đź“… Original date posted:2014-01-15
đź“ť Original message:One challenge with reusable addresses is that while they result in a
small constant overhead for full nodes in searching for their own
transactions they create large overheads for SPV nodes.
One way to address this is for the SPV nodes to hand their servers
their blinding private key so that the server may test addresses on
their behalf. The primary problem with this is that it is
non-reputable: If I show you a blinding private key and say a set of
transactions are related you will be utterly convinced of it, the
transactions really are related. This makes the privacy brittle.
It also has a downside of not being indexable for the server, the
server must do O(clients * reusable-address-txn) work and the work
includes an ECC multiply.
An idea that Adam Back had originally proposed was including optional
"bloom bait", a small token— say 8 bits— that distinguished
transactions which allowed an anonymity set vs filtering trade off.
Such a bait would be indexable, enabling faster lookup too.
But bloom bait has privacy problems more severe than the current SPV
bloom filtering. While you leak information to your SPV servers today
if you use bloom filtering the leak usually goes no further. So a
compromise requires both a statistical attack _and_ using SPV servers
that log data against your interest. With bloom bait the whole
network can see the relation. That is unfortunate.
I suggest instead that with optional bait is included in an address
that the sender compute H(nonce-pubkey) and then pick one byte at
random out of the first 16 and xor it with the specified bait and
store the result in the transaction. An SPV server can now index the
bait as it comes in by extracting 16 8-bit keys from each transaction
(the 16 bytes xored with the bait in the transaction). When the
client wants to search for transactions it can give the server a list
of keys its interested in— including their real key and number of
random number of cover keys.
ObTechnicalWank: This is a specific simple instance of a general
class of solutions which are related to locally decodable error
correcting codes: E.g. the transaction data represents a codeword in a
vector-space and the degree of freedom provided by the adjustable
prefix is used to ensure that codeword is never more than a certain
distance from a specified point. The point isn't made public in the
transaction and it's hidden from the server by providing several
points. There is still an information leak here— as if someone
believes a set of transactions are related they can intersect their
radiuses and test if the intersection is empty, and if it's not assume
that they found the secret bait— but it is substantially lower an
information leak than the prefix case.
I didn't give any though into the parameters 8-bits and 16 dimensions.
Some reasoning should be done to fix the parameters in order to make
them the most useful: e.g.
Systems derived from more complex linear codes might give better
performance, e.g. two secret bloom baits, two prefixes in the
transaction bait0^random_char[0-8], bait1^random_char[0-8], server
extracts 16 keys.. and returns to the client transactions which have
at least two key matches with their list.
Obviously whatever is used needs to be easy to implement, but schemes
loosely based on fountain codes should only require picking some
things and xoring... so they should be simple enough.
Gregory Maxwell [ARCHIVE] /
npub1f2…crwet
2023-06-07 15:12:10
in reply to nevent1q…87ka
Author Public Key
npub1f2nvlx49er5c7sqa43src6ssyp6snd4qwvtkwm5avc2l84cs84esecrwetSeen on
wss://relay.nostr.bandPublished at
2023-06-07 15:12:10Event JSON
{
"id": "d244dd44699414dd323e79e4bb52bfbf2b24f9d6d1f799fbd6b5929623c995dc",
"pubkey": "4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73",
"created_at": 1686150730,
"kind": 1,
"tags": [
[
"e",
"957b5afc5fd78b0a0795fe6e0429600771d924f03896fb3817eaea18bdef1fca",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2014-01-15\n📝 Original message:One challenge with reusable addresses is that while they result in a\nsmall constant overhead for full nodes in searching for their own\ntransactions they create large overheads for SPV nodes.\n\nOne way to address this is for the SPV nodes to hand their servers\ntheir blinding private key so that the server may test addresses on\ntheir behalf. The primary problem with this is that it is\nnon-reputable: If I show you a blinding private key and say a set of\ntransactions are related you will be utterly convinced of it, the\ntransactions really are related. This makes the privacy brittle.\n\nIt also has a downside of not being indexable for the server, the\nserver must do O(clients * reusable-address-txn) work and the work\nincludes an ECC multiply.\n\nAn idea that Adam Back had originally proposed was including optional\n\"bloom bait\", a small token— say 8 bits— that distinguished\ntransactions which allowed an anonymity set vs filtering trade off.\nSuch a bait would be indexable, enabling faster lookup too.\n\nBut bloom bait has privacy problems more severe than the current SPV\nbloom filtering. While you leak information to your SPV servers today\nif you use bloom filtering the leak usually goes no further. So a\ncompromise requires both a statistical attack _and_ using SPV servers\nthat log data against your interest. With bloom bait the whole\nnetwork can see the relation. That is unfortunate.\n\nI suggest instead that with optional bait is included in an address\nthat the sender compute H(nonce-pubkey) and then pick one byte at\nrandom out of the first 16 and xor it with the specified bait and\nstore the result in the transaction. An SPV server can now index the\nbait as it comes in by extracting 16 8-bit keys from each transaction\n(the 16 bytes xored with the bait in the transaction). When the\nclient wants to search for transactions it can give the server a list\nof keys its interested in— including their real key and number of\nrandom number of cover keys.\n\nObTechnicalWank: This is a specific simple instance of a general\nclass of solutions which are related to locally decodable error\ncorrecting codes: E.g. the transaction data represents a codeword in a\nvector-space and the degree of freedom provided by the adjustable\nprefix is used to ensure that codeword is never more than a certain\ndistance from a specified point. The point isn't made public in the\ntransaction and it's hidden from the server by providing several\npoints. There is still an information leak here— as if someone\nbelieves a set of transactions are related they can intersect their\nradiuses and test if the intersection is empty, and if it's not assume\nthat they found the secret bait— but it is substantially lower an\ninformation leak than the prefix case.\n\nI didn't give any though into the parameters 8-bits and 16 dimensions.\nSome reasoning should be done to fix the parameters in order to make\nthem the most useful: e.g.\n\nSystems derived from more complex linear codes might give better\nperformance, e.g. two secret bloom baits, two prefixes in the\ntransaction bait0^random_char[0-8], bait1^random_char[0-8], server\nextracts 16 keys.. and returns to the client transactions which have\nat least two key matches with their list.\n\nObviously whatever is used needs to be easy to implement, but schemes\nloosely based on fountain codes should only require picking some\nthings and xoring... so they should be simple enough.",
"sig": "7054a7abba1767cc171a6e3eb4bdb2d59ab59eae6c4e16d7c28033db0dbe3bc4f14819aa3ca9418917aa0493b5d1eef82cf975c4d5eef2626ac17f70bb202a54"
}