Re: [bitcoin-dev] LN & Coinjoin, a Great Tx Format Wedding
‐‐‐ Original Message ‐‐‐ On Friday, 21 February 2020 22:17, Antoine Riard via bitcoin-dev wrote: > How can a Bitcoin tranaction leak protocol usage ? > * the output type (p2sh, p2wsh, ...) > * the spending policy (2-of-3 multisig, timelock, hashlock,...) > * outputs ordering (BIP69) > * nLocktime/nSequence > * RBF-signaling > * Equal-value outputs > * weird watermark (LN commitment tx obfuscated commitment number) > * fees strategy like CPFP > * in-protocol announcements [0] > Good list. Another one, usually wouldn't be *protocol* as much as wallet leakage, but could be: utxo selection algorithm (which of course may be difficult to deduce, but often, far from impossible). (Also trivial and increasingly irrelevant, but nVersion). With regards to coinjoin in this context (I know your points are much broader), my comment is: For existing protocols (joinmarket's, wasabi's, samourai's), in the equal-outs paradigm, I don't see much that can be done in this area. But I would ask people to consider CoinJoinXT[1] more seriously in a taproot/schnorr world, since it addresses this exact point. With a short (not cross-block like swaps or LN setup) interaction, participants can arrange the effect of coinjoin without the on-chain watermark of coinjoin (so, steganographic). The taproot/schnorr part is needed there because multisig is required from transaction to transaction in that protocol, so doing it today is less interesting (albeit still interesting). waxwing [1] https://joinmarket.me/blog/blog/coinjoinxt/ ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] LN & Coinjoin, a Great Tx Format Wedding
Good morning waxwing, > ‐‐‐ Original Message ‐‐‐ > On Friday, 21 February 2020 22:17, Antoine Riard via bitcoin-dev > bitcoin-dev@lists.linuxfoundation.org wrote: > > > How can a Bitcoin tranaction leak protocol usage ? > > > > - the output type (p2sh, p2wsh, ...) > > - the spending policy (2-of-3 multisig, timelock, hashlock,...) > > - outputs ordering (BIP69) > > - nLocktime/nSequence > > - RBF-signaling > > - Equal-value outputs > > - weird watermark (LN commitment tx obfuscated commitment number) > > - fees strategy like CPFP > > - in-protocol announcements [0] > > Good list. > Another one, usually wouldn't be protocol as much as wallet leakage, but > could be: utxo selection algorithm (which of course may be difficult to > deduce, but often, far from impossible). > (Also trivial and increasingly irrelevant, but nVersion). > > With regards to coinjoin in this context (I know your points are much > broader), my comment is: > For existing protocols (joinmarket's, wasabi's, samourai's), in the > equal-outs paradigm, I don't see much that can be done in this area. > But I would ask people to consider CoinJoinXT[1] more seriously in a > taproot/schnorr world, since it addresses this exact point. With a short (not > cross-block like swaps or LN setup) interaction, participants can arrange the > effect of coinjoin without the on-chain watermark of coinjoin (so, > steganographic). The taproot/schnorr part is needed there because multisig is > required from transaction to transaction in that protocol, so doing it today > is less interesting (albeit still interesting). CoinJoinXT is indeed something I am interested in at some point: https://zmnscpxj.github.io/bitcoin/coinjoinxt.html The above writeup is a client-server model, with multiple clients mixing. If none of the participants reveal that a CoinJoinXT was done, then the graph is difficult to detect as such. However, if any participants reveal that a CoinJoinXT was done, it has a fallback such that it is almost as good as an equal-value CoinJoin (but takes up more block space). At least it is not immediately obvious that it is in fact a CoinJoinXT from *just* a simple transaction analysis, which we hope is enough to deter simple policies like "check N transactions back for a transaction with more than one equal-valued output". Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] LN & Coinjoin, a Great Tx Format Wedding
Ggood morning Antoine, and list, > * nLocktime/nSequence > ... > * weird watermark (LN commitment tx obfuscated commitment number) > ... > LN (cooperative case): I notice your post puts little spotlight on unilateral cases. A thing to note, is that we only use `nSequence` and the weird watermark on unilateral closes. Even HTLCs only exist on unilateral closes --- on mutual closes we wait for HTLCs to settle one way or the other before doing the mutual close. If we assume that unilateral closes are rare, then it might be an acceptable risk to lose privacy in that case. Of course, it takes two to tango, and it takes two to make a Lightning channel, so --- In any case, I explored some of the difficulties with unilateral closes as well: * https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-January/002421.html * https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-January/002415.html On mutual closes, we should probably set `nLockTime` to the current blockheight + 1 as well. This has greater benefit later in a Taproot world. > Questions: > * Are there any protocol-specific semantic wrt to onchain transactions > incompatibility > between Coinjoin and cooperative LN txn ? A kind of non-equal-value CoinJoin could emulate a Lightning open + close, but most Lightning channels will have a large number of blocks (thousands or tens of thousands) between the open and the close; it seems unlikely that a short-term channel will exist that matches the non-equal-value CoinJoin. In particular, a LN cooperative close will, in general, have only one input. A new form of CoinJoin could, instead of using a single transaction, use two, with an entry transaction that spends into an n-of-n of the participants, and the n-of-n being spent to split the coin back to their owners. But again: a Lightning network channel would have much time with the funds in a single UTXO before later splitting the funds, This also starts edging closer to CoinJoinXT territory. > * What about RBF-by-default ? Should always be on, even if we do not (yet) have a facility to re-interact to bump fees higher. While it is true that a surveillor can determine that a transaction has in fact been replaced (by observing the mempool) and thus eliminate the set of transactions that arose from protocols that mark RBF but do not (yet) have a facility to bump fees higher, this information is not permanently recorded on all fullnodes and at least we force surveillors to record this information themselves. > * Core wallet or any other protocol or even batching algorithms could adopt > to this format ? It seems likely. However, it seems to me that we need to as well nail down the details of this format. > * Is artificially increasing the number of outputs to mimic Coinjoins txn > acceptable wrt to utxo bloat/fees ? That is indeed an issue. Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Non-equal value CoinJoins. Opinions.
