š
Original date posted:2019-12-29
š Original message:Good morning Yuval,
> Additionally (though is a broader criticism of CoinJoin based privacy and not specific to unequal amounts, and in particular refers to ZmnSCPxj's assertion of 0 linkability) I am very worried that perspectives that focus on linkability information revealed by a single coinjoin transaction in isolation. This problem was alluded in the document, to but I don't see that it was addressed. Naively the post/pre mix transaction graph would seem to present a computationally much harder problem when looking at the combinatorics through the same lens, but reality it can also be used to place many constraints on valid partitions/sub-transaction assignments for a single transaction with equal amounts. The trivial example is post mix linking of outputs, but there are many other ways to draw inferences or eliminate possible interpretations of a single transaction based on its wider context, which in turn may be used to attack other transactions.
Indeed, this is a problem still of equal-valued CoinJoin.
In theory the ZeroLink protocol fixes this by strongly constraining user behavior, but ZeroLink is not "purely" implemented in e.g. Wasabi: Wasabi still allows spending pre- and post-mix coins in the same tx (ZeroLink disallows this) and any mix change should be considered as still linked to the inputs (though could be unlinked from the equal-valued output), i.e. returned to pre-mix wallet.
> Finally, the proof as well as its applicability seems suspect to me, since seems to involve trusting the server:
> "Since the distinct list [...] [is] kept on the server and not shared with the players"
> "The server knows the linkages of the commitments but does not participate as a verifier "
> "If there is a problem [...] each component is assigned to another player at random for verification"
> these 3 statements together seems to suggest the server is trusted to not use sybils in order the compromise privacy by participating in the verification process?
Equal-valued CoinJoins fix this by using a Chaumian bank, which constrains value transfers to specific fixed amounts.
Since an equal-valued CoinJoin uses a single fixed amount anyway, it is not an additional restriction.
CashFusion cannot use the same technique without dropping into something very much like an equal-valued CoinJoin.
Regards,
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5ā¦3ms3l
2023-06-07 18:22:11
in reply to nevent1qā¦8zmt
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-07 18:22:11Event JSON
{
"id": "e3462a4e9b16dca503f23a9e7e05bab587b58960f3fa32af8fec48442dfef4c4",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686162131,
"kind": 1,
"tags": [
[
"e",
"f507cc2a9b9c10e1b82a23d29be55ddd98d5f9cde976d6b65dc74790dffb5be9",
"",
"root"
],
[
"e",
"48d9caaeeb488291cc5372d5824849dace2862f5d1cad941b40465b76d5e4fbf",
"",
"reply"
],
[
"p",
"bd93d4f0280eb5fc59e028b3cddc81715c02f65db04534e98da4b77de31a6cf8"
]
],
"content": "š
Original date posted:2019-12-29\nš Original message:Good morning Yuval,\n\n\n\u003e Additionally (though is a broader criticism of CoinJoin based privacy and not specific to unequal amounts, and in particular refers to ZmnSCPxj's assertion of 0 linkability) I am very worried that perspectives that focus on linkability information revealed by a single coinjoin transaction in isolation. This problem was alluded in the document, to but I don't see that it was addressed. Naively the post/pre mix transaction graph would seem to present a computationally much harder problem when looking at the combinatorics through the same lens, but reality it can also be used to place many constraints on valid partitions/sub-transaction assignments for a single transaction with equal amounts. The trivial example is post mix linking of outputs, but there are many other ways to draw inferences or eliminate possible interpretations of a single transaction based on its wider context, which in turn may be used to attack other transactions.\n\nIndeed, this is a problem still of equal-valued CoinJoin.\nIn theory the ZeroLink protocol fixes this by strongly constraining user behavior, but ZeroLink is not \"purely\" implemented in e.g. Wasabi: Wasabi still allows spending pre- and post-mix coins in the same tx (ZeroLink disallows this) and any mix change should be considered as still linked to the inputs (though could be unlinked from the equal-valued output), i.e. returned to pre-mix wallet.\n\n\u003e Finally, the proof as well as its applicability seems suspect to me, since seems to involve trusting the server:\n\u003e \"Since the distinct list [...] [is] kept on the server and not shared with the players\"\n\u003e \"The server knows the linkages of the commitments but does not participate as a verifier \"\n\u003e \"If there is a problem [...] each component is assigned to another player at random for verification\"\n\u003e these 3 statements together seems to suggest the server is trusted to not use sybils in order the compromise privacy by participating in the verification process?\n\nEqual-valued CoinJoins fix this by using a Chaumian bank, which constrains value transfers to specific fixed amounts.\nSince an equal-valued CoinJoin uses a single fixed amount anyway, it is not an additional restriction.\nCashFusion cannot use the same technique without dropping into something very much like an equal-valued CoinJoin.\n\nRegards,\nZmnSCPxj",
"sig": "a38e28c05fb628f79fcaee46884cdf6c5359885339c062270cd11f88805b915e3470fd1595a132ca27f3f553c87779917898e15b4c10c789713e37aa533b2993"
}