Sender: Jonas Nick <jonasdnick@gmail.com>
Message-ID: <14b8d064-1097-4cc5-a0f4-56bbd4f9417b@gmail.com>
Date: Thu, 26 Sep 2024 14:34:47 +0000
Subject: Re: [bitcoindev] Re: Shielded CSV: Private and Efficient Client-Side Validation
To: bitcoindev@googlegroups.com
References: <b0afc5f2-4dcc-469d-b952-03eeac6e7d1b@gmail.com>
<33cd30ab-c5c2-4785-9815-4a2da3c7e267n@googlegroups.com>
From: Jonas Nick <jonasd.nick@gmail.com>
In-Reply-To: <33cd30ab-c5c2-4785-9815-4a2da3c7e267n@googlegroups.com>
Hi Antoine,

Thank you for your comments. They are touching on some of the key aspects of the
protocol.

> in this proposed CSV scheme it sounds each nullifier verification participant
> needs the bandwidth cost to read the whole of the blockchain.

You're correct. Shielded CSV nodes need to have access to the current best
blockchain, similar to regular Bitcoin nodes. Shielded CSV nodes scan for
64-byte nullifiers, verify their half-aggregate signatures and place them in a
data structure we call "nullifier accumulator".

There's potential for a light client scheme, where users don't validate blocks,
but infer the best blockchain via proof-of-work (similar to SPV) and obtain the
corresponding nullifier accumulator value from somewhere. In addition, they
receive a succinct proof that the blockchain is valid and the nullifier
accumulator value is correct.

This model allows the light client to receive transactions. However, to create
transactions, they need to prove inclusion in the nullifier accumulator, which
requires knowledge of the nullifiers in the blockchain. There are some ideas for
how to do this in a relatively light fashion, but nothing concrete yet. It's
certainly an interesting area for further exploration.

> there could be a way to hide the coin creation time

A coin (the data sent to the recipient) contains the exact location of the
nullifier that created the coin. This is indeed a noteworthy issue and we
discuss the implications in section 6.3 of the paper. In particular, revealing
the nullifier location implies that outputs of the same transaction are
linkable. We therefore suggest that regular wallets should just create a single
output.

A fundamental limitation of the Shielded CSV model appears to be that the sender
must reveal an upper bound on when the coin has been created ("This coin is
older than the block at height..."). Otherwise, the receiver would not know how
long to wait until the coin has sufficient confirmations.

In fact, a previous version of the Shielded CSV protocol did exactly that. But
we moved away from that because it was incompatible with our ideas to support
pruning the wallet state (i.e., removing old transaction history), which is an
important aspect in holistic privacy.

We came up with a version of the protocol that supported prunable wallet state
and only leaked the block in which the coin was created and not the exact
nullifier. However, this version has two drawbacks:

1. The state the wallet needs to keep for the unpruned transaction history is
larger: 256 bits per received coin (one hash) instead of about 60 bits (the
blockchain location).

2. The privacy improvement is fuzzy and difficult to understand. In the extreme
case, such as when there's only one nullifier in the block, there's no
improvement over the current Shielded CSV version.

But I agree, if possible without significant drawbacks, this privacy leak should
be mitigated.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/14b8d064-1097-4cc5-a0f4-56bbd4f9417b%40gmail.com.
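The message above describes three things a practitioner may want to see concretely: a full node scanning blocks for 64-byte nullifiers and committing them to a "nullifier accumulator", a coin carrying the exact location of its nullifier so the receiver can check inclusion and count confirmations, and the resulting linkability of two outputs of the same transaction. The toy below is an added illustration written for this archive page; it is not the Shielded CSV paper's construction and not code from the thread. The concrete accumulator design (a Merkle tree per block, committed by an outer Merkle tree over block roots), the `Location`/`Coin` types and the sample nullifiers are all assumptions made for the example, and half-aggregate signature verification is left out entirely.

```python
"""Toy nullifier accumulator (added example, not the Shielded CSV construction).

Assumed model: a full node hashes each block's 64-byte nullifiers into a Merkle
tree, and the accumulator value is the root of an outer Merkle tree over all
block roots.  A coin reveals its nullifier's (height, index) location, which is
what the receiver uses both to verify inclusion and to count confirmations.
"""
import hashlib
from dataclasses import dataclass

NULLIFIER_LEN = 64        # nullifiers are 64 bytes, as stated in the message
ZERO = bytes(32)          # padding node for odd-sized tree levels (assumption)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(nullifier: bytes) -> bytes:
    # domain-separated so a leaf can never be confused with an inner node
    return sha256(b"\x00" + nullifier)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_merkle(leaves):
    """All levels of a Merkle tree: level 0 is the leaves, the last level is [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2 == 1:
            lvl.append(ZERO)
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def merkle_root(levels):
    return levels[-1][0] if levels[-1] else ZERO


def merkle_path(levels, index):
    """Sibling hashes from leaf `index` up to the root, tagged with whether the sibling is on the left."""
    path = []
    for lvl in levels[:-1]:
        path.append((lvl[index ^ 1], index % 2 == 1))
        index //= 2
    return path


def merkle_fold(leaf, path):
    """Recompute the root from a leaf and its sibling path."""
    h = leaf
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h


@dataclass(frozen=True)
class Location:
    height: int   # block that contains the nullifier
    index: int    # position of the nullifier within that block


@dataclass(frozen=True)
class Coin:
    nullifier: bytes
    location: Location   # the coin reveals exactly where its nullifier sits
    amount: int


class NullifierAccumulator:
    def __init__(self):
        self.block_trees = []

    def add_block(self, nullifiers):
        """Per block, a full node collects the 64-byte nullifiers and commits to them."""
        for n in nullifiers:
            if len(n) != NULLIFIER_LEN:
                raise ValueError("nullifier must be 64 bytes")
        self.block_trees.append(build_merkle([leaf_hash(n) for n in nullifiers]))
        return self.value()

    def _outer(self):
        return build_merkle([merkle_root(t) for t in self.block_trees])

    def value(self):
        """The accumulator value a light client would fetch alongside a validity proof."""
        return merkle_root(self._outer())

    def prove(self, loc):
        """Inclusion proof for the nullifier at `loc`, valid against the current value()."""
        return merkle_path(self.block_trees[loc.height], loc.index), merkle_path(self._outer(), loc.height)

    def confirmations(self, coin):
        """The revealed location is what lets a receiver count confirmations."""
        return len(self.block_trees) - coin.location.height


def verify_inclusion(coin, proof, acc_value):
    inner, outer = proof
    block_root = merkle_fold(leaf_hash(coin.nullifier), inner)
    return merkle_fold(block_root, outer) == acc_value


def linkable(a, b):
    """Outputs of one transaction share a nullifier location, so they are trivially linked."""
    return a.location == b.location


def demo():
    acc = NullifierAccumulator()
    block0 = [bytes([i]) * NULLIFIER_LEN for i in (1, 2, 3)]   # constructed sample nullifiers
    block1 = [bytes([i]) * NULLIFIER_LEN for i in (10, 11)]
    acc.add_block(block0)
    tip = acc.add_block(block1)
    loc = Location(height=1, index=0)
    coin_a, coin_b = Coin(block1[0], loc, 5), Coin(block1[0], loc, 7)  # two outputs of one tx
    proof = acc.prove(loc)
    return (verify_inclusion(coin_a, proof, tip),
            verify_inclusion(Coin(bytes(NULLIFIER_LEN), loc, 5), proof, tip),
            linkable(coin_a, coin_b),
            acc.confirmations(coin_a))


if __name__ == "__main__":
    print(demo())  # (True, False, True, 1)
```

Two properties of the message show up directly: a wallet only has to remember the small `Location` of each received coin (the ~60-bit figure in the message) rather than a 256-bit hash, and a proof is only valid against the accumulator value it was built for, so a receiver re-proves against the current value after every block, which is exactly the light-client cost the message alludes to.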