Design of Deniability Proofs

[mojoX911]

Deniability Proof

Problem Statement

Deniability proof allows users to prove they performed a coinswap. This is useful if a user faces legal persecution based on transaction history from a swap counterparty.

Users can provide proof data that univocally demonstrates they performed the coinswap, proving the transaction history is not their own.

The proof system verifies:

• A specific outpoint matches the Coinswap tapscript/redeemscript pattern.
• The user owns their portion of the Musig2/Multisig pubkeys.
• The user owns the hashlock pubkey in the contract redeemscript/tapscript.

This proof must be stored on disk after swap completion and can be included in the end-of-swap report.

Proof Data

The proof system varies slightly between Taproot and P2WSH protocols. Required data:

Taproot:

• (txid:vout) of the contract output.
• Tapscript data: internal pubkey, timelock script, hashlock script.
• All Musig2 pubkeys used for the internal key: PubMine(musig) and PubOther(musig).
• Sig(musig): Signature from PubMine(musig) over the serialized contract tx.
• Sig(hashlock): Signature from PubMine(hashlock) over the serialized contract tx.

P2WSH:

• (txid:vout) of the funding transaction output.
• Pre-signed contract transaction.
• HTLC redeemscript containing PubMine(hashlock).
• 2-of-2 multisig redeemscript with PubMine(multi) and PubOther(multi).
• Sig(multi): Signature from PubMine(multi) over the serialized contract tx.
• Sig(hashlock): Signature from PubMine(hashlock) over the serialized contract tx.

Verification

Verification of the proof data must be done with the following steps.

Taproot

• Retrieve the contract tx output from the blockchain using (txid, vout).
• Reconstruct the taproot script_pubkey from internal pubkey, timelock script, and hashlock script, then match against the output.
• Verify internal pubkey is a valid Musig2 aggregate of PubMine(musig) and PubOther(musig).
• Verify PubMine(hashlock) exists in the hashlock script.
• Verify Sig(musig) against PubMine(musig).
• Verify Sig(hashlock) against PubMine(hashlock).

P2WSH

• Verify the contract tx references the same funding (txid:vout).
• Verify the HTLC redeemscript compiles to the contract tx output's script_pubkey.
• Verify PubMine(multi) is in the 2-of-2 multisig redeemscript.
• Verify PubMine(hashlock) is in the HTLC redeemscript.
• Verify Sig(multi) against PubMine(multi).
• Verify Sig(hashlock) against PubMine(hashlock).

These checks together ensures that all proof data are correct and the swap did happened. Providing plausible deniability for the users.

[stark-3k]

Looks good, we just need a new structure in the wallet to store this data and verification functions to validate the deniability claim. Although, I also think that keeping track of the corresponding outgoing utxo/swapcoin will also be helpful here to further validate the claim.