Hi Monero community!
Two months ago I posted a CCS for continuing my research on Monero Atomic Swaps. That research is now complete and I’m happy to present my results.
This post will be a summary of my research, but you can also find the whitepaper that describes the full protocol and all the details here.
Shiny BTC/XMR Atomic Swap Protocol!
We found it! With the help of the MRL, my colleagues, and the community, we created the first (to our knowledge) protocol to atomically swap bitcoin and monero. And this resulting protocol is implementable today – no more obscure crypto!
Why now? What changed?
When I started studying Monero for a Bitcoin/Monero atomic swap three and a half years ago, most of the swap protocols where based on ‘Hash Time Locked Contract’ (HTLC), something that we all know as non-existent on Monero. So the goal at the beginning of the project was to create an atomic swap where all the logic (timeouts, possible sequences of operation, secret disclosures, etc) is managed on the other chain: the Bitcoin chain.
The second difficulty with Monero and Bitcoin is their respective underlying cryptographic parameters: they don’t share the same elliptic curve, they don’t share the same signing algorithm; they have nothing in common! This makes the pair a bad candidate for other types of atomic swap that don’t (solely) rely on HTLC.
In November 2018 we came up with a draft protocol that respects the above constraints. Thus, the protocol requires a specific type of zero-knowledge proof to be trustless: a hash pre-image zero-knowledge proof. This type of zkp is not wildly used in practice, if at all. Thus the protocol works in theory, but with some obscure crypto, making the protocol a bad candidate for an implementation.
In early 2020, after presenting the draft protocol at 36C3 in December 2019, I discovered, by reference from Sarang Noether (MRL), Andrew Poelstra’s idea of doing a discrete logarithm equality across group zero-knowledge proof of knowledge (MRL-0010), meaning that we can prove some relations between elements in two different groups (two curves to simplify) and the paper by LLoyd Fournier on One-Time Verifiably Encrypted Signatures allowing secret disclosure with ECDSA.
With these two new (to me) cryptographic primitives, we were able to replace the previous zero-knowledge proof with a combination of the latter, making the protocol complete and practically feasible.
How it works
As a broad overview (and simplified) the protocol work as follow:
The monero are locked in an address generated by both participants
At the beginning, neither of the participants have the full control over the address; they both have half of the private key only
With the cross group discrete logarithm equality zkp, both participants prove to each other that the address on the Bitcoin chain is related to the address on the Monero chain
By means of Bitcoin scripts and ECDSA one-time verifiably encrypted signatures, one participant reveals to the other her partial private key by taking the bitcoin, allowing the other to take control over the monero
If the swap succeeds, A reveals to B, and if the swap is cancelled, B reveals to A. (We have a third scenario explained in the paper to force reaction and avoid deadlock.)
The obvious next step would be to have a working implementation on mainnet, but a ready-to-use implementation that is also robust and safe-to-use requires a lot of engineering work. Furthermore, even though the cryptography is not too obscure, most of it still also lacks an implementation.
I’ll post soon, if the community wants it, a CCS proposal to get my team and I to work on implementing this protocol, step by step, with the end goal of creating a working client/daemon for swapping Bitcoin and Monero. It would be very exciting to build that!
Thanks to the MRL and its researchers for their help, the CCS team, and the community for its support!
I hope I fulfilled the community’s expectations for my my first CCS – all feedback is appreciated.