ZmnSCPxj [ARCHIVE] on Nostr:
Original date posted: 2021-03-16
Original message:
Good morning JAMES,
> No-one has yet demonstrated that CoinJoin or using Wasabi wallet is secure if it relies on third-parties. Are the transactions not forwarded partially signed as with an SPV wallet? So it is possible the SPV server cannot redirect funds if dishonest? SPV wallets are secure producing fully signed transactions. A CoinJoin transaction signs for the UTXO and forwards it to be included signed for in another larger transaction with many inputs and outputs
The above point was not answered, so let me answer this for elucidation of you and any readers.
A CoinJoin transaction is a single transaction with many inputs and many outputs.
Every input must be signed.
When used to obfuscate, each input has different actual entities owning the coin.
In order to prevent fraud, it is necessary that what total amount each entity puts into the transaction, that entity also gets out (in freshly-generated addresses, which I hope you do not object to) as an output.
When providing its signature, each entity verifies that its provided address exists in some output first before signing out its input.
The provided signature requires all the inputs and all the outputs to exist in the transaction.
Because of this, it is not possible to take a "partial" signature for this transaction, then change the transaction to redirect outputs elsewhere --- the signatures of previous participants become invalid for the modified transaction.
Thus, the security of the CoinJoin cannot be damaged by a third party.
Third parties involved in popular implementations of CoinJoin (such as the coordinator in Wasabi) are nothing more than clerical actuaries that take signatures of an immutable document, and any attempt by that clerical actuary to change the document also destroys any signatures of that document, making the modified document (the transaction) invalid.
> . Also, none of those you mention is inherently a Privacy Technology. Transparency is one of the key articles of value in Bitcoin because it prevents fraud.
The prevention of fraud simply requires that all addition is validatable.
It does not require that the actual values involved are visible in cleartext.
Various cryptographic techniques already exist which allow the verifiable addition of encrypted values ("homomorphisms").
You can get 1 * G and 2 * G, add the resulting points, and compare it to 3 * G and see that you get the same point, yet if you did not know exactly what G was used, you would not know that you were checking the addition of 1 + 2 = 3.
That is the basis of a large number of privacy coins.
At the same time, if I wanted to *voluntarily* reveal this 1 + 2 = 3, I could reveal the numbers involved and the point G I used, and any validator (including, say, a government taxing authority) can check that the points recorded on the blockchain match with what I claimed.
For the prevention of fraud, we should strive to be as transparent as *little* as possible, while allowing users to *voluntarily* reveal information.
Regards,
ZmnSCPxj
Published at
2023-06-07 18:29:32
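Added example, not part of the original message or of any CoinJoin implementation: a Python illustration of the two arguments in the post, namely that each participant signs over every input and output only after finding its own output (so a coordinator's edit invalidates all collected signatures), and that point addition lets a validator check a sum. Assumptions: a simplified Schnorr signature over secp256k1 and `repr()` serialization stand in for Bitcoin's actual signature scheme and transaction format; the function names, addresses, amounts and toy private keys are constructed for illustration.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime (the curve Bitcoin uses)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; fine for a demo, not constant time
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):  # hash arbitrary values to a scalar
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def sign(d, msg):  # simplified Schnorr (assumption, not Bitcoin's real scheme)
    k = h("nonce", d, msg) or 1
    R = mul(k, G)
    return R, (k + h(R, mul(d, G), msg) * d) % N

def verify(Q, msg, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(h(R, Q, msg), Q))

def sign_input(d, tx, my_output):
    if my_output not in tx[1]:  # the check from the post: find my output first
        raise ValueError("my output is missing; refusing to sign")
    return sign(d, repr(tx))  # signed message covers every input and output

def coinjoin_demo():
    keys = {"a": 11, "b": 22}  # constructed toy private keys
    tx = ((("utxo_a", 5), ("utxo_b", 5)), (("addr_a", 5), ("addr_b", 5)))
    sigs = {n: sign_input(d, tx, ("addr_" + n, 5)) for n, d in keys.items()}
    tampered = (tx[0], (("addr_a", 5), ("addr_x", 5)))  # one output redirected
    check = lambda t: [verify(mul(keys[n], G), repr(t), s) for n, s in sigs.items()]
    return check(tx), check(tampered)

def sums_match(a, b, total, base=G):  # checks a*base + b*base == total*base
    return add(mul(a, base), mul(b, base)) == mul(total, base)
```

`coinjoin_demo()` returns the verification results for the agreed transaction and for the edited one; note that the signature of the participant whose output was left untouched fails as well, because it covers the whole transaction.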