1424 sats \ 3 replies \ @supertestnet 16 May \ on: Launched: BitEscrow - Non-Custodial Bitcoin Escrow Service bitcoin
I have a thread here where I outline why I think this is so cool. Here I've copy pasted it with slight modifications:
At its core it's "just" escrow software. It helps you create a 2 of 3 multisig where the escrow agent has 1 of the keys and the buyer and seller have the other two. But it's particularly cool because it takes that to the next level: it supports frost multisig, which makes it one of the first bitcoin apps to actually use taproot for what it was meant for, and it's also designed so that users can reuse their bitcoin as collateral in multiple contracts without actually moving it. So you can use this as the basis for bitcoin layer twos.
I also love what they do with their integrated signing device. There's this separate little module that holds your keys and does all of the signing, so the website never has your keys, it just asks this module if you want to sign the contracts, and the module asks you.
I would love to see that piece in particular spun off into its own little app. Too few bitcoin apps do this "separation of concerns" thing where your signing device is separate from the apps you interact with. The signing module could change all that and is worth a lot on its own.
I'm probably butchering this but I think it works like this. There are four people involved in every contract:
Alice's funds go into a 2 of 2 multisig with bitescrow and she gets a presigned "backout transaction" so that bitescrow never has custody of her funds. Suppose Alice wants to buy a car from Bob for $60k. Alice and Bob must first agree on who Carol should be (their agent, separate from bitescrow), then Alice gets bitescrow to cosign a transaction that would, if broadcast, move Alice's funds (1 btc) from the 2 of 2 multisig into a 2 of 3 multisig, where Alice, Bob, and Carol have the keys.
Now Alice sends Bob $60k "real" dollars (USD, not bitcoin). In the "happy path" Bob sends her the car and everyone is happy so Alice and Bob just cooperatively tell the escrow "nevermind, don't actually broadcast anything." And Alice's money thus stays in the 2 of 2 multisig with the escrow. If there's a dispute, bitescrow broadcasts the transaction putting the money into the 2 of 3 multisig whereupon what happens next is up to Carol, the agent: if she sides with Alice, that means Carol thinks Alice got jipped, so Alice gets her bitcoin back. If Carol sides with Bob, she thinks Alice never sent the USD, so Bob gets Alice's money.
But in the "happy path" Alice's money never moved! It still remains in her original 2 of 2 multisig with bitescrow, so she can reuse it in another contract. Your bitcoin is used as collateral for contracts where you actually send something else (not bitcoin) and only use bitcoin as a fallback in case there is a dispute. This should scale really well, and it's also neat that bitescrow never custodies any user funds. They do have to be trusted not to collude with Alice though.
I think that's the basic model but @BlueSlime or @Tristan can correct my errors.
they could do like what mutiny wallet does and run most of the node in the browser, and for the rest use a web based proxy
it allegedly turned out LND was not on our side, and had the WEF pulling strings, despite their vehement denial. So, like any responsible pleb, I closed all my channels, removed LND and the whole stack of apps, and gave them the middle finger
Ok um...someone made an allegation so you did the "responsible" thing and erased the software you enjoyed? What if I make an allegation that linux is controlled by the wef, are you gonna erase your operating system too? If I allege that the golden gate bridge was funded by the wef are you gonna be "responsible" and jump off it? Seems like a pretty easy way to control you, I'll just watch for whenever you do something I don't like and then I'll allege that the wef wants you to do that
Maybe the next time someone alleges the wef is behind some piece of software you like you'll think twice before uninstalling it. Do a little independent thinking is my recommendation and don't just believe random allegations you find on the internet
There are two easy ways to control someone: if you find out they always do whatever you say, tell them to do X, and watch them do it. And if you find out they always do the opposite, just tell them not to do X, then watch them do it.
perhaps they appreciate the information about the kickout protocol even though it addresses something else
I talked with some folks about sybil resistance after making that post and it looks like the two main sybil resistance methods are:
- ensure every coinjoin costs a high fee so that sybils bankrupt themselves by joining it with multiple fake accounts
- make each coinjoiner prove they deposited 4x the coinjoin amount into a timelocked bitcoin address that they get back after a year, ensuring that sybils don't have enough money to make lots of fake accounts
Of the two models I think the first one is easier to implement (I can just increase the mining fee parameter) but I prefer the second option
I love stuff like this! Going through this tutorial would make an excellent workshop for a bitdevs or similar, and it would also be great to present at a bitcoin conference
Emessbee also requires users to pay for their own block space. The mining fee is calculated after all change addresses are submitted, then divided up equally among all participants, and deducted from the amount that would otherwise go to users as change
I took a lot of inspiration from joinmarket, which is the only coinjoin software I've ever used (other than testing my own). But I think I found a better way to banish sybils aka trolls, though I haven't yet implemented it.
