Comments (10)
Lolll. Sorry! Shame on me! We need to reiterate the protocol! The chosen hash function allows arbitrary signature forgeries composed with BLS signatures. Kudos to @kobigurk
Specifically, if you have a valid signature on message , then you can forge signature on an arbitrary message by computing , which is a valid signature on .
from wabisabi.
unfairly linear ;-)
from wabisabi.
We would like to have an enhanced Chaumian CoinJoin mixing protocol which allows mixing participants not only to mix to their own addresses, but potentially mix to an address belonging to another entity. This would allow users to use CoinJoins also for payments.
I don't think that the address is the main issue here. It is one of the issues, and in the case a round fails, we need to get a new address of the receiver somehow. So, it's not unsolved.
However, I think that it must be an arbitrary payment amount, different from the equal value denomination
is the tricky part too, maybe this should be reflected.
from wabisabi.
I don't think that the address is the main issue here. It is one of the issues, and in the case a round fails, we need to get a new address of the receiver somehow. So, it's not unsolved.
I think, this is somewhat an orthogonal problem to the mixing protocol itself. Since we could assume that the sender can non-interactively derive multiple addresses for the recipient. So even if a round fails, a payment sender can create another fresh address for her recipient which she can use in the next round. Could we assume that sender and receiver use some key-derivation protocol or stealth addresses? Or is this a strong assumption Max, @nopara73 ?
However, I think that it must be
an arbitrary payment amount, different from the equal value denomination
is the tricky part too, maybe this should be reflected.
I'll update now the post above. Although I do think that what we call input UTXO splitting and merging essentially solves this very same problem you mentioned here. I did not articulate this well.
from wabisabi.
Reiterating some points from previous issues and slack:
-
Do we actually require bilinearity? Isn't the linearity of Schnorr blind signatures sufficient? The main advantage seems to be lack of Wagner attack but this seems irrelevant since the number of signatures is limited.
-
To prevent double spending how does the coordinator know the user only submits the unblinded signatures for originally submitted amounts, and not arbitrary combinations of unblinded signatures? For example if I have three registered amounts , how does the coordinator detect that a malicious set of output registrations that double spends : , the two
sumsproducts of the signatures are distinct -
Are we convinced that bias in the amount values is not a concern for deanonymizing them? This is way over my head, but after reading a few abstracts about lattice attacks on elliptic curves, I think this is still a concern we must address since the coordinator knows quite a bit about the values, since the coordinator knows quite a bit about the top bits of the various messages both at input registration time and at output registration time. Does the argument rely on the fact that only the sums of the blinding factors is revealed?
from wabisabi.
If the round fails then the blame round starts with the exact same participants with the exact same inputs and exact same outputs. Don't assume stealth addresses and similar exotic stuff those didn't gain adoption even without the complexity of coinjoins.
from wabisabi.
This should be since is an element of the group, not a scalar (unless the mod is meant to be in the exponent, which doesn't really matter since the group is cyclic?)
from wabisabi.
This should be since is an element of the group, not a scalar (unless the mod is meant to be in the exponent, which doesn't really matter since the group is cyclic?)
Indeed! Good catch! Should be fixed now!
- Do we actually require bilinearity? Isn't the linearity of Schnorr blind signatures sufficient? The main advantage seems to be lack of Wagner attack but this seems irrelevant since the number of signatures is limited.
Later we should definitely explore the practicality of other blind signature schemes as well in this context.
- To prevent double spending how does the coordinator know the user only submits the unblinded signatures for originally submitted amounts, and not arbitrary combinations of unblinded signatures? For example if I have three registered amounts , how does the coordinator detect that a malicious set of output registrations that double spends : , the two
sumsproducts of the signatures are distinct
This is a serious issue we should fix in the coming days!
- Are we convinced that bias in the amount values is not a concern for deanonymizing them? This is way over my head, but after reading a few abstracts about lattice attacks on elliptic curves, I think this is still a concern we must address since the coordinator knows quite a bit about the values, since the coordinator knows quite a bit about the top bits of the various messages both at input registration time and at output registration time. Does the argument rely on the fact that only the sums of the blinding factors is revealed?
I'm kind of convinced that lattice attack are not relevant here. Or would be computationally infeasible but it is definitely good that you brought up and let's not forget about it! Coordinator might guess 30 bits of the values or so but the remaining 200 bits or so (the subsatoshi values in the padding scheme) should be totally random, hence this attack is not a threat I would say.
from wabisabi.
This scheme could still work, since our double spending solution (the zero knowledge accumulator stuff I don'understand: https://eprint.iacr.org/2019/1255.pdf) not only prevents double spending, but also prevents the malleability issue @seresistvanandras thought ruins everything.
from wabisabi.
from wabisabi.
Related Issues (20)
- Protocol: KVAC based HOT 15
- Pre-paying the coordinator fee HOT 7
- Archiving Old Readme.md HOT 1
- Quantifying CoinJoin inefficiencies HOT 20
- meta: issue cleanup HOT 1
- Post-Cryptographic Research HOT 3
- citations to footnotes HOT 1
- Clarifying the Balance Proof HOT 8
- Eliminate serial number attribute HOT 7
- improve notation for attributes HOT 1
- document structure improvements HOT 2
- Add explainer somewhere into this repo
- The Protocol HOT 34
- 3 path UX for sending with WabiSabi
- The section "Over-spending prevention by balance proof" doesn't make sense HOT 4
- Crypto Bikeshedding
- mitigate coordinator deanonymization attacks based on timing and data withholding HOT 4
- Amount Organization HOT 3
- Protocol docs - Input Registration HOT 1
- Security Proof Improvements HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wabisabi.