Delivery-date: Sat, 21 Dec 2024 06:26:32 -0800 Received: from mail-qt1-f187.google.com ([209.85.160.187]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1tP0R5-0001vi-8F for bitcoindev@gnusha.org; Sat, 21 Dec 2024 06:26:31 -0800 Received: by mail-qt1-f187.google.com with SMTP id d75a77b69052e-467a0a6c846sf65688261cf.1 for ; Sat, 21 Dec 2024 06:26:30 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1734791184; cv=pass; d=google.com; s=arc-20240605; b=Gd9mD/qMhq/wlvNn2vToetZveGRakOjlsfsCbaGhOQOQo0RsYP7hGpgQWRhjQYeCv8 EpQxIxYkWHOASvg+LuqQMN7QbIcPKoOZn3MHDQ0hxacuGYTmljatJy1VOqhsK2pQLJdo WuL2t7ASHqgvhxWUI1tdXlycZWTroZmEpL1N25s3XWH2iXakspCoRzdhZYQTs8To061R mHEwwoQVpvy1iek1pQc0IH2gXWlW6Jvc8LDy4jUKN+frkDlldPlpYbvMKCL52T13+5je oGbAq6PdJXsK8hhi9AqHfXx9vtKSe86jZrfbqWZk14sFpo1OrzAmDz2+eWOZMXCQfXVS cttg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:to:subject:message-id:date:from :mime-version:sender:dkim-signature; bh=UeEqfRUCFmj9/OHnkY+QsSxmRK2wDM1PY40KHV0FcW4=; fh=iyimZC6ud0HGfoahwsxVeQiitFHKUidxeSk3tsgF0W4=; b=IeAaOZegsBW1vmG1yy1PepFidm3jW/cFB7IYQCUsGV+g2EX9Cs8VPBepYJH1MFCzBt 1adGlpWJOzaNnjbqn3ZgThvIaLysxKs4qgVJmqpRXAvAviUQ4VOEwzpuMJOkk/EZ7PQV GtAheCh6bag0noUm0Q6jCwZBAhq8ykkMQ+Cj8quJ6t8WCB04gOT3aQOsrYB4uQtPRF+f JMHpi4om/mrkZ9+8cT7IOgFPWdPyXRs66a7egDkk65LKkwoCogXxi7WoFAqmjpASKiL3 6RKEeco4UDRQQ50PVNy/7BoSwfx+iojEUc6/oJuuGOcTFVBEkqCmieMIys9j6rs2TzV1 DnvQ==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@woobling.org header.s=google header.b=ScO4pTMN; spf=none (google.com: nothingmuch@woobling.org does not designate permitted sender hosts) smtp.mailfrom=nothingmuch@woobling.org; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1734791184; x=1735395984; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:to:subject:message-id:date:from:mime-version :sender:from:to:cc:subject:date:message-id:reply-to; bh=UeEqfRUCFmj9/OHnkY+QsSxmRK2wDM1PY40KHV0FcW4=; b=wRRLZvbTIoLShEdcWYW66Oi5ysRDF4+pOAi1dg5juWXw39d72ThBJMbh+SD/quZHVZ ZJD1px2CHkyblfV8dKKgekOIT//V+dkrZCzPstXX5n4qaa4QeWSxX2esu1frILvqFYx2 t673X1CAZJ1lU6OlYVsczxayHh4jLYwIN6N7ZTHZpbakUuGWd7x6rgMW4VR07eeTxtL4 DabgpO04+tPwuGusclpeGk5Ws/1ctLoWmTbli5SunYAD2dmMC8l+0P0RmhA3c+pWlV5R Z4LASCLmATSe399YZsNqHR+XAjtdZ00oJ91w8yT+ixNnU8yCtSDnL6AgMQhc0Ulnzu0j YT6g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734791184; x=1735395984; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:to:subject:message-id:date:from:mime-version :x-beenthere:x-gm-message-state:sender:from:to:cc:subject:date :message-id:reply-to; bh=UeEqfRUCFmj9/OHnkY+QsSxmRK2wDM1PY40KHV0FcW4=; b=uk1hglL/+op3UDkqtJLJMq4cYCtvjXVLg5aGsS7ediu5P7gHQbdRC003PEgdA+nMqJ wK98PJ4PV9Ck9Kz+noWToGTLSadMYwAXQBTDWR/ifsp8FxUNe1g53SUHTuMJUD/us9Ht y+MWdv7GZyt01SXq+pgJel0OToAluwtY2vuVryQToB/V/mvC3hrkc+ffHx02YrJHsZms jifyvWOp3qCjNOQAydxYn/2OpXJJP+OMyARrdwP4mnUUkH9RgP8sslYkeDeBhCqpCQar 5y4w/aADPeZ3e87yV87oUSNkQKpA3TNBbj/CKKiimC31GhKb0GpJqr7Ee0YMi3MD5qDe zEOg== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCW9ZenL00nzErogLymOex8ZMZ0cTTIWekM676/ueXqpw+mvw7LpeYlWON3r7a4/PRwutPC2yVb0ayn7@gnusha.org X-Gm-Message-State: AOJu0Yx+8YWLiDjHpiPNx8pS6Mll3rb7bMah7LY7qq44ESm9tylzCXBt BbI6Bmm1nzMH8OTirJiysbA2PfK66maNL0tYCv5QOmRmR50tuUN6 X-Google-Smtp-Source: AGHT+IElIhFPGIGco5+ZRMI64+qyi3JI7br6/2wWbjeTYAetUwiidWBPMjQ5xxlBLM90MmyhSjBZjA== X-Received: by 2002:ac8:59c4:0:b0:467:6b59:423 with SMTP id d75a77b69052e-46a4a9a4378mr116620331cf.55.1734791184493; Sat, 21 Dec 2024 06:26:24 -0800 (PST) X-BeenThere: bitcoindev@googlegroups.com Received: by 2002:ac8:4609:0:b0:468:f965:339d with SMTP id d75a77b69052e-46a3b07bccdls44601751cf.0.-pod-prod-09-us; Sat, 21 Dec 2024 06:26:22 -0800 (PST) X-Received: by 2002:a05:620a:1790:b0:7b6:cb4c:10e8 with SMTP id af79cd13be357-7b9ba716c09mr1061332585a.11.1734791179554; Sat, 21 Dec 2024 06:26:19 -0800 (PST) Received: by 2002:a05:620a:22a:b0:7b6:d314:a4e5 with SMTP id af79cd13be357-7b9b9633366ms85a; Sat, 21 Dec 2024 06:16:24 -0800 (PST) X-Received: by 2002:a05:600c:3b23:b0:434:a525:7257 with SMTP id 5b1f17b1804b1-43668b49a05mr50984885e9.21.1734790582701; Sat, 21 Dec 2024 06:16:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1734790582; cv=none; d=google.com; s=arc-20240605; b=OqsPAPyI1jmbdvKFd6kuDn+z4AqPyL3i1qyQ1BzTgI4mPXxD6b+xG8XBV5RhfrM4ln dPEHx0YUozREeaT0fP5llMMix/GWw+vB9Zxzgkg7TYAa42lcOEOqnbudYsCB/QyyMYlq ene6HxM65dJ973qvyWYhgFnv/9bKhNQBAipRmF3WafW1ex2rf0t07SaMTrNYWc+RGDAF WRjeKvBGm8R45UBFuKFoObvSa6NzoitxBVEXSaFul2VkNOiVQMxBaqZlSM3od9eEytXI 0SUsMz9ghNFEPm3CgBdpSwWefq2WHkDlhuZiKDmqhql5YKQcpbC3x6L58Y02yal3ruB/ jndg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=/Jom5Znrw/ZzI99w4otSKRzMCZLg52T2WAl/MuFQcbA=; fh=DMP0F9ULS1guKiqimntQRCN8ZraraesEgQuVcn7F0Z0=; b=HlRDLdfwVqHVqLY5yZfEUlOsy3u6nyiiqrRkKPs4aWMkSYVFmOXzxNCkO9rXJVCT85 DA/vIS6GM1y/5zHNsld3nZc+0TQ6jt6jNMWXT50h8EHYiK9jOsaUYt9RiU6rhirKjS+D YC2yPUElr8hR1hrZ5fYWcycQqZmxfb/jxJy+QsuE86UnUO4HxK51GNAM/iNqFCajQrPN 1uVNgRi4UUc283OKmleakC3r0fwlwsrz6Zx1Zo1Kmj9IFw/nfVXTyo+sNuW/HZmvX+r1 SNLD4Tk30Y3ZKoKbBT1mOYxqbFNndh08YDuxuupDyUD5BL/A1IKc3aToNSMNTLLveuLh lcLw==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@woobling.org header.s=google header.b=ScO4pTMN; spf=none (google.com: nothingmuch@woobling.org does not designate permitted sender hosts) smtp.mailfrom=nothingmuch@woobling.org; dara=pass header.i=@googlegroups.com Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com. [2a00:1450:4864:20::22c]) by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-4364b058038si7604405e9.1.2024.12.21.06.16.22 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 21 Dec 2024 06:16:22 -0800 (PST) Received-SPF: none (google.com: nothingmuch@woobling.org does not designate permitted sender hosts) client-ip=2a00:1450:4864:20::22c; Received: by mail-lj1-x22c.google.com with SMTP id 38308e7fff4ca-30167f4c1e3so30601681fa.3 for ; Sat, 21 Dec 2024 06:16:22 -0800 (PST) X-Gm-Gg: ASbGnctwdme7pWKl9gi1qUa36rAuvGYpH6oiHWXBVPtEGS0naz8o4d3RfmfSRGxWp1w szvkwuwozW4hqi8lpo2nHRIVloOZtEiva5bYAFQ== X-Received: by 2002:a05:6512:230d:b0:53f:8c46:42bb with SMTP id 2adb3069b0e04-5422955ff80mr1815982e87.40.1734790580325; Sat, 21 Dec 2024 06:16:20 -0800 (PST) MIME-Version: 1.0 From: Yuval Kogman Date: Sat, 21 Dec 2024 15:16:09 +0100 Message-ID: Subject: [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai) deanonymization attacks To: Bitcoin Development Mailing List Content-Type: text/plain; charset="UTF-8" X-Original-Sender: nothingmuch@woobling.org X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@woobling.org header.s=google header.b=ScO4pTMN; spf=none (google.com: nothingmuch@woobling.org does not designate permitted sender hosts) smtp.mailfrom=nothingmuch@woobling.org; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) Following the recent Wasabi & GingerWallet vulnerability report[^1] and its "fix", I would like to bring up (reiterate, but for the first time on the mailing lists) some broader deanonymization issues with both Wasabi / GingerWallet and Samourai wallet's CoinJoin protocols. These vulnerabilities were never truly discovered and consequentially not disclosed, responsibly or otherwise, because they had always been in the protocols. Neither team seems capable of addressing these for a variety of reasons. Personal disclosure: I was involved in the design of WabiSabi, as well as its implementation but left in protest before its release. I maintain that this software is not fit for purpose and should not be used unless users trust the coordinators with their privacy. Furthermore, I allege that rent seeking behavior explains the apparent incompetence and willful ignorance, and caution against applying Hanlon's razor too charitibly. In regards to Wasabi/GingerWallet, especially in light of the various "community" WabiSabi protocol coordinators, it's important to make users aware of the degree of trust they place in these services. Wasabi developers are