On 2023-06-07 03:30, Burak Keceli wrote:
> If the service provider double-spends a transaction that enforces a one-time signature where Bob is the vendor, Bob can forge the service provider’s signature from the 2-of-2 and can immediately claim his previously-spent vTXO(s).

Hi Burak,

I'm confused. Bob owns some bitcoins that are timelocked against immediate withdrawal, but where he can spend immediately with the cooperation of service provider Sally. Bob transfers some bitcoins to Sally contingent on her spending an equal amount of bitcoins (minus a fee) to Carol. You already have a mechanism to enforce this contingency (tx outpoints), so if Carol doesn't receive the bitcoins from Sally, then Sally also doesn't receive the bitcoins from Bob. In other words, you already have atomicity for a single transfer.

Are you describing the effect over multiple transfers? For example, Bob previously transferred bitcoins to Sally and she paid users X, Y, and Z in transactions that are now confirmed onchain, although she hasn't yet swept Bob's funds. Now when Sally double spends the payment to Carol, Bob can not only reclaim the funds he gave Sally to pay to Carol (which was guaranteed by the atomicity), he can also reclaim the unswept funds he gave Sally to pay X, Y, and Z.

If so, I don't think that works. In a private protocol, Carol can't be sure that Bob and Sally are separate individuals. If they're the same entity, then any forfeit that Sally needs to pay Bob is just an internal transfer, not a penalty.

I'd appreciate any clarification you can offer.

Thanks!

-Dave

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev