Add features to help people split coins after a fork

[moral-agent]

Procedure:

Someone gets their hands on the coinbase output from a S2X block.

This person is now a Split-Monger.

Split-Monger hops on JoinMarket and offers to set up CoinJoin transactions with Split-Requesters.

For each Split-Requester, a CoinJoin transaction is constructed. One of the inputs is from the Split-Monger and is tainted with coins that can only be mined on the S2X chain. The other inputs belong to the Split-Requester and are still vulnerable to being mined on the BTC chain.

The CoinJoin transaction is signed by the Split-Requester and the Split-Monger and then broadcast. It can only be mined on the S2X chain. Furthermore, all of the outputs cannot be mined on the BTC chain. The Split-Monger receives an output equal to or greater than the value of their input. The Split-Requester receives an output equal to their input minus the transaction fee and the monger's fee.

Split-Requester now has the option to earn back the monger's fee by offering their shiny new split coins on JoinMarket, thereby accelerating the process.

Advantages:

1. Splits the coins the first time every time.
2. Safe because the transaction is only valid on one chain.
3. Not subject to miner whims.
4. Not necessary to bloat the bitcoin blockchain.
5. Can use whichever chain with the lowest fees.
6. Inexpensive -- could be done as part of a transaction user planned to do anyway.
7. Good incentives feedback / bootstrapping -- if there are no split-mongers the monger fee rises, if there are split-mongers then the fee falls.
8. Does not need replay protection.

To Do List:

1. Need to be able to see if an output is split or not. Split output is defined as an output that can only be spent on one chain.
2. Need to advertise that you are offering or requesting a CoinJoin that splits coins.
3. Marketing/spread the word etc.

Implementation ideas:

• Implement with a Forward Pass: Each output is given a score according to this formula: If the output is a coinbase output, it is given a score equal to the block height at which it is created. If the output is not a coinbase output, it is given a score equal to the maximum score among the inputs to the transaction. An output is considered "split" if it has a score greater than the last block the two chains shared.
• Implement by Checking a Proof: Evaluate a short proof to see if it shows that the output comes from a transaction with at least one split input. The proof could simply be the transaction ids linking a post-split coinbase output to the transaction.
• Implement with a Backward Pass: Check each input. If the input is from a pre-split transaction, mark it dead. If the input is from a post-split coinbase, then return true. If the input is from a post-split transaction that is not a coinbase, mark that transaction as a candidate. When you have finished evaluating the inputs to the transaction, if you have not returned true, then go check the inputs to the candidates.

[adlai]

Excellent concept! I wonder whether anyone will implement it in time...

At worst, someone who doesn't care about their own privacy can explicitly designate their liquidity using a pseudonym (for example, via bitmessage) and others use sendpayment -P

[moral-agent]

@harding points out that a bad guy can create a coinbase that is replayable :-/ so checking whether an output comes from a post-fork coinbase is not reliable.

Can do checking to see whether an output comes from a transaction that cannot be replayed on the other chain by checking whether any of the inputs were already used in a different transaction though.