still claiming that these issues are not fixable, which is incorrect to say the least, especially considering that when I was contributing to the project and taking for granted that these issues would be addressed I got no pushback, nor any indication that they did not understand the issue at the time. Whirlpool is now defunct, but Samourai proponents are claiming that their developers have warned about the Wasabi vulnerability, despite the Whirlpool protocol having a more blatant and easily exploitable version of the same category of attack, so it's worth setting the record straight. The whirlpool client code was included in Sparrow wallet until v1.9.0 when it was removed following the shutdown of the whirlpool service. [^1]: https://bitcoinops.org/en/newsletters/2024/12/13/#deanonymization-vulnerability-affecting-wasabi-and-related-software ## Preliminaries Both protocols facilitate multiparty transaction construction, ostensibly utilizing cryptography for privacy preserving denial of service protection. TxOut addition requires authorization tokens, an unblinded signature in Whirlpool's case, or an anonymous credential in WabiSabi's, that is supposed to not be linkable to any of the client's added TxIns. In both protocols a malicious coordinator can trick the existing client implementations into making fully deanonymized requests. In Whirlpool this means a TxOut is linkable to a TxIn. In WabiSabi this means that the set of TxOuts is linkable to the set of TxIns of a single client. ### Whirlpool This is a trivial deanonymization attack reliant on the fact that the client completely trusts the server with regards to the consistency of the blind signing key. In Whirlpool, the server's blind signing key is obtained by the client by extracting it from the response to the input registration request.[^2] Subsequently, this key is used to make blind signing requests during the confirmation phase.[^3] After a blind signature is given to the client the unblinded signature is used to request an output registration.[^4] Because the key is not announced a priori, nor is it signed by the participants' spending keys before output registration or signing[^5], the server can provide each input with a unique RSA key. Since the unblinded signatures are made by different keys, the server can learn the mapping from inputs to outputs. This description along with some preliminaries is also posted on github.[^6]. [^2]: https://github.com/Archive-Samourai-Wallet/whirlpool-client/blob/99c1acc101f53fef21fbcc5d23cb05eafb7324e9/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L140-L141 [^3]: https://github.com/Archive-Samourai-Wallet/whirlpool-client/blob/99c1acc101f53fef21fbcc5d23cb05eafb7324e9/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L146 [^4]: https://github.com/Archive-Samourai-Wallet/whirlpool-client/blob/99c1acc101f53fef21fbcc5d23cb05eafb7324e9/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L185 [^5]: https://github.com/Archive-Samourai-Wallet/whirlpool-client/blob/99c1acc101f53fef21fbcc5d23cb05eafb7324e9/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L216 [^6]: https://gist.github.com/nothingmuch/74d0b0bd63a2d663efce5e8a82d32bca ### WabiSabi This affects Wasabi Wallet, and Ginger Wallet which is a fork of Wasabi. Trezor Suite was also affected, but has subsequently removed support for coinjoins[^18]. They too were made aware of various issues and chose to ignore them, despite contributing the limited (read: purely theater for privacy, only addressing hardware wallet specific theft scenario) ownership proof verification. Here the issue is more complex, but ultimately reduces to key consistency as well. In the protocol clients register their Bitcoin UTXOs independently. A valid input registration request includes a BIP-322 ownership proof, which commits to the so called *Round ID*. This in turn is a hash commitment to the parameters of the round, including