The Kickout Protocol (not yet implemented in Emessbee)
Kicking trolls out of Round 1
Suppose in round 1, 100 people register for a coinjoin. If a troll never enters this round, no harm is done. If a troll sends a registration message for this round, there are three ways he can do it incorrectly: not register a valid change output, not register 1 or 2 valid inputs, or register 1 or 2 valid inputs but without proving ownership (you're supposed to sign a recent blockhash with the inputs' private keys). All of those are publicly detectable by every participant, so everyone simply ignores messages that fail any of these steps, and thus every honest participant continues to round 2 with the same set of other honest people. In other words, trollish "Round 1" messages are discarded by all honest parties, so they have no effect, it is as if the trolls never sent a message and thus never entered Round 1.
Kicking trolls out of Round 2
Suppose the trolls did round 1 correctly and are now in round 2. There are three ways a troll can do round 2 incorrectly: not register a valid "equal amount" output, register "too many" equal amount ouputs, or not provide a valid ring signature proving they were in round 1. All honest parties discard messages that lack valid ring signatures, so that part has no effect, it is as if they never sent the message. To detect a troll who uses either of the other two trollish behaviors (i.e. they register 0 or more than 1 "equal amount" output), all parties sum up the number of equal amount outputs and, if it is not equal to the number of people who were in round 1, they know a troll is among them. Therefore, every honest participant should send a new message to the group that unmasks their ring signature, thus revealing which of their inputs map to which of their outputs. If anyone does not do this, or if their now-mapped signature demonstrates that they submitted multiple outputs, the honest participants have identified a troll and the troll's inputs (they are whichever inputs were in a "round 1" message whose "ringsig pubkey" has not been unmasked as "belonging to" one of the outputs), so they kick that troll's inputs out of the group and restart with the remaining honest people. Continue this procedure until you enter round 3 or you are the only coinjoiner left, which just means there were no other honest coinjoiners in your group, so try again in the next round.
Kicking trolls out of Round 3
Suppose the trolls did rounds 1 and 2 correctly and are now in round 3. There are two ways a troll can do round 3 incorrectly: not provide valid "btc sigs" for their inputs or not provide a valid ring signature proving they were in round 1. All honest parties discard messages that lack valid ring signatures, so that part has no effect, it is as if they never sent the message. And if any troll did not send valid btc sigs, kick his inputs out of the group and restart with the remaining honest people. Continue this procedure until round 3 is done or you are the only coinjoiner left, which just means there were no other honest coinjoiners in your group, so try again in the next round.
Conclusion
If any troll goes through rounds 1, 2, and 3 properly, then they were not a troll, they did the coinjoin all the way through, so huzzah! But by the above methods you can kick a "real troll" out of any round (1, 2, or 3) and then redo the coinjoin with the remaining honest participants. This seems better than using fidelity bonds which make it so that many bitcoin holders cannot participate in joinmarket. Please let me know if you see any flaws in this protocol. I hasten to add, I have not implemented this "kickout protocol" yet, so Emessbee is currently flawed in exactly the way you identified: sybils can flood any attempt with fake messages to disrupt it and stop it from happening. But if Emessbee works in the happy path (it does) and if the kickout protocol can "enforce" the happy path, then I think we're in good shape.
Yes, you can find a "regular" coinjoin coordinator that's running behind tor and hope whoever is running it continues to successfully hide from the government
if you use nostr as a "bulletin board", wouldn't they make the argument that the relay operators are coordinators?
They can make any argument they like but good luck shutting down every nostr relay e.g. in Jamaica, Russia, and Cuba. Also, this argument would imply that every text forum is a money transmitter. Good luck getting a court to agree.
