Change Contracts using Atomic Transfers

Discussion in 'Official Announcements' started by eduffield, Nov 26, 2014.

  1. eduffield

    eduffield Core Developer
    Dash Core Team

    One of the most challenging parts of making an anonymous currency is dealing with change. After Darksend completes mixing on multiple sessions, a user has anonymous funds, but it's possible that after a purchase the change from a purchase could be recombined with that user's funds. This is a type of linkage called "forward linking".

    In the real world when you buy something from a merchant, you would give $100 to the merchant, then the merchant would provide you $4 in change. In the world of crypto, that $100 is split into $96 and $4. Afterward, you can always see they were once the same $100.

    So what if you could make a crypto-currency that pays change just like the real world?

    Change Contracts
    User A wants to buy a laptop from Merchant B for $96 (in dollars to make it easier).

    1. User (A) publishes a message to Merchant (B), saying I'll pay you $100 if you pay me back $4
    2. (B) signs this message, returning it to (A). This is the contract.
    3. A makes TX1 (pay $100 to B, only good if B pays A). A provides TX1 to B
    4. B makes TX2 (pay $4 to A, only if A pays B). B provides TX2 to A
    5. A & B make TX3 (A pays B $96) and TX4 (B pays A $4)
    6. A & B publish TX3 & TX4

    If TX3 & TX4 are both published, then the change went through.
    If either is not published A or B can publish TX1 or TX2 to ensure they receive the money.

    TX1 & TX2 will link the payments from the CScript, so this is not ideal. But it ensures the system remains trustless.

    With change contracts, you'll receive money in change that has absolutely no relationship to the money you paid. This will be done in two separate, unlinkable transactions. Due to this happening regularly on the network, a high quality mixing of funds will take place, making it much like traditional cash.

    This will be done at a protocol level, almost completely automatically. As a merchant, you'll receive "change contracts" and approve them; this will complete steps 1 to 4 automatically. However, once you sign and publish TX1 and TX2, there is no way to back out, so a merchant must make sure the payment is correct for the merchandise being purchased.

    After all is said and done, this is akin to a vendor paying you change from their drawer. Surely a huge improvement in the anonymity of Darkcoin.



    Thanks to UdjinM6 for helping out with the concept!
     
    #1 eduffield, Nov 26, 2014
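A toy UTXO model of the "forward linking" problem and of the change-from-the-merchant's-drawer idea described in the post above, added here as an illustration; it is not code from the post or from Dash. It models only the concept (the buyer pays a whole denomination, the merchant returns change from unrelated coins in a separate transaction), not the TX1 to TX4 escrow steps, and all txids, owners and amounts are constructed.

```python
# Toy UTXO model of the "forward linking" problem and the change-contract fix.
# Constructed example, not Dash code: txids, owners and amounts are made up.
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    inputs: list    # (txid, vout) pairs this tx spends
    outputs: list   # (owner, amount) pairs this tx creates

CHAIN = {}          # txid -> Tx, stand-in for the public ledger

def publish(tx):
    CHAIN[tx.txid] = tx
    return tx

def ancestors(txid):
    """Every txid reachable by following inputs backwards: what an observer sees."""
    seen, stack = set(), [txid]
    while stack:
        t = stack.pop()
        if t in seen or t not in CHAIN:
            continue
        seen.add(t)
        stack.extend(src for src, _ in CHAIN[t].inputs)
    return seen

def forward_linked(txid_a, txid_b):
    """True if the two transactions share any coin in their history."""
    return bool(ancestors(txid_a) & ancestors(txid_b))

def conventional_payment():
    """A spends a mixed 100: 96 to B plus 4 change, then later spends that change."""
    CHAIN.clear()
    publish(Tx("A_mix", [], [("A", 100)]))                      # A's mixed coins
    publish(Tx("pay1", [("A_mix", 0)], [("B", 96), ("A", 4)]))  # change is output 1
    publish(Tx("pay2", [("pay1", 1)], [("C", 4)]))              # A spends the change
    return forward_linked("pay1", "pay2")                        # -> True

def change_contract():
    """A pays the whole 100; B returns 4 from its own drawer in a separate tx."""
    CHAIN.clear()
    publish(Tx("A_mix", [], [("A", 100)]))
    publish(Tx("B_drawer", [], [("B", 4)]))                     # B's unrelated coins
    publish(Tx("pay1", [("A_mix", 0)], [("B", 100)]))
    publish(Tx("change", [("B_drawer", 0)], [("A", 4)]))
    publish(Tx("pay2", [("change", 0)], [("C", 4)]))            # A spends the change
    return forward_linked("pay1", "pay2")                        # -> False
```

The second scenario only shows that the ledger graph carries no link; timing correlation between the payment and the returned change, raised later in this thread, is a separate channel the graph walk does not capture.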
  2. oblox

    oblox Well-known Member

    Just so I am following logic, in step 3, A actually pays B 100, not the direct 96. The rest of it makes sense then. Does this automatically then become the default standard for change--remove change from the transaction for any overages on approval from the merchant or is it only for DS transfers? So if you wanted to buy something, how do you initially send a change contract? Does that just happen from communication outside of DS? I'd love to hear more on this because at first glance, it seems like it solves linkages.

    Finally, the last logical question would be a timeframe on implementing this change? I'm assuming it's a spork with enforcement back off.
     
  3. thelonecrouton

    thelonecrouton Well-known Member
    Foundation Member

    There is no spoon spork change. :tongue:

    edit: what happens when B doesn't have enough DRK to supply the 'change' to A?
     
  4. eduffield

    eduffield Core Developer
    Dash Core Team

    Oops, you got it. At first I'll add it just for anon purchases; they'll go through a completely different set of protocol commands. But eventually, it should be used for everything. However, the merchant must have a daemon running for it to work.
     
  5. Propulsion

    Propulsion The buck stops here.

    What happens when the seller shuts down the client before the change contract is paid?

    How would it be enforced?

    Is it cheatable?

    Edit: Is this the solution to the 'dead change' issue?
     
  6. thelonecrouton

    thelonecrouton Well-known Member
    Foundation Member

    It should be atomic - (via MN transaction locks?) - whole deal either happens or not.

    But: "If either is not published A or B can publish TX1 or TX2 to ensure they receive the money."
     
  7. eduffield

    eduffield Core Developer
    Dash Core Team

    No, it's trustless.
     
  8. oblox

    oblox Well-known Member

    Is there any way to embed it into the client (qt or darkcoind) so there isn't a separate daemon that needs to be run?

    Also, from the standpoint of the contract itself, how would the contract know what address (I'm assuming it generates a fresh address in A's wallet) to send the 4 drk to? Any linkages that can be used in this sort of communication?
     
  9. cryptoyogi

    cryptoyogi New Member

    For those of us less technologically advanced, is this very important or a technological breakthrough?
     
  10. oblox

    oblox Well-known Member

    It solves an important issue surrounding maintaining privacy in Darksend, the core feature of this coin.
     
  11. darkchild

    darkchild Member

    This is pretty important because it mimics real world cash payments together with privacy, and guarantees that you do get your change in return. I'm not sure why you would want to pay $100 when you can just pay the $96 unless it was some kind of instant rebate purchase.

    The more things we can do with the darkcoin wallet like this the more merchants darkcoin will attract.
     
  12. thelonecrouton

    thelonecrouton Well-known Member
    Foundation Member

    Example numbers to make it easier to grasp. The change issue is (usually, but not always, maybe you only have a 100DRK lump to spend) one of small (sub 1DRK) amounts in practice, but is important because those small amounts can provide information about past transactions and thus compromise your privacy.
     
  13. g8F98FF3gjafogj4

    g8F98FF3gjafogj4 Well-known Member
    Foundation Member

    What would happen if you wanted to anonymously send funds to someone's tip address but they didn't have a daemon running?
     
  14. illodin

    illodin Member

    Cons:
    • receiver must have wallet running when you're sending the money
    • receiver must have $4 (the example) to send back to you
    • you must have $1 (assuming denoms are $1, $10, $100) to send back to him (this gets more complicated if you want to send $93: send $100, receive $10, send $5, receive $1 and $1)
     
  15. UdjinM6

    UdjinM6 Official Dash Dev
    Dash Core Team Moderator

    Let's imagine that liquidity provider is a vendor too.... who sells "service" for 0.1 DRK...
     
  16. Minotaur

    Minotaur Well-known Member
    Foundation Member

    Can you explain a little bit better what happens if the receiver does not have the wallet running when the coins are Darksent?
     
  17. oblox

    oblox Well-known Member

    Right now it sounds like the receiving party would need to first agree to taking over the amount and sending "change" back as a new tx. How this works is beyond me.
     
  18. TaoOfSatoshi

    TaoOfSatoshi Grizzled Member
    Linguistic Dash Nation Founder Moderator

    See, it's like I said in the dead change thread, you give Evan enough time, he WILL figure it out!

    Thank you eduffield for taking the time to fully deal with this issue. This solution is loads better than the previous one. We will all benefit in the end!

    No joke brother, you are the man!
     
  19. aaxx1503

    aaxx1503 Active Member

    That's a very interesting solution to the problem. Kudos to the entire dev team. Was there an answer to the "what if the person doesn't have enough change?" question?
     
  20. oblox

    oblox Well-known Member

    Well... in every case, they would because the person sending would be "overpaying".
     
  21. JGCMiner

    JGCMiner Active Member
    Masternode Owner/Operator Moderator

    I think your second and third points are not really issues. As Oblox says above, the sender is overpaying and the receiver signs a contract to return the excess. There should be no problem sending to a wallet with 0 balance and multiple iterations to get the exact change are not necessary as I understand it.

    As for the first point... I wonder if a random masternode can be selected to lock the funds in escrow for say, 1 week worth of blocks -- such that, if the receiver runs the wallet software at any point during that window he receives the transaction. Else, the funds are released back to the sender when the window closes.
     
  22. thelonecrouton

    thelonecrouton Well-known Member
    Foundation Member

    But then you're back to square one - isn't the point of this that the 'change' you get back isn't your own? Therefore not really change at all. Therefore avoiding the change problem?
     
  23. crowning

    crowning Well-known Member

    Some random early-morning thoughts:

    • What if (for whatever reason) (A) never makes step 3? Or (B) step 4? Are the funds kinda locked and how are they unlocked? Timeout perhaps?
    • Also, what happens when "Evil-A" invests the money to make some kind of "Contract-Flooding"? Thousands of unfinished contracts.
    • And what if (B) hasn't the funds for the change? Will the contract be cancelled?
     
  24. darkwing

    darkwing Active Member

    Forgive me if I'm missing something key.. but would sending the correct amount to yourself not solve the problem? So person wants to send 1 drk needs 9 drk change. Client sends anon funds to self splitting 1 and 9 into separate addresses. While both link back to the original 10 drk address it is anonymous so what can be gathered? 1 Drk is then sent to the merchant (still only links back to an anon address) and the 9 change will have to be reanonymized. Or is that how it works now?

    These atomic contracts I imagine would be fantastic/necessary for instantX but is the above not a viable offline option?
     
    #24 darkwing, Nov 26, 2014
  25. thelonecrouton

    thelonecrouton Well-known Member
    Foundation Member

    Have the client automatically generate the exact 'chunk' prior to sending it, so there's no change. I like it. :) At least keeps the sub-denom amounts in wallet.
     
    #25 thelonecrouton, Nov 26, 2014
  26. oblox

    oblox Well-known Member

    The difference is that it's not coming back in the same tx. This leads then to the problem of looking at timestamp to match up change, but most likely fixed with a random delay in returning the second tx.
     
  27. thelonecrouton

    thelonecrouton Well-known Member
    Foundation Member

    What connects the two transactions? There's nothing on the blockchain to indicate they have anything to do with each other. You could point at any two transactions and claim some link, but where's the evidence?

    edit: I am assuming the contract specifies sending the 'change' to an address other than the spent-from one...?
     
  28. oblox

    oblox Well-known Member

    I also have some follow up questions to the ones that have been left unknown:

    1. Why does there even need to be a contract or a daemon open? Why can't the client, at the time you send, automatically round up to the nearest denomination, send the whole lot over and then, on receipt, have the masternode lock what should be change, setting it aside for a send back in a fresh tx at a random time (say within 3-6 blocks)? It seems in both cases anyone with a passphrase on their wallet will run into issues of needing to be around to unlock it for the second tx back acting as change. Both ideas (mine and Evan's) seem to counter the idea of going in the direction of Instantx if there are more steps involved in setting the transaction up, whether it be introducing a timer for when to release the funds or human interaction for prompting a passphrase for the secondary sendback.

    2. How is party B knowing where to send the tx back to? Obviously it needs to be a fresh address generated in wallet A, so how is the key being passed to B?
     
  29. drkhouse

    drkhouse Member

    I love Evan's work. But on this change thing, I am pretty sure most merchants will never have a daemon open.

    Based on this, I like this idea more.
     
    #29 drkhouse, Nov 26, 2014
  30. oblox

    oblox Well-known Member

    If we assume all anon transactions are this new smart contract method, aren't we shooting ourselves in the foot for future security and features (instantx)? The change is the problem so the fix would need to be on all the time when it comes to tx's requiring anonymity. If you implement smart contracts, there needs to be conditions involved with their usage, for example, time involved before reverting to one of the secondary cases. If you start having time involved, what good is instantx if x number of minutes need to go by anyway? From a security standpoint, the tx to a fresh address back to A would need to have the user have the wallet unlocked. Then there is the whole issue of the masternode still knowing where party B is going to send "change" to A in the first place.
     