the server's anonymous credential issuance parameters (analogous to a public key). The parameters are obtained by polling the server for information about active rounds. If inconsistent round IDs are given to clients, this effectively partitions them, allowing deanonymization. Although clients obtain the ownership proofs of other clients and seemingly verify them, BIP-322 proofs verification requires knowledge of the spent outputs `scriptPubKey` which light clients cannot obtain on their own. This public key is included alongside the ownership proofs, which makes their verification non-binding, the server can generate unrelated public keys, and create ownership proofs with those keys that commit to the per-client round IDs, which the client will accept as valid. This issue was described before the initial release[^7] but never addressed. Although subsequently ownership proofs were given to clients[^8], this change only addressed the use of ownership proofs to identify a wallet's own inputs in a stateless signing device, without addressing the consistency issues. Because the server provides the public key against which unknown inputs ownership proofs must be verified, that places them under adversarial control. Related issues and comments I have posted over the years: - unimplemented consistency check that does not depend on prevout also not implemented[^9] - no commitment to coordinator address in the round parameters[^10], although this was temporarily fixed the fix was reverted[^11] - additional missing fields in the round parameter commitments, and rationale addressing tagging attacks[^12] - initial description of blind signature based protocol, which predates my collaboration and design of the anonymous credential based protocol which also addresses this explicitly[^13] Finally, although not in scope I will also note that poor coin selection (bad randomization and de-randomization), improper randomization of input registration timing, and tor circuit management increase the probability of the success of such an attack, by making it easier to target specific users. Additional concerns exist for alternative clients due to use of JSON and HTTP in the protocol, in the C# implementation serialization by a 3rd party JSON library, which may canonicalize JSON differently (e.g. ordering of properties in JSON objects), etc. Additionally, although designed with coordination fees in mind, the anonymous credential mechanism did not enforce that coordination fees are fair or incentive compatible (nor can it with non-binding ownership proofs, though the main privacy concern there is the coordinator lying about the values of other clients' prevouts leading to poor amount decomposition), resulting in thefts of user funds[^14][^15], but this has now been removed[^16]. Again a version of this with some preliminaries is also on github.[^17] [^7]: https://github.com/WalletWasabi/WalletWasabi/issues/5533 [^8]: https://github.com/WalletWasabi/WalletWasabi/pull/8708 [^9]: https://github.com/WalletWasabi/WalletWasabi/issues/6394#issuecomment-920225648 [^10]: https://github.com/WalletWasabi/WalletWasabi/issues/5992 [^11]: https://github.com/WalletWasabi/WalletWasabi/pull/8708/files#diff-04b849802b4adf5b34756a49b498f2ac97247cbb64424e5a69ee64c28a7033bcR120 [^12]: https://github.com/WalletWasabi/WalletWasabi/issues/5439 [^13]: https://gist.github.com/nothingmuch/61968fde675a596758bffd4c278ac096 [^14]: https://github.com/WalletWasabi/WalletWasabi/discussions/13249 [^15]: https://bitcointalk.org/index.php?topic=5499439.msg64309927#msg64309927 [^16]: https://archive.is/xFRHO [^17]: https://gist.github.com/nothingmuch/4d717e12e451ff4ce43474972e41c6ba [^18]: https://blog.trezor.io/important-update-transitioning-from-coinjoin-in-trezor-suite-9dfc63d2662f -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAAQdECCdRVV%2B3ZoJhOotKEvmUV4yrV7EYWE8SOWCE1CF9tZ6Yg%40mail.gmail.com.