AdamISZ

PathCoin

Caveat

Before we begin: this post describes a very limited protocol idea. It's possible that what we describe here is a start towards, or a component of, something genuinely useful, but in itself it's really more of a toy, albeit it's fun.

Non-interactive digital cash

Since the 90s, there was a dream that cash could be sent online just like email. We've basically been experimenting with tradeoffs against this pure vision ever since. Sometimes the tradeoff is: there's a central party we have to trust (either with our privacy or our money or the management or inflation or..), but otherwise we get the goal. Often the tradeoff includes: we have to interact with the receiver. In pretty much every case there's an online-ness requirement: we have to exchange messages with a p2p network of active nodes (bitcoin) or a central server and our counterparty, or at least, directly with our counterparty (e.g. Lightning) in the payment transaction.

AdamISZ

# A reminder of how to "prove" you're Satoshi.

# ("reminder" - this was done (with tongue in cheek, presumably)
# by someone on Twitter a few years ago).

# 1. We need the public key of the receiving address of (e.g.) block 1.

# it is on the blockchain in uncompressed form (P2PK):

block1_uncompressed_output_key_hex = "0496b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52da7589379515d4e0a604f8141781e62294721166bf621e73a82cbf2342c858ee"

AdamISZ

Chaumian cash in a Bitcoin world - cashu, Fedimint

What's this for?

• More scalable/faster than a blockchain (not enough utxos)
• Much better privacy security model than a blockchain
• Same or better theft security model than TTP but much worse than a blockchain

If it's so great, why hasn't it been done yet?

AdamISZ

As per footnote 2 in the draft BIP here, it is possible in MuSig2 to create a partial signature which verifies correctly to the other participants, even though the adversary does not know the secret key corresponding to the given public key, but only by the adversary taking the role of at least one other participant, and in that case it is not possible to create a partial signature for that other public key, even if the corresponding private key is known.

The purpose of this gist is to work through the mathematical details of the above statement, as it isn't, probably, obvious to most readers (although it may be at least somewhat intuitive - think about 'free variables').

Setup: keyset $L = X_1 , X_2 , X_3 , X_4 , X_5$. The adversary will take the roles of indices 4 and 5, and will forge a partial signature on key $X_4$, not knowing the corresponding secret $x_4$, on a given message $m$. Assume the adversary does kn

AdamISZ

### This module illustrates how Back's variant
# of the LSAG (linkable spontaneous anonymous group)
# signature of Liu Wei Wong 2004, works.
# There is no command line tool, only a set of tests
# as sanity checks that the algorithm is correct.
#
# To use, pip install python-bitcointx (which comes from:
# https://github.com/Simplexum/python-bitcointx )
# and note that installation of this will only work if it
# succeeds in finding libsecp256k1 on your system.

AdamISZ

(parentheses + italics = commentary, questions on how these challenges are structured. obviously not intended to be in the text for the students.)

Challenge 1: The fees are all mine(d) (3/10)

(This challenge is focused on not needing any coding skills and just discussing/knowing basic bitcoin mechanisms)

Tx number	Fee /sats	Weight	Standard?	Consensus valid?	Spends from
1	58M	3.6M	✔️	✔️	4

AdamISZ

import os
from optparse import OptionParser
from jmbase import jmprint
from jmclient import load_program_config, LegacyWallet, VolatileStorage, get_network


def get_parser():
    description = (
        'Use this script to extract keys and addresses from pre-segwit '
        'Joinmarket wallets if you do not have access to Bitcoin Core. Specify '

AdamISZ

#!/usr/bin/env python3

""" Tool to take sets of Joinmarket coinjoin transactions,
    and do subset sum iteration to find possible sets of taker
    inputs, based on an assumed max possible value of maker fees
    (see tolerance).
"""

from itertools import combinations, chain, product
from jmbitcoin import CTransaction, is_jm_tx, CScript

AdamISZ

pre-requisite: a Bitcoin Core instance, set up regtest and start running it.
Before starting run, set up a bitcoin conf in say ~/bitcoin.conf and put:

rpcuser=user
rpcpassword=password
txindex=1

Then, ./bitcoind -regtest -daemon -conf=/home/username/bitcoin.conf

or whatever. Make sure to generate some blocks.

AdamISZ

We are working in pairs. One person is HOLDER. One person is RECEIVER.

Instructions for RECEIVER

As receiver, you don't know much about Bitcoin!! So:

1. Download a wallet on your phone. There are many apps, but we need to use signet. Please download Padawan wallet on Android or iPhone , which is signet by default and is very simple. If that fails, use the Electrum wallet on your computer, as instructed to the HOLDER.
2. Create a new wallet, write down the seedphrase on paper, (go to Settings->Recovery Phrase), and create a receiving address. Give the receiving address to your HOLDER.