply categorizes the inputs and analyses their pedigree under the corresponding context, it seems likely that a transaction would be sufficiently recognizable as an Octojoin and given the small number of Statechain and Submarine Swap providers, potentially even identifiable via information requests to such service providers.

    Octojoin transactions will always look normal on-chain. Leak during swaps is out of context for this BIP still added as attack vectors.

    Could you please expand the motivation section by elaborating your arguments why participation in this scheme is expected to lead to a privacy improvement?

    Done

  16. murchandamus commented at 7:38 pm on November 7, 2024: contributor
    The hard part of this scheme appears to be the acquisition of inputs from varied sources, but then the proposed approach in this BIP seems to amount to using such UTXOs to fund an ordinary silent payment. It’s not clear to me whether this BIP draft amounts to an original innovation, given that the method of acquiring UTXOs of varied backgrounds does not appear to be in the focus of this BIP.
  17. murchandamus added the label PR Author action required on Nov 7, 2024
  18. 1440000bytes commented at 6:43 am on November 8, 2024: none

    It’s not clear to me whether this BIP draft amounts to an original innovation, given that the method of acquiring UTXOs of varied backgrounds does not appear to be in the focus of this BIP.

    This BIP isn’t about acquiring UTXOs but using them. Input selection used in such transactions along with outputs is the original innovation.

    Example for an octojoin transaction (both outputs belong to recipient): https://mempool.space/signet/tx/5447f526c64d4f00171f024aae38a1c347ad00e7a295247f9c6acfca21ed2655

    I will address other comments after adding more things in next commit.

  19. address review comments 3695241cf3
  20. add acknowledgement section 5fb151c6e9
  21. 1440000bytes marked this as ready for review on Feb 16, 2025
  22. 1440000bytes commented at 7:06 pm on February 16, 2025: none
    I have addressed all the review comments, added acknowledgement section and a link to proof of concept (WIP). I will add more technical details in next commit which will include output amounts, change etc.
  23. jonatack removed the label PR Author action required on Feb 17, 2025
  24. murchandamus commented at 7:49 pm on February 18, 2025: contributor
    I am not convinced that the idea to “acquire at least two UTXOs from swap services and use those as additional inputs when you make a silent payment” has demonstrated sufficient interest to be BIPable.
  25. 1440000bytes commented at 8:19 pm on February 18, 2025: none
    There is some misunderstanding. Number of inputs and outputs are not fixed. Its a minimum that 2 swapped inputs should exist. Silent payment exist so that you can get multiple addresses.
  26. 1440000bytes commented at 8:24 pm on February 18, 2025: none
    I appreciate your review and not aware of new rules but BIP editors should not get in to these things.
  27. 1440000bytes commented at 8:31 pm on February 18, 2025: none
    image
  28. 1440000bytes commented at 8:54 pm on February 18, 2025: none

    I don’t have time for this politics and drama, I dont need your certification for my BIP.

    Here’s the BIP: https://github.com/octojoin/bip/blob/main/bip.mediawiki

  29. 1440000bytes closed this on Feb 18, 2025


1440000bytes jonatack murchandamus

Labels
New BIP

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-02-22 08:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me