Orange Samurai. Image by Toshiyuki IMAI via flickr.com. License: Creative Commons

As Monero (XMR) disappears from more and more exchanges, the Bitcoin wallet Samourai is opening up cross-blockchain P2P trading. It incorporates some of the latest cryptographic achievements.

It has been apparent for a long time, but has recently become increasingly clear: privacy coins like Monero (XMR) have no future on traditional exchanges.

Sooner or later, most exchanges will remove privacy coins from trading. They do not do this out of malice or ideology. Rather, it is impossible or at least extremely complex to bring privacy coins into line with the requirements that supervisors around the world demand, such as the Travel Rule.

This forces the Monero community to preemptively migrate underground. The acid test that the Bitcoin scene both feared and longed for from the start comes with Monero: Is a cryptocurrency viable if it is actually banned? When no financial institution in the world trades them?

Because Monero is now entering the phase for which many Bitcoiners have been preparing, the community is receiving support from the very Bitcoiners who feel most closely connected to the ideals of the cypherpunks. Samourai, a Bitcoin wallet that strengthens the privacy of its users with the Whirlpool mixing process, integrates a marketplace for the P2P exchange of Bitcoin for Monero. This means that Samourai is leaving the “Bitcoin-only” camp.

HTLCs, like Lightning

These so-called “Atomic Swaps” are now live in beta after the developers worked on them for around half a year. They allow an exchange without a third party and without trust between the parties involved. Essentially, they do for exchanges what Bitcoin does for transactions.

Such atomic swaps with Bitcoin have been known for a long time and have long been implemented for trading with Litecoin. They are based on “Hash Time-Lock Contracts” (HTLC), like those used by the Lightning network in Bitcoin. Bitcoins sent to an HTLC can be released under one of two conditions: proof of a secret, or after a certain time has passed.

In an HTLC-based exchange, the following happens: Both parties put the agreed sums into an HTLC. One party then sends the other the secret that they need to release the coins from the HTLC. However, the transaction through which this happens is constructed in such a way that it reveals the secret with which the other coins can be paid out. This is why the exchange is called “atomic”: it is effectively completed with a single action.

If the swap fails, it can be reversed after a certain period of time.
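The HTLC exchange described above, as an added toy simulation that is not code from Samourai or from any real chain: two constructed ledgers whose outputs can be spent either with a hash preimage or, after a timelock expires, by the refunder. Claiming with the preimage publishes it, which is what lets the other party claim their side; the block heights and the names “alice” and “bob” are assumptions.

```python
import hashlib

class Chain:
    # Constructed toy ledger: outputs locked by a SHA-256 digest plus a refund height,
    # and a public witness log that mimics a secret becoming visible on chain.
    def __init__(self, name):
        self.name, self.height, self.outputs, self.witnesses = name, 0, {}, []

    def lock(self, out_id, amount, digest, refund_to, refund_height, claim_to):
        self.outputs[out_id] = dict(amount=amount, digest=digest, refund_to=refund_to,
                                    refund_height=refund_height, claim_to=claim_to, spent=None)

    def claim(self, out_id, preimage):  # hash branch: needs the secret
        o = self.outputs[out_id]
        if o["spent"] or hashlib.sha256(preimage).digest() != o["digest"]:
            return False
        o["spent"] = o["claim_to"]
        self.witnesses.append(preimage)  # the secret is now public on this chain
        return True

    def refund(self, out_id):  # timelock branch: only after the refund height
        o = self.outputs[out_id]
        if o["spent"] or self.height < o["refund_height"]:
            return False
        o["spent"] = o["refund_to"]
        return True

def happy_path():
    btc, ltc = Chain("BTC"), Chain("LTC")
    secret = b"constructed-secret-known-only-to-alice"
    digest = hashlib.sha256(secret).digest()
    # Alice knows the secret and locks first with the longer timelock; Bob locks
    # under the same digest with a shorter one, so Alice must reveal before Bob can refund.
    btc.lock("a2b", 1, digest, refund_to="alice", refund_height=72, claim_to="bob")
    ltc.lock("b2a", 100, digest, refund_to="bob", refund_height=36, claim_to="alice")
    wrong = btc.claim("a2b", b"guess")        # False: wrong preimage is rejected
    ok_a = ltc.claim("b2a", secret)           # Alice takes the LTC and thereby reveals the secret
    leaked = ltc.witnesses[-1]                # Bob reads it off the LTC chain
    ok_b = btc.claim("a2b", leaked)           # and uses it to take the BTC
    return wrong, ok_a, ok_b, btc.outputs["a2b"]["spent"], ltc.outputs["b2a"]["spent"]

def timeout_path():
    btc = Chain("BTC")
    btc.lock("a2b", 1, hashlib.sha256(b"never revealed").digest(), "alice", 72, "bob")
    early = btc.refund("a2b")                 # False: timelock has not expired yet
    btc.height = 72
    return early, btc.refund("a2b"), btc.outputs["a2b"]["spent"]
```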

How to replace the HTLCs in Monero

The problem is that Monero does not support scripts and therefore cannot host HTLCs. Monero can only be spent by presenting a private key. An atomic swap, as just described, is therefore not possible.

However, thanks to some advances, developers have been able to replace HTLCs. They describe it in a white paper, which is based on the paper “Bitcoin-Monero Cross-Chain Atomic Swaps” by Joel Gugger. The technical details are extremely complicated. In a sense, the spearhead of cryptographic high-tech is being put in place here.

Very roughly speaking, it works like this: You split the private key for the Monero into two parts. One of the parts is revealed when the exchange is completed, using “One-time Verifiably Encrypted Signatures” (One-Time VES for short). One-Time VES are a cryptographic innovation that allows additional information to be revealed through a signature. In principle, they are intentionally broken signatures, but they can be useful for some applications. Lloyd Fournier first described them in a paper in 2019.

In addition, a zero-knowledge proof about so-called “discrete logarithms” shows that the two parts of the key fit together. This is particularly interesting because the parts live on different elliptic curves: secp256k1 for Bitcoin, ed25519 for Monero.

Overall, it’s a hideously complicated but magnificent construction that pulls out all the stops of cryptographic magic. I don’t understand it nearly well enough to describe it here. What is important is that the process apparently works: with a sequence of transactions, you can exchange Bitcoin for Monero and vice versa.

The script of a swap

The process goes something like this: If someone wants to buy Monero, they first send a so-called “lock transaction”. This is a modified HTLC that Gugger calls a “swaplock”: the Bitcoins can be released with a secret, or transferred back after 72 hours.

Once this transaction is confirmed, the seller sends their lock transaction, which does something similar with the Monero: the XMR lands on an address whose private key is split in two. The buyer holds one part and the seller the other. The discrete logarithm proof shows that the two parts produce the correct key.

When this transaction reaches 10 confirmations, the buyer sends the seller a signature with which the seller can withdraw the Bitcoins. The transaction that does this reveals, via a One-Time VES, the key part the buyer needs to release the locked Monero.

As a backup, there is a refund transaction: This can be used to cancel the swap once the Bitcoin lock transaction has received 72 confirmations. The refund transaction initially returns the Bitcoins to the buyer, but also reveals the key part that the seller of the Monero needs to release their coins from the lock transaction.

Both the execution and cancellation of the trade are “atomic”: you release the coins on both blockchains with one transaction.
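The signature step in the swap script above (the One-Time VES from the earlier section), as an added example that is not Samourai’s or Gugger’s code: a Schnorr-style adaptor signature on secp256k1 in plain Python. The buyer pre-signs the Bitcoin spend so that the seller’s completed signature, once public on chain, leaks the seller’s share t of the Monero key to the buyer. Assumptions: toy affine curve arithmetic and a simplified challenge hash (not BIP340), only the Bitcoin side is modelled, and the cross-curve discrete-logarithm proof that ties t to the ed25519 share is omitted.

```python
import hashlib, secrets
# secp256k1 domain parameters (Bitcoin's curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A=G):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
def neg(A): return (A[0], (-A[1]) % P)
def challenge(R, X, msg):  # simplified Schnorr challenge e = H(R || X || m), not BIP340
    h = hashlib.sha256(R[0].to_bytes(32, "big") + X[0].to_bytes(32, "big") + msg).digest()
    return int.from_bytes(h, "big") % N

def pre_sign(x, T, msg):  # nonce commitment is R + T, so s is deliberately "off" by unknown t
    k = secrets.randbelow(N - 1) + 1
    R_adapt = add(mul(k), T)
    return R_adapt, (k + challenge(R_adapt, mul(x), msg) * x) % N

def pre_verify(X, T, msg, R_adapt, s_pre):  # check s_pre*G == (R_adapt - T) + e*X
    e = challenge(R_adapt, X, msg)
    return mul(s_pre) == add(add(R_adapt, neg(T)), mul(e, X))
def adapt(s_pre, t): return (s_pre + t) % N          # holder of t completes the signature
def verify(X, msg, R_adapt, s):  # ordinary Schnorr check of the completed signature
    return mul(s) == add(R_adapt, mul(challenge(R_adapt, X, msg), X))
def extract(s, s_pre): return (s - s_pre) % N         # anyone holding both learns t

def demo():
    x = secrets.randbelow(N - 1) + 1   # buyer's Bitcoin key controlling the swaplock spend
    t = secrets.randbelow(N - 1) + 1   # seller's share of the Monero spend key (constructed)
    X, T = mul(x), mul(t)
    msg = b"constructed: pay the swaplock output to the seller"
    R_adapt, s_pre = pre_sign(x, T, msg)            # buyer hands the pre-signature to seller
    ok_pre = pre_verify(X, T, msg, R_adapt, s_pre)  # seller checks it before acting
    s = adapt(s_pre, t)                             # seller completes it and broadcasts
    return ok_pre, verify(X, msg, R_adapt, s), extract(s, s_pre) == t
```

The refund path works the same way with the roles reversed: the seller pre-signs the buyer’s refund so that broadcasting it leaks the buyer’s key share.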

Not for inexperienced users

Such an atomic swap between Bitcoin and Monero is more or less the holy grail of privacy. It makes it effectively impossible to prevent Monero from entering circulation. As long as there are Bitcoins to buy on crypto exchanges, anyone who wants or needs to can get Monero and thus the cryptocurrency with the highest privacy standards.

In principle, the Samourai team has used software to overturn all regulatory efforts to prevent anonymous crypto transactions.

Nikita Zhavoronkov from the block explorer Blockchair is accordingly enthusiastic: “I would not be surprised if the liquidity of the XMR-BTC atomic swaps left Lightning+Liquid behind in a few months […] P2P > Bankstream.” The tweet clearly shows Nikita’s aversion to Lightning and Blockstream. But this hardly invalidates his prognosis.

However, the swap is still in beta. It is technically not very easy and is probably only suitable for advanced users. And that’s probably a good thing, because the naive use of swaps can also turn into an own goal.

In itself, switching to Monero is a very sharp knife with which Bitcoiners can cut the chain of transactions that remains a telltale trace on their Bitcoins. But the return exchange is trickier. Eventually, you have to exchange the anonymous – and therefore by definition clean – Monero for Bitcoins again: for Bitcoins that by definition have a chain of old transactions behind them. If you deposit these Bitcoins on an exchange, you can be in for a rude awakening, because you are suddenly connected to criminal activities that you never had anything to do with, but that stick to your Bitcoins like old dirt.

Atomic swaps are one of the most powerful methods to improve your privacy. But they are also one of the most dangerous for careless users.