> It seems to me that most users will not have nearly the same output of "around 1 BTC" While that would be true out of context, it depends on how you interpret it and they interpret it really broadly: " One input might be 0.03771049 BCH; the next might be 0.24881232 BCH, etc. " > anyway if you deploy this on a real live mainnet, and if your math requires that you have "around 1 BTC" outputs per user. you might as well just use equal-valued CoinJoins, where the equal-valued outputs at least are completely unlinked from the inputs. > e.g. if you have a CashFusion transaction with outputs 1.0, 1.1, 0.99, you could transform that to a CoinJoin with 0.99, 0.99, 0.99, 0.01, 0.11 outputs. Equal valued coinjoins (1) waste more blockspace as your example illustrates and (2) prevent arbitrary amounts, so you cannot send in coinjoins. > Indeed, the change outputs of an equal-valued CoinJoin would have similar analyses to CashFusion, since the same analysis "around 1 BTC" can be performed with the CoinJoin change outputs "around 0 BTC". I've been wondering about this too. I think it cannot be applied to existing CoinJoin schemes, as coin selection heuristics are quite a help and that could be a reason why the changes can be deanonymized (I assume.) For example if I want to analyze a Wasabi CJ, then I assume every input that have > 0.1 BTC value to be THE valid input partition and I will only look for the valid matching partition on the output side. I won't try to find all the partitions and look at all the possible subset sums. ( https://github.com/nopara73/Notes/blob/master/BellNumber.md, https://github.com/nopara73/Notes/blob/master/SubSetSum.md) At the very least coin selection for equal value coinjoins can be relaxed to remove such assumptions and make the above math applicable for the change. (If works.) On Sun, Dec 29, 2019 at 12:25 AM ZmnSCPxj wrote: > Good morning Adam, > > > The CashFusion research came out of the Bitcoin Cash camp, thus this > probably went under the radar of many of you. I would like to ask your > opinions on the research's claim that, if non-equal value coinjoins can be > really relied on for privacy or not. > > > > (Btw, there were also similar ideas in the Knapsack paper in 2017: > https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-trustcom-coinjoin.pdf > ) > > > > > https://github.com/cashshuffle/spec/blob/master/CASHFUSION.md#avoiding-amount-linkages-through-combinatorics > > > > > I copy the most relevant paragraphs here: > > > > -BEGIN QUOTE - > > > > > > Consider a transaction where 10 people have each brought 10 inputs of > arbitary amounts in the neighborhood of ~0.1 BCH. One input might be > 0.03771049 BCH; the next might be 0.24881232 BCH, etc. All parties have > chosen to consolidate their coins, so the transaction has 10 outputs of > around 1 BCH. So the transaction has 100 inputs, and 10 outputs. The first > output might be 0.91128495, the next could be 1.79783710, etc. > > > > Now, there are 100!/(10!)^10 ~= 10^92 ways to partition the inputs into > a list of 10 sets of 10 inputs, but only a tiny fraction of these > partitions will produce the precise output list. So, how many ways produce > this exact output list? We can estimate with some napkin math. First, > recognize that for each partitioning, each output will typically land in a > range of ~10^8 discrete possibilities (around 1 BCH wide, with a 0.0001 > BCH resolution). The first 9 outputs all have this range of possibilities, > and the last will be constrained by the others. So, the 10^92 possibilies > will land somewhere within a 9-dimensional grid that cointains > (10^8)^9=10^72 possible distinct sites, one site which is our actual output > list. Since we are stuffing 10^92 possibilties into a grid that contains > only 10^72 sites, then this means on average, each site will have 10^20 > possibilities. > > > > Based on the example above, we can see that not only are there a huge > number of partitions, but that even with a fast algorithm that could find > matching partitions, it would produce around 10^20 possible valid > configurations. With 10^20 possibilities, there is essentially no linkage. > The Cash Fusion scheme actually extends this obfuscation even further. Not > only can players bring many inputs, they can also have multiple outputs. > > > > -END QUOTE - > > -- > > > It seems to me that most users will not have nearly the same output of > "around 1 BTC" anyway if you deploy this on a real live mainnet, and if > your math requires that you have "around 1 BTC" outputs per user. you might > as well just use equal-valued CoinJoins, where the equal-valued outputs at > least are completely unlinked from the inputs. > > Indeed, the change outputs of an equal-valued CoinJoin would have similar > analyses to CashFusion, since the same analysis "around 1 BTC" can be > performed with the CoinJoin change outputs "around 0 BTC". > > * You can always
