[bisq-network/proposals] Trust Minimized Bisq Daemon (#174)

sqrrm notifications at github.com
Sun Jan 26 17:18:51 UTC 2020

An idea on how to move forward with light clients, where to focus the efforts with the API and how to grow the Bisq user base.

## Motivation
### Safety
Now that Bisq has an API it will be possible to build light clients that connect to a bisq-daemon running on a VPS or similar. Running software that controls private keys on a VPS carries risk, since such hosts are attractive targets for attackers.

If the server is set up to serve multiple users, those users additionally have to trust the operator of the server.

### Convenience
There are some hurdles for new users of Bisq. One is the requirement to own some BTC to be used as a deposit during the trade. Another is the need for a desktop app that has to be downloaded and installed. The first might be overcome by allowing independent operators to onboard users as they see fit, using credit or other means. That would be made possible by moving certain aspects to a light client in the form of a mobile app that connects to a server, which also removes the problem of downloading and running a desktop client.

## Requirements
As users would connect to a bisq server through the API they would currently expose their full account information, BTC and BSQ private keys and trading history to the server. It is assumed this server would be run by the users themselves, with one server per user. This is rather inefficient and not easy to set up for the average user.

To allow federated bisq servers to be used by light clients while still preserving the most important aspects of a decentralized trading platform, at least the following criteria should be fulfilled:
- The server should not be able to steal funds
- The server should not see account information of users

## Implementation
Let's focus on the case where the user is the maker, as it's the harder case. If the user were the taker they would be online while taking an offer, and the rest of the protocol is the same for takers and makers.

### Private Keys

To give users full control of their BTC, the keys will have to be available to sign transactions throughout the trade process. In particular they need to be available to sign and fund the deposit transaction while an offer is being taken. As the maker they need to react to the request from the taker to sign the deposit tx. This seems doable with a light client app running on a phone reacting to a notification from the server, but it might be too slow.

The BTC keys can be stored in the phone client, so the bisq server would not be able to steal the funds, provided the client checks the transaction it is asked to sign against the offer it published rather than signing whatever the server sends.
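The exchange described above, as an added example that is not Bisq's code: the server on the VPS builds the deposit tx when a taker arrives and pushes it to the maker's phone, and the phone signs only after confirming that the deposit output, the amount it contributes and the inputs it is asked to spend match the offer it made. The tx is a plain dict, the trade's 2-of-2 address is handed in with the offer instead of being derived from the maker and taker pubkeys, and HMAC-SHA256 over the tx digest stands in for the ECDSA signatures bitcoinj would produce; offer values, addresses and outpoints are constructed for the example.

```python
"""Maker light client that signs the deposit tx a bisq server prepared.
Added example, not Bisq's code. Assumptions: the tx is a plain dict,
the trade's 2-of-2 address is handed in with the offer rather than
derived from the maker and taker pubkeys, and HMAC-SHA256 with the
private key stands in for the ECDSA signatures bitcoinj would make."""
import copy
import hashlib
import hmac
import json


class DepositSigningRefused(Exception):
    """The unsigned tx does not match the offer the maker published."""


def tx_digest(tx: dict) -> bytes:
    """Canonical hash of the unsigned tx that every input signature commits to."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


class MakerLightClient:
    """Runs on the phone; the private key never leaves this object."""

    def __init__(self, privkey: bytes, own_addresses: set, offer: dict):
        self._privkey = privkey
        self.own_addresses = own_addresses   # change must come back here
        self.offer = offer  # reserved_inputs {outpoint: sats}, deposit_address,
                            # deposit_sats, max_contribution_sats, all fixed at offer time

    def _check(self, tx: dict) -> None:
        offer = self.offer
        mine = [i["outpoint"] for i in tx["inputs"] if i["outpoint"] in offer["reserved_inputs"]]
        if not mine:
            raise DepositSigningRefused("none of the inputs are the maker's reserved UTXOs")
        deposit = [o for o in tx["outputs"] if o["address"] == offer["deposit_address"]]
        if len(deposit) != 1 or deposit[0]["sats"] != offer["deposit_sats"]:
            raise DepositSigningRefused("deposit output missing, duplicated or wrong amount")
        # Input values come from the client's own UTXO records, not from the server's claim.
        paid_in = sum(offer["reserved_inputs"][op] for op in mine)
        returned = sum(o["sats"] for o in tx["outputs"] if o["address"] in self.own_addresses)
        if paid_in - returned > offer["max_contribution_sats"]:
            raise DepositSigningRefused(
                f"maker would put in {paid_in - returned} sat, agreed to at most "
                f"{offer['max_contribution_sats']}")

    def sign_deposit_tx(self, tx: dict) -> dict:
        """Return {outpoint: signature} for the maker's inputs, or refuse."""
        self._check(tx)
        digest = tx_digest(tx)
        return {op: hmac.new(self._privkey, digest + op.encode(), "sha256").hexdigest()
                for op in (i["outpoint"] for i in tx["inputs"])
                if op in self.offer["reserved_inputs"]}


class BisqServer:
    """Runs on the VPS. Builds the tx when a taker arrives and asks the phone to sign."""

    def __init__(self, client: MakerLightClient):
        self.client = client   # stands in for the push notification and reply channel

    def take_offer(self, unsigned_tx: dict) -> dict:
        return self.client.sign_deposit_tx(unsigned_tx)


def signing_outcome(server: BisqServer, tx: dict):
    """(True, signatures) if the phone signed, (False, reason) if it refused."""
    try:
        return True, server.take_offer(tx)
    except DepositSigningRefused as e:
        return False, str(e)


# Constructed sample: maker sells 0.01 BTC, each side locks a 0.003 BTC security
# deposit, maker's share of the mining fee is 2000 sat. Addresses are placeholders.
OFFER = {
    "reserved_inputs": {"aa11:0": 1_500_000},
    "deposit_address": "2of2-trade-xyz",
    "deposit_sats": 1_600_000,
    "max_contribution_sats": 1_302_000,
}
MAKER = MakerLightClient(b"maker-secret-stays-on-phone", {"maker-change"}, OFFER)
SERVER = BisqServer(MAKER)

HONEST_TX = {   # what a well-behaved server builds; bb22:1 is the taker's input
    "inputs": [{"outpoint": "aa11:0"}, {"outpoint": "bb22:1"}],
    "outputs": [{"address": "2of2-trade-xyz", "sats": 1_600_000},
                {"address": "maker-change", "sats": 198_000},
                {"address": "taker-change", "sats": 97_000}],
}
# A compromised server redirects the maker's change to itself...
CHANGE_STOLEN_TX = copy.deepcopy(HONEST_TX)
CHANGE_STOLEN_TX["outputs"][1]["address"] = "server-wallet"
# ...or points the deposit output at an address it controls.
DEPOSIT_STOLEN_TX = copy.deepcopy(HONEST_TX)
DEPOSIT_STOLEN_TX["outputs"][0]["address"] = "server-wallet"
```

The contribution check is what makes the key's location matter: the server can reorder or add outputs paid from the taker's inputs without the maker caring, but it cannot make the maker spend more than the amount fixed at offer time, and it cannot substitute the deposit output, because both are verified against data the phone recorded before the server was involved.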

### Accounts
Account information is currently stored with the bisq client. To avoid the bisq server having access to account information, it could instead store accounts only as an accountAgeWitness hash and payment method. During a trade the server would forward mailbox messages from light clients to the other user.

It might be that accounts are not needed on the server side at all and could be provided by the light client on demand; that might be even better.
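A model of the server-side account handling proposed above, added here as an example and not taken from Bisq: the server keeps only a witness hash and the payment method per user and relays sealed mailbox messages it cannot read, while the counterparty receives the real account payload and checks it against the published hash. Two assumptions: the witness hash is sha256 over a salt plus the canonical JSON of the account fields (Bisq's real AccountAgeWitness encodes the fields differently), and `seal`/`unseal` are an HMAC-keystream placeholder for the encryption Bisq applies to mailbox messages, with a shared key the two peers are assumed to have derived already. Account details are constructed sample data.

```python
"""bisq server that stores only accountAgeWitness hash + payment method
and relays sealed mailbox messages between light clients.
Added example, not Bisq's code. Assumptions: witness hash is
sha256(salt || canonical JSON of the account fields); seal()/unseal()
are a toy encrypt-then-MAC stand-in for Bisq's mailbox encryption."""
import hashlib
import hmac
import json
import os


def witness_hash(account: dict, salt: bytes) -> str:
    """Commitment to the payment account; useless to the server without salt + fields."""
    return hashlib.sha256(salt + json.dumps(account, sort_keys=True).encode()).hexdigest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest())
        i += 1
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Placeholder encrypt-then-MAC so the relay only ever sees opaque bytes."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("mailbox envelope failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class BisqServer:
    """Per user: witness hash + payment method, and a mailbox of sealed blobs."""

    def __init__(self):
        self.accounts = {}   # user id -> {"witness": hex hash, "method": str}
        self.mailboxes = {}  # user id -> [sealed blobs]

    def register(self, user: str, witness: str, method: str) -> None:
        self.accounts[user] = {"witness": witness, "method": method}

    def forward(self, to_user: str, blob: bytes) -> None:
        self.mailboxes.setdefault(to_user, []).append(blob)

    def sees(self, needle: str) -> bool:
        """Does any server-side state contain the string (e.g. an IBAN)?"""
        state = json.dumps(self.accounts).encode()
        state += b"".join(b for box in self.mailboxes.values() for b in box)
        return needle.encode() in state


class LightClient:
    def __init__(self, user: str, account: dict, method: str):
        self.user, self.account, self.method = user, account, method
        self.salt = os.urandom(32)   # stays on the phone together with the account data

    def publish(self, server: BisqServer) -> None:
        server.register(self.user, witness_hash(self.account, self.salt), self.method)

    def send_account(self, server: BisqServer, peer: str, shared_key: bytes) -> None:
        payload = json.dumps({"account": self.account, "salt": self.salt.hex()}).encode()
        server.forward(peer, seal(shared_key, payload))

    def verify_peer_account(self, server: BisqServer, peer: str, blob: bytes, shared_key: bytes) -> bool:
        """Open the relayed message and check it matches the witness the peer published."""
        try:
            msg = json.loads(unseal(shared_key, blob))
        except ValueError:
            return False
        published = server.accounts.get(peer)
        return (published is not None
                and witness_hash(msg["account"], bytes.fromhex(msg["salt"])) == published["witness"])


SHARED_KEY = os.urandom(32)   # assumed: agreed between maker and taker, unknown to the server
SERVER = BisqServer()
MAKER = LightClient("maker", {"iban": "DE89370400440532013000", "holder": "Erika Mustermann"}, "SEPA")
TAKER = LightClient("taker", {"iban": "FR7630006000011234567890189", "holder": "Jean Dupont"}, "SEPA")


def run_trade() -> dict:
    """Publish both accounts, let the maker reveal to the taker, report what each side learned."""
    MAKER.publish(SERVER)
    TAKER.publish(SERVER)
    MAKER.send_account(SERVER, "taker", SHARED_KEY)
    blob = SERVER.mailboxes["taker"][-1]
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])   # relay flips one bit of the envelope
    return {
        "server_sees_iban": SERVER.sees(MAKER.account["iban"]),
        "taker_verified": TAKER.verify_peer_account(SERVER, "maker", blob, SHARED_KEY),
        "tampered_verified": TAKER.verify_peer_account(SERVER, "maker", tampered, SHARED_KEY),
    }
```

The salt is the part that matters for the second requirement: without it the server could guess-and-hash common account details against the witness it stores, so the salt travels only inside the sealed message to the counterparty, who needs it to reproduce the hash.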

### Network
The phone client would run a Tor hidden service to connect to the server. This likely has some problems with either reliability or battery usage or both. More research is needed to see if this is a reasonable way forward.

Chat messages from trades, mediation and arbitration would have to be forwarded. Handling payout of funds in all these cases would also have to be done on the light client.

It would also be worth thinking about adding other options to connect to the bisq-daemon. It could then act as a bridge to the Bisq network for those that aren't able to use Tor.

### Fees
The trading fees could be paid in BSQ by the bisq server and charged to the users in BTC. There is already the fee tx to initiate an offer; by adding a BTC change output controlled by the server, with the server contributing the fee in BSQ, the server can charge users in BTC while the fee itself is paid in BSQ. This would be a way to fund these servers by charging a markup on the BSQ fee that is still a discount compared to fees paid in BTC.

## Drawbacks
This kind of federated server setup would centralize parts of the Bisq network and give control to the server operators. There is, however, no barrier to entry to set up these servers, so anyone could do it. The users of this kind of server might be users that would otherwise not have the ability to use Bisq; in that case it would still be an improvement from the user's perspective.

URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20200126/dfb12838/attachment-0001.html>