Fidelity Bond

[Shourya742]

FIDELITY BOND

Introduction

Fidelity bonds are an integral part of Coinswap, designed to enhance resistance against Sybil attacks, which in turn improves the system’s privacy.

A fidelity bond is a mechanism in which a user deliberately locks a certain amount of bitcoin, making it costly to create a new cryptographic identity. The lockup is done in such a way that its value can be publicly verified. In the Coinswap process, takers are more likely to initiate coinswaps with makers who have staked more valuable fidelity bonds. This makes Sybil attacks significantly more expensive because an attacker would need to lock up a large amount of bitcoin to frequently be chosen as a counterparty in the swaps.

For makers, locking bitcoin as a fidelity bond can increase their participation in coinswaps and, consequently, their fee earnings. The most practical way to establish a fidelity bond is by sending bitcoin to a time-locked address using the opcode [OP_CHECKLOCKTIMEVERIFY](https://en.bitcoin.it/wiki/Timelock#CheckLockTimeVerify). In this case, the "sacrifice" comes from the time-value of money, as the bitcoin is locked and unusable for a period. However, long-term bitcoin holders (or hodlers) can create time-locked fidelity bonds at minimal cost, assuming they don’t plan to use their funds for transactions in the near future.

Note on privacy

A Bitcoin transaction which creates a fidelity bond will be published to the entire world, so before creating them make sure the coins are not linked to any of your privacy-relevant information. Also, use a sweep transaction which does not create a change output when funding the timelocked address. Change addresses can also leak privacy information and the best way to avoid that is to not create change outputs at all i.e. use only sweep transactions.

Once the timelocked addresses expire and become spendable, make sure you don't leak any information then either, mix afterwards as well. If your timelocked address expires and you want to send the coins to another timelocked address then you don't need to mix in between, because no privacy-relevant information linked to you has been leaked.

---

---

---

Spending time-locked coins

Once the time-lock of an address expires the coins can be spent with Coinswap.

What amount of bitcoins to lock up and for how long?

A fidelity bond is valuable as soon as the transaction creating it becomes confirmed. The simplified formula for a fidelity bond's value is:

bond_value = (locked_coins * (exp(interest_rate * locktime) - 1))^x

Here x is the 'exponent', a number larger than 1, for reasons we explain below.

A few important things to notice:

• The bond value goes as the (locked_coins)^x of sacrificed value. For example if x is 1.3, the current default, and your sacrificed value is 5 BTC then the fidelity bond value is ~ 8.1. If instead you sacrificed 6 BTC the value is ~ 10.3. The point of this is to create an incentive for makers to lump all their coins into just one bot rather than spreading it over many bots. It makes a sybil attack much more expensive.
• The longer you lock for the greater the value. The value increases as the interest_rate, which is configurable in the config file with the option interest_rate. By default it is 1.5% per annum and because of tyranny-of-the-default takers are unlikely to change it. This value is probably not too far from the "real" interest rate, and the system still works fine even if the real rate is something like 3% or 0.1%.
• The above formula would suggest that if you lock 3 BTC for 10000 years you get a fidelity bond worth 2.03e+85 (~ 2 followed by 85 zeros). This does not happen because the sacrificed value is capped at the value of the burned coins. So in this example the fidelity bond value would be just ~ 4.17. This feature is not included in the above simplified equation.
• After the locktime expires and the coins are free to move, the fidelity bond will continue to be valuable, but its value will exponentially drop following the interest rate. So it would be good for you as a maker to create a transaction with the UTXO spending it to another time-locked address, but it's not a huge rush (specifically, there's likely no need to pay massive miner fees, you can probably wait until fees are low).

Can maker use multiple timelocked addresses or UTXO?

Alternatively: Can I add more bitcoins to a fidelity bond that already exists?

No. Creating a new transaction which sends more bitcoins to a timelocked address will not add to the existing fidelity bond, but instead create a new one. The two fidelity bonds will not be combined. A maker only announces a single fidelity bond transaction UTXO, and it choses the most valuable one.

As a maker, you are generally stuck with the fidelity bond you create until it expires. You can still create a new fidelity bond and use that instead, but the old one will be unused. If you want to increase the value of a fidelity bond the best way to do that is to wait until it expires and then spend from the timelocked address combining with extra UTXOs you want to add, into a new timelocked address.

This is one reason why a maker who creates a fidelity bond for the first time should only lock up coins for a relatively short time, so that they can try out the whole thing, and don't have to wait too long before they add more coins.

Fidelity bonds in cold storage

To allow for holding fidelity bonds in cold storage, there is an intermediate keypair called the certificate.

UTXO key ---signs---> certificate ---signs---> endpoint

Where the endpoint might be a IRC nickname or Tor onion hostname. The certificate keypair can be kept online and used to prove ownership of the fidelity bond. Even if the hot wallet private keys are stolen, the coins in the timelocked address will still be safe, although the thief will be able to impersonate the fidelity bond until the expiry.

[rishkwal]

Architecture of The Fidelity Certificate

We need to ensure that every Fidelity is linked to a unique maker with a one-to-one mapping. So it makes sense to use the Fidelity pubkey as an unique identifier for every maker. Communication with the maker will require the taker to know the maker's connection endpoint. In order to ensure that the endpoint belongs to the same person/entity that owns the fidelity, we need to establish a cryptographic proof/link between the Fidelity and the endpoint. We can do this by signing the endpoint string with the Fidelity privkey but the problem with this approach is that in order to be able to change the endpoint, we would need to sign the new endpoint with the Fidelity privkey preventing us from holding the fidelity bonds in cold storage. This would increase the risk of loss of the fidelity private key and subsequently the loss of funds. In order to prevent this risk, the creation of a proxy keypair called the certificate is proposed that will sign the endpoint string on behalf of the Fidelity.

Generation of The Certificate

Once the Fidelity is created, the user could then create a certificate keypair(say cert_pub and cert_priv). Now in order to link the certificate keypair to the Fidelity, the user can sign the message string 'fidelity-bond-cert|'+ cert_pub + '|' + cert_creation_timestamp with the fidelity privkey.

Private Key Loss Mitigation

In case the user loses the private key of the certificate, they can create and propagate a new certificate keypair with the updated cert_creation_timestamp which will prevent the misuse of the previous certificate.

Signing The Endpoint Message

Now this cert_priv can be used to verify the communication endpoint of the maker.