From: Yuval Kogman <nothingmuch@woobling.org>
Date: Wed, 9 Apr 2025 04:16:35 +0200
Message-ID: <CAAQdECB2=FPiTkJ5HT813tcK1522j-J1+2=S=nir6kb33KoQjw@mail.gmail.com>
Subject: Re: [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai)
 deanonymization attacks
To: Javier Mateos <javierpmateos@gmail.com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>

On Mon, 7 Apr 2025 at 12:35, Javier Mateos <javierpmateos@gmail.com> wrote:
> If the coordinator had malicious intentions in the beginning, these have been observed and brought to the table by a community that is always active and vigilant about these crucial issues. I believe this is already part of the healthy culture surrounding Bitcoin.

I don't see a reason to believe the privacy weaknesses I have
described have been exploited, due to the complexity of the attack. If
they are/were exploited as discussed with Sjors above in the thread,
users should be able to find evidence of that in their debug logs in
the case of wasabi. In regards to samourai, as far as I know no
coordinator is operating, and whirlpool functionality has been removed
from the fork that is still maintained.

That said, there also hasn't been much demand to actually fix these
issues. They've been publicly documented for years.

> -Overall Transparency: We need clear answers to questions such as: How are the residual funds calculated and allocated? Which wallet(s) are used? Ultimately, this information should be publicly verifiable on the blockchain.

As far as I know there are currently two compatible client
implementations, wasabi wallet and the btcpay coinjoin plugin. The
trezor feature was removed following the shutdown of the zksnacks
coordinator, as per
https://blog.trezor.io/important-update-transitioning-from-coinjoin-in-trezor-suite-9dfc63d2662f

It's not verifiable on the blockchain. To the extent that on chain
data can be inferred, liquisabi.com provides an estimate, but it's just a
likely interpretation (in that it's consistent with well known
behavior of the client and backend implementations), not proof,
although there's no reason to doubt this information (see earlier in
the thread re acknowledgement of the figures' accuracy).

The source code for these clients is readily available, and has been
throughout. Backend code is also available, but it is not possible to
verify what software coordinator operators are running. In Samourai's
case, there are different archives of the source code, since their
self hosted gitlab instance was taken down, so I can't make strong
claims about its authenticity, but regardless, since the service is no longer
in operation that doesn't matter as much.

> -Audit and Review of the Revenue Model: Is the current mechanism (which retains residual funds) the best option? Could the excess be redistributed among users? Should it be handed over to a group of independent auditors, or what alternative is best? These are questions aimed at finding more transparent options, especially if disclosed properly. They could even be addressed through a bounty, for example.

If there is demand for more transparent coordinators, no significant
barriers exist. Anyone can switch to the ones that have posted disclosures
instead of misrepresenting the facts, or start their own, and lead by
example by clearly communicating the trust assumptions, e.g. the
coinjoin.nl coordinator does that, but gets very little volume. If
people want to operate for profit coordinators, or ones that maybe
donate all the revenue to some specific cause (perhaps sponsoring
contributions to fix these issues?), that's their business, though
ideally they wouldn't advertise their service misleadingly.
Also note that the fee siphoning policy is trivial to revert, which
would mean that a 0 fee coordinator would really have revenue, with
any residues counting towards mining fees (decomposition can also be
improved to reduce these residues, as per #6580).

> -Audit and Review of the Protocol Architecture: The measures above would help and could pave the way for the adoption of technical mitigations.

In regards to wabisabi's architecture, that has already been done with
respect to what's in the paper. What matters more is the
implementation itself, not sure if that's what you meant by
architecture. Over several years I've made many critiques both before
I left (i.e. the aforementioned github links) as well as starting
after the mainnet release (mainly on twitter), but not a single one of
the concerns I've raised has been addressed or refuted. My suggestion
would be that people qualified to audit or review should probably
start by verifying or refuting the claims I have already made.

One of the mitigations I described in this thread (using multiple tor
circuits to obtain the round information and introduce consistency
checks between these) was supposedly planned to be implemented, or so
I was told in private, but unfortunately I see no evidence of progress
on that in the github repository. If new contributors are interested
in implementing that, or any of the other fixes described here or
elsewhere, I am happy to provide them with more details, but bear in
mind that some of the people still maintaining it dispute the
existence of these issues (the only rationale I've seen is "it's a
lightweight client", which is irrelevant).

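
The consistency check between round information obtained over separate Tor circuits, mentioned in the message above, sketched as an added example (not part of the original message and not Wasabi's code). The circuit labels, round ids and field names are hypothetical, and the network fetches are replaced by constructed sample data so the comparison logic runs offline.

```python
import hashlib
import json
from collections import defaultdict

def digest(round_info: dict) -> str:
    """Hash a canonical encoding so identical parameters always hash equally."""
    blob = json.dumps(round_info, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def check_consistency(views: dict) -> dict:
    """views maps circuit label -> {round_id: round_info} as seen over that circuit.
    Returns {round_id: reason} for every round that is not identical in all views."""
    findings = {}
    all_rounds = set().union(*(v.keys() for v in views.values()))
    for rid in sorted(all_rounds):
        missing = sorted(c for c, v in views.items() if rid not in v)
        by_digest = defaultdict(list)
        for circuit, v in views.items():
            if rid in v:
                by_digest[digest(v[rid])].append(circuit)
        if len(by_digest) > 1:
            # Same round id, different parameters: the views were partitioned.
            groups = sorted(sorted(g) for g in by_digest.values())
            findings[rid] = f"conflicting parameters: {groups}"
        elif missing:
            # May be benign timing (round created between fetches); re-fetch
            # before trusting the round, and do not register inputs meanwhile.
            findings[rid] = f"not shown to: {missing}"
    return findings

# Constructed sample: three views of the coordinator's round list, each
# standing in for a fetch over a separate circuit. All values are made up.
_R1 = {"fee_rate": 10, "max_inputs": 100, "coordinator_key": "K1"}
_R2 = {"fee_rate": 12, "max_inputs": 100, "coordinator_key": "K2"}
_R3 = {"fee_rate": 12, "max_inputs": 50, "coordinator_key": "K3"}
SAMPLE_VIEWS = {
    "circuit-a": {"r1": _R1, "r2": _R2, "r3": _R3},
    "circuit-b": {"r1": _R1, "r2": _R2, "r3": _R3},
    # This view gets a different key for r2 and is never shown r3.
    "circuit-c": {"r1": _R1, "r2": {**_R2, "coordinator_key": "K2x"}},
}

if __name__ == "__main__":
    for rid, reason in check_consistency(SAMPLE_VIEWS).items():
        print(rid, reason)
```

A client applying this would refuse to participate in any round that appears in the findings, and would log the differing views so the discrepancy can be reported.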