To: bitcoin-dev@lists.linuxfoundation.org
From: Max Hillebrand
Date: Wed, 15 Jan 2020 22:23:15 +0100
Subject: [bitcoin-dev] Wormhole: Sending and receiving bitcoin anonymously

Hello all!

May I propose you this protocol which seemingly provides a great level of privacy for both the sender and receiver of bitcoin.
This was initially posted to the [Wasabi Wallet GitHub](https://github.com/zkSNACKs/Meta/issues/64), and after thorough contemplation and minor tweaks, I would now like to request your feedback on the conceptual design and possible implementation.

Cheers
Max

# Wormhole

## Abstract

A protocol to transfer bitcoin, without the receiver gaining knowledge of the input of the sender, and without the sender gaining knowledge of the output of the receiver, while simultaneously generating equal value CoinJoin outputs with anonymity set.

## Introduction

This is achieved by minor changes to the [Zero Link](https://github.com/nopara73/zerolink) CoinJoin protocol, utilizing a centralized coordinator who cannot steal, and cannot spy. Schnorr blind signatures are used to obfuscate the link between inputs and equal value outputs throughout the ceremony. The coordinator does not gain knowledge that Wormhole is used.

## Protocol

- Alice A [with tor identity A1 and A2] has a 5.5 bitcoin UTXO
- A sends 1 bitcoin to Bob B [with tor identity B1 and B2]
- Wasabi server W coordinates the zero link CoinJoin:
    -- Equal value denominations are 1, 2, 4, 8, 16, 32 bitcoin
    -- Anonymity set for each denomination is 100
    -- Wormhole protocol is opt-in for some unknown number of peers

### Input Registration

- A generates an input proof of the 5.5 bitcoin UTXO
- A generates one `blindedOutput` with 4 bitcoin, and one `changeAddress` with 0.5 bitcoin
- B generates one `blindedOutput` with 1 bitcoin & he sends this to A
- A1 sends all of the above to W
- W verifies
    -- `maxInputsPerRegistration` not reached
    -- `maxInputPerTx` not reached
    -- `blindedOutput` never registered
    -- each input
        --- not already registered for this round
        --- UTXO not banned
        --- proof
        --- unspent
        --- if coinbase, confirmations > 100
        --- must be SegWit v0 [maybe also v1] bech32
        --- is from unconfirmed CoinJoin tx
- W generates `uniqueID`
- W signs all `blindedOutput`
- W sends `uniqueID` & `signedBlindedOutput` to A1

### Connection Confirmation

- Starts when `timeSinceLastRound > maxWaitPeriod` OR `registeredInputs > requiredInputs`
- A abandons if confirmation is refused
- A1 sends `uniqueID` to W
- W verifies `uniqueID`, and calculates `roundHash = hash of all registered inputs`
- W sends `roundHash` to A1 and B1

### Output Registration

- Starts when `confirmedUniquelds == registeredInputs` OR `timeout && confirmedUniquelds >= requiredInputs`
- A sends `signedBlindedOutput_B` to B
- Both A and B unblind the `signedBlindedOutput`
- Both A2 and B2 send `output` & `signature` & `roundHash` **DIRECTLY** to W - they do **NOT** send to each other
- W verifies `roundHash` & `signature` & `Output`

### Signing

- Starts when `outputs == registeredInputs` OR `timeout` [go signing, even if there are missing outputs to identify them and ban them as they won't sign]
- W builds CoinJoin transaction `CJTX` and sends to A1 and B1 and all other peers
- A and B verify `roundHash` [by calculating hash of all `txInputs`]
- B verifies that his output is included & signs a commitment message m where he acknowledges that it is included & sends m to A
- A verifies that her input and her outputs are included & verifies B signature of m [assumption that Bob provides a correct address, as with any transaction] & signs `CJTX`
- A1 sends `uniqueID` & `signature, inputIndex` to W - A does **NOT** send this to B
- W verifies `uniqueID` & each signature against `inputs[uniqueID][index]`

### Broadcast TX

- Starts when `signatures == registeredInputs`
- W broadcasts signed transaction to the Bitcoin peer-to-peer network

## Result

- A has one 4 bitcoin UTXO with 100 anonset & one 0.5 bitcoin UTXO with 1 anonset
- B has one 1 bitcoin UTXO with 100 anonset
- W knows the input and change of A & W does not know who controls which equal value output & W does not know that B has no inputs
- A does not know the output of B, there are 99 possible coins.
- B does not know the input and outputs of A, there are 100+ possible coins.

## Communication

This is an interactive protocol with several rounds of communication, thus all A & B & W need to be online. The communication between A and B can be done on any suitably private channel, including but not limited to tor, QR codes, SD cards, or carrier pigeon. The communication between A / B & W will be the same as used for the regular zero link implementation, most likely tor.

## Privacy

The equal value zero link outputs from A and B have the anonymity set of the total number of equal value zero link outputs in the same transaction. Wormhole breaks the assumption that zero link is a consolidation within the same wallet [`Input Alice = Output Alice + Fee`], in a way that neither A nor B can spy on each other. W does not know if any peer is using Wormhole, none or one or all peers **might** use it.

## Questions

I am not sure what information is broadcasted from W to all peers in the round, and if Bob can get this information without revealing that he is the receiver of a Wormhole transaction [he has no input proof]. What information can be sent from W to B directly will determine the trust level of A passing honest messages.

Wormhole might be used in conjunction with [Pay to Endpoint](https://medium.com/@nopara73/pay-to-endpoint-56eb05d3cac6) or [Knapsack](https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-trustcom-coinjoin.pdf) so that A can send a specific amount to B, with part being the equal value zero link output, and part the P2EP change, or Knapsack sub-transaction.

[Atomic coin swaps](https://github.com/ElementsProject/scriptless-scripts/blob/master/md/atomic-swap.md) with Schnorr adaptor signatures might be integrated, so A input in `CJTX1` "pays" B output in `CJTX2`, but this might require B to know the signature [and thus the input] of A.

--
This email was signed with my PGP key [E900 5F66 A86B B816 BD7D 967E BEDC D95C 42AC 3C57](https://towardsliberty.com/contact/PGP_MaxHillebrand.txt)

Please verify it on my [website](https://towardsliberty.com/contact), [github](https://github.com/maxhillebrand/contact) and on the bottom right corner of my [videos](https://towardsliberty.com/videos).
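The blind-signature steps of Input Registration and Output Registration, as an added example that is not part of the original email nor code from Wasabi or ZeroLink: a textbook blind Schnorr signature with W, A and B in the roles the protocol gives them. Assumptions: the toy group parameters, the placeholder output strings, the slot names, and that W hands out one nonce commitment per blinded output which A relays to B (the email does not say how B obtains it).

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real
# use: P = 2*Q + 1 with P, Q prime, and G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, output):
    digest = hashlib.sha256(f"{R}|{output}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

class Coordinator:  # plays W
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1   # round signing key
        self.y = pow(G, self.x, P)              # public key known to all peers
        self.nonces, self.seen = {}, []         # seen: all W learns at input registration
    def nonce(self, slot):                      # assumption: one commitment per blinded output
        self.nonces[slot] = secrets.randbelow(Q - 1) + 1
        return pow(G, self.nonces[slot], P)
    def sign_blinded(self, slot, e):            # W signs without seeing the output
        self.seen.append(e)
        return (self.nonces.pop(slot) + e * self.x) % Q
    def verify(self, output, sig):              # check done at output registration
        R, s = sig
        return pow(G, s, P) == R * pow(self.y, challenge(R, output), P) % P

def blind(y, R, output):
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    R2 = R * pow(G, a, P) * pow(y, b, P) % P
    return (challenge(R2, output) + b) % Q, (R2, a)  # blindedOutput, secret state

def unblind(state, s):
    R2, a = state
    return R2, (s + a) % Q

def wormhole_round(out_a="alice-4btc-output", out_b="bob-1btc-output"):
    """Constructed placeholder outputs; returns W plus both parties' views."""
    w = Coordinator()
    r_a, r_b = w.nonce("A"), w.nonce("B")
    e_b, st_b = blind(w.y, r_b, out_b)          # B blinds, sends only e_b to A
    e_a, st_a = blind(w.y, r_a, out_a)
    s_a = w.sign_blinded("A", e_a)              # A1 registers both with her input
    s_b = w.sign_blinded("B", e_b)
    sig_a = unblind(st_a, s_a)                  # A keeps hers, forwards s_b to B
    sig_b = unblind(st_b, s_b)                  # B unblinds; B2 submits directly to W
    return {"w": w, "e_b": e_b, "s_b": s_b, "sig_a": sig_a, "sig_b": sig_b}
```

The values W stored in `seen` at input registration appear in neither unblinded signature, which is what prevents W from matching B's registered output to A's input.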