AdamISZ / CoinSwapCS

Simple implementation of Bitcoin CoinSwap, client-server
GNU General Public License v3.0

Multi-hop coinswaps #48

Open chris-belcher opened 6 years ago

chris-belcher commented 6 years ago

A downside of two-party coinswaps is that Carol knows exactly where Alice's coins went.

For JoinMarket we can say that only the customer taker knows exactly where their coins went; we couldn't say that for coinswap. In that situation coinswap becomes exactly like using a centralized mixer except that the mixer charges lower fees and can't steal your money. The privacy is the same; coinswap wouldn't be very revolutionary if it's just a cheaper and less risky BitcoinFog.

A way to improve on this is multi-hop coinswaps, where Alice chooses many Carol servers and creates a series of coinswaps going through all of them, with Alice's payment coming from the last Carol. Each Carol wouldn't know their place in the chain.

The idea of this was discussed before here https://gist.github.com/adlai/976d308efdb2e886ecb9#gistcomment-1593458

Whether it's actually worth doing depends on what you believe the point of coinswap is. Also depends on how private Lightning Network ends up being.


Multi-hop coinswaps won't need a protocol change; I think they use the same Carol code as for two-party coinswaps. They could work by having Alice connect to each Carol, obtain their public keys/HX, open the 2of2 multisigs and do the coinswap protocol as normal. The multisigs are between the Carol servers, but the TCP connections are between Alice and a Carol.

The system of multisigs:

Alice <--- multisig ---> Carol1 <--- multisig ---> Carol2 <--- multisig ---> Carol3

The system of tcp connections:

Alice <--- tcp ---> Carol1
Alice <--- tcp ---> Carol2
Alice <--- tcp ---> Carol3

In this way, each of the Carols won't know whether they have opened a 2of2 multisig with Alice or with another Carol. Alice relays public keys, signatures, partially-signed transactions and X values. If Alice or any Carol disappears or becomes evil, then the smart contract of coinswap will mean nobody will lose any money, only privacy.

chris-belcher commented 6 years ago

Small point that in the protocol it must be possible to configure who generates random number X and who doesn't. So for example in the Carol2 <--> Carol3 coinswap, Carol2 should know to generate X and Carol3 does not. Obviously it doesn't make sense for Alice to generate X for that coinswap, she only relays it.
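A toy model of the relay arrangement described in the two comments above, added here as an illustration and not taken from CoinSwapCS or from the commenter. It covers only the X/HX hashlock messages for the multisigs in the diagram (keys, signatures, transactions and the payout back to Alice are left out); SHA-256 as the hash, Alice generating X on her own hop, and all function names are assumptions.

```python
import hashlib
import os

ALICE = "Alice"

def plan_hops(carols):
    """One coinswap per adjacent pair in Alice -> Carol1 -> ... -> CarolN.
    Assumption: the upstream party of each hop is configured to generate X."""
    chain = [ALICE] + list(carols)
    return [{"upstream": up, "downstream": down, "generates_x": up}
            for up, down in zip(chain, chain[1:])]

def deliver(transcript, origin, dest, kind, payload):
    """Move a value from origin to dest over TCP links that all have Alice at one end."""
    if origin != ALICE:                       # a Carol hands the value to Alice first
        transcript.append((origin, ALICE, kind))
    transcript.append((ALICE, dest, kind))    # Alice passes it on (or sends her own)
    return payload

def run_hop(hop):
    """Hashlock setup and reveal for one hop; returns (transcript, downstream_check)."""
    transcript = []
    x = os.urandom(32)                        # made only by hop["generates_x"]
    hx = hashlib.sha256(x).digest()           # SHA-256 is a stand-in hash (assumption)
    got_hx = deliver(transcript, hop["generates_x"], hop["downstream"], "HX", hx)
    got_x = deliver(transcript, hop["generates_x"], hop["downstream"], "X", x)
    return transcript, hashlib.sha256(got_x).digest() == got_hx

def view(transcript, party):
    """What one party observes on its own TCP link: (peer, direction, message kind)."""
    seen = []
    for sender, receiver, kind in transcript:
        if sender == party:
            seen.append((receiver, "out", kind))
        elif receiver == party:
            seen.append((sender, "in", kind))
    return seen

if __name__ == "__main__":
    for hop in plan_hops(["Carol1", "Carol2", "Carol3"]):
        transcript, ok = run_hop(hop)
        print(hop["upstream"], "->", hop["downstream"], "| X by", hop["generates_x"],
              "| hashlock ok:", ok, "|", view(transcript, hop["downstream"]))
```

The downstream Carol's view is the same whether the other side of the multisig is Alice or another Carol, because every message reaches it over the connection to Alice.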

chris-belcher commented 6 years ago

Following a conversation with waxwing on IRC, the fees stuff needs to be revamped for this because it's designed to stop DoS.

(Current fees scheme is here https://github.com/AdamISZ/CoinSwapCS/blob/master/docs/fees.md)