From: Jonas Nick
Date: Thu, 26 Sep 2024 14:34:47 +0000
Subject: Re: [bitcoindev] Re: Shielded CSV: Private and Efficient Client-Side Validation
To: bitcoindev@googlegroups.com
Message-ID: <14b8d064-1097-4cc5-a0f4-56bbd4f9417b@gmail.com>
In-Reply-To: <33cd30ab-c5c2-4785-9815-4a2da3c7e267n@googlegroups.com>

Hi Antoine,

Thank you for your comments. They are touching on some of the key aspects of the
protocol.

> in this proposed CSV scheme it sounds each nullifier verification participant
> needs the bandwidth cost to read the whole of the blockchain.

You're correct. Shielded CSV nodes need to have access to the current best
blockchain, similar to regular Bitcoin nodes. Shielded CSV nodes scan for
64-byte nullifiers, verify their half-aggregate signatures and place them in a
data structure we call "nullifier accumulator".

There's potential for a light client scheme, where users don't validate blocks,
but infer the best blockchain via proof-of-work (similar to SPV) and obtain the
corresponding nullifier accumulator value from somewhere. In addition, they
receive a succinct proof that the blockchain is valid and the nullifier
accumulator value is correct.

This model allows the light client to receive transactions. However, to create
transactions, they need to prove inclusion in the nullifier accumulator, which
requires knowledge of the nullifiers in the blockchain. There are some ideas for
how to do this in a relatively light fashion, but nothing concrete yet. It's
certainly an interesting area for further exploration.

> there could be a way to hide the coin creation time

A coin (the data sent to the recipient) contains the exact location of the
nullifier that created the coin. This is indeed a noteworthy issue and we
discuss the implications in section 6.3 of the paper. In particular, revealing
the nullifier location implies that outputs of the same transaction are
linkable. We therefore suggest that regular wallets should just create a single
output.

A fundamental limitation of the Shielded CSV model appears to be that the sender
must reveal an upper bound on when the coin has been created ("This coin is
older than the block at height..."). Otherwise, the receiver would not know how
long to wait until the coin has sufficient confirmations. In fact, a previous
version of the Shielded CSV protocol did exactly that. But we moved away from
that because it was incompatible with our ideas to support pruning the wallet
state (i.e., removing old transaction history), which is an important aspect in
holistic privacy.

We came up with a version of the protocol that supported prunable wallet state
and only leaked the block in which the coin was created and not the exact
nullifier. However, this version has two drawbacks:

1. The state the wallet needs to keep for the unpruned transaction history is
   larger: 256 bits per received coin (one hash) instead of about 60 bits (the
   blockchain location).
2. The privacy improvement is fuzzy and difficult to understand. In the extreme
   case, such as when there's only one nullifier in the block, there's no
   improvement over the current Shielded CSV version.

But I agree, if possible without significant drawbacks, this privacy leak should
be mitigated.