I'm only going to talk about cashfusion and not the knapsack paper.

The language they use to describe the cashfusion protocol is very
broad and could describe many things. Because it is hard so vague I
don't want to dismiss the cashfusion approach out of hand. For
instance they say: "inputs of arbitary amounts in the neighborhood of
~0.1 BCH" what exactly does this mean?

Attack 1:
If we assume arbitrary means any precision then a trivial attack is
possible. Consider the case where one of the inputs has more precision
than any other input. This allows an attacker to trivially break the
privacy of that input:

Lets look at a toy example that takes 12 inputs and creates 3 outputs
inputs:
0.1525
0.1225
0.1145
0.1443
0.1144111
0.1001
0.1124
0.1093
0.1113
0.1134
0.1029
0.1206

Outputs:
0.4648111
0.5185
0.4349

Clearly output output 0.4648111 contains input 0.1144111.

Attack 2:
Let's say you attempt to address this problem this by limiting the
precision of inputs to two decimal places i.e. 0.1X where 0<=X<=9.
Consider the case of 10 users where each user is always joining sets
of 10 inputs to create 1 output. Thus in total you would have 100
inputs and 10 outputs in the coinjoin. If one of those outputs is 2
then you know its inputs must all be 0.2. Using this method you can
start eliminate input output pairs far faster brute force. How much
faster is hard to say without adding additional assumptions for
instance are these inputs amounts drawn from a uniform distribution?

I want to be clear. I'm not saying cashfusion is broken or that this
more inputs than outputs technique is a dead end. However the
description given is vague and could be interpreted to describe a
broken protocol. Is this actively being used?

On Fri, Dec 27, 2019 at 8:29 PM nopara73 via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> The CashFusion research came out of the Bitcoin Cash camp, thus this probably 
> went under the radar of many of you. I would like to ask your opinions on the 
> research's claim that, if non-equal value coinjoins can be really relied on 
> for privacy or not.
>
> (Btw, there were also similar ideas in the Knapsack paper in 2017: 
> https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-trustcom-coinjoin.pdf
>  )
>
> https://github.com/cashshuffle/spec/blob/master/CASHFUSION.md#avoiding-amount-linkages-through-combinatorics
>
> I copy the most relevant paragraphs here:
>
>   ---------BEGIN QUOTE ---------
>
>
> Consider a transaction where 10 people have each brought 10 inputs of 
> arbitary amounts in the neighborhood of ~0.1 BCH. One input might be 
> 0.03771049 BCH; the next might be 0.24881232 BCH, etc. All parties have 
> chosen to consolidate their coins, so the transaction has 10 outputs of 
> around 1 BCH. So the transaction has 100 inputs, and 10 outputs. The first 
> output might be 0.91128495, the next could be 1.79783710, etc.
>
> Now, there are 100!/(10!)^10 ~= 10^92 ways to partition the inputs into a 
> list of 10 sets of 10 inputs, but only a tiny fraction of these partitions 
> will produce the precise output list. So, how many ways produce this exact 
> output list? We can estimate with some napkin math. First, recognize that for 
> each partitioning, each output will typically land in a range of ~10^8 
> discrete possibilities (around 1 BCH wide, with a 0.00000001 BCH resolution). 
> The first 9 outputs all have this range of possibilities, and the last will 
> be constrained by the others. So, the 10^92 possibilies will land somewhere 
> within a 9-dimensional grid that cointains (10^8)^9=10^72 possible distinct 
> sites, one site which is our actual output list. Since we are stuffing 10^92 
> possibilties into a grid that contains only 10^72 sites, then this means on 
> average, each site will have 10^20 possibilities.
>
> Based on the example above, we can see that not only are there a huge number 
> of partitions, but that even with a fast algorithm that could find matching 
> partitions, it would produce around 10^20 possible valid configurations. With 
> 10^20 possibilities, there is essentially no linkage. The Cash Fusion scheme 
> actually extends this obfuscation even further. Not only can players bring 
> many inputs, they can also have multiple outputs.
>
> ---------END QUOTE ---------
> --
> Best,
> Ádám
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Reply via email to