Are there any other ways you could run a "bulletin board" without the semi-centralization of relays?
Yes, you could post the messages in a group chat on Twitter, Telegram, Signal, IRC, Session, Simplex, Tor, or literally any other place where it's possible to (1) send a message and (2) read other people's messages
You could probably even find a government website where you can do that
The only way they can stop this service is by taking down the entire internet
Here is the demo video from the BTC++ hackathon:
And in the following video (from BTC++'s Workshop Day) I outline the protocol in greater detail:
An implementation of the Ark second-layer payment protocol for Bitcoin
It calls itself "the Ark second-layer payment protocol"
That is different from calling itself "the payment layer," as if there is no other
There is no other second layer payment protocol called Ark so it is perfectly reasonable to use a definite article ("the") in order to distinguish this layer two from other second layer payments protocols called other things (e.g. lightning)
Another second layer!! ... WTF is going on?
You sound upset, why? What is wrong with more second layers? Devs are just devving my friend, it's what we do
I'd have to hear his input on how easy he might think it would be to do that protocol with pen and paper
not easy
for hedgehog to work you have to create a preimage & hash in every transaction, as well as two bitcoin signatures. A guy in this video shows how to create a preimage & hash with pen and paper. It looks like it would take about 8 hours of full time work and you'd probably make a mistake somewhere, so you'd likely need a team of three people to check your work. It is my understanding that creating a signature manually is about twice as difficult as creating a hash manually, and you need two of those per transaction so it's about four times as much work to make the signatures. So you're looking at five days of 8 hours of work for a team of four people -- per transaction.
But why do this with pen and paper? In this hypothetical scenario, did the USA also confiscate and ban all graphing calculators? It only takes a graphing calculator about a second to calculate a hash or a signature, so you'd simply have to program it for that -- and I'm sure such programs would be released as shareware. (There's one for gameboy already, so start with that and modify it for a ti-86, which should be easy because they are both 8bit processors with Assembly support. Or literally use a gameboy.)
I have had no problems leaving it closed most of the time and only opening it up when I need to make a payment. But since I live on bitcoin and use it in several of my day to day purchases, I generally open it up multiple times per day. Electrum also has a watchtower option so you can find someone who's running one and ask them if you can plug their watchtower info into your electrum wallet.
Watchtowers do not have custody of your funds but they do have some presigned transactions they can broadcast to close your channels, and you're trusting them to do that if you don't think you can get online in time to punish your counterparty if they try to cheat. There are instructions for running a watchtower here, consider running one for your friends and having them run one for you. It is my understanding that if you don't use a watchtower, you are safe as long as you open up your lightning node at least once during every two week period.
Electrum is the best
- easy to install
- built in graphical interface
- mobile and desktop support
- recommends good routing nodes by default
- option to manually connect to any other node
- option to control via command line
- option to automate on servers via json rpc
- excellent documentation, just run
electrum help
I don't know why it gets so little attention. IMO it's far more normie friendly than something like LND, CLN, or Eclair, because it's designed to be used visually with its integrated, excellent gui. The others have UIs but you have to pick one, and they are made by other devs with varying degrees of confusingness mixed in. Electrum strikes the right balance IMO: normies can use a standardized interface that looks nice and matches what they'd expect from a desktop or mobile app, and power users can access advanced features from the menus, or, if that's not enough, there are the command line and RPC options.
Try bitpac.org -- it's super easy to set up a multisig there, all you need is a nostr profile from each party
I used joinmarket to coinjoin my coins, and the best part was, I never paid a cent
I just ran it in "market maker" mode and people paid me to coinjoin with them
I also wrote a little tool here that alerts you via Telegram whenever someone pays you to coinjoin with them, and tells you how much money you made
I doubt it still works but maybe I should check and make sure
This is clearly an attempt to scare people, but it's not working. You can't lump everything together. And if I compile my own wallet, do I have to do KYC on myself? Ahahahah
I think they would go after any node that relays your transactions and charge them with transmitting money sans KYC
Well, I don't think they would do that, but I wonder if they want node operators to worry about a dragnet operation -- "if I keep running this node they're coming after me!"