Draft BIP Atomic Cross Chain Transfers

[telepatheic]

This thread references https://github.com/TierNolan/bips/blob/bip4x/bip-atom.mediawiki

[telepatheic]

The scheme in the draft BIP won't work because Alice only signs the first input of Bob.Payout, Bob is free to change the second input in order to not reveal x.

Signatures apply to the entire transaction.  There are options to only sign part of the transaction, but by default all outputs are signed.

No they don't, signatures apply to the whole transaction but with the other inputs set to 0 see https://en.bitcoin.it/wiki/OP_CHECKSIG

As mentioned in another thread, transaction signing is weird, complicated and needs updating.

[TierNolan]

Comments from the other thread by me

Thanks for looking at it.

Signatures apply to the entire transaction.  There are options to only sign part of the transaction, but by default all outputs are signed.

Alice.Bail.In can only be added to the blockchain exactly as written.

There is a weakness where Bob can spend Alice.Bail.In:1 without participating in the protocol.  It is assumed that fees are low enough that it doesn't matter.  If he does spend it, then he has to release x, so Alice can spend his fee on his Bail in.

Alice should not release her Bail-in until Bob does first.

and

What is the process that Bob uses to break the system?

Bob wants to spend Bob.Payout

He has a signed version of Bob.Payout input 0, signed by Alice.

He can add his own signature to that, and input zero is signed.

Alice's signature refers to the entire transaction except the input scripts.  It DOES include the tx-id and index number.

Bob cannot change what input 1 refers to.  He has to sign Alice.Bail.In:1.  That requires he reveals x.