path: root/99/5ad0da6c23dfb6ac4c420e17a4358181e3567e

Delivery-date: Sat, 21 Dec 2024 06:26:32 -0800
Received: from mail-qt1-f187.google.com ([209.85.160.187])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBDDJ7LVFRIHRBDVATO5QMGQEZYNK45Y@googlegroups.com>)
	id 1tP0R5-0001vi-8F
	for bitcoindev@gnusha.org; Sat, 21 Dec 2024 06:26:31 -0800
Received: by mail-qt1-f187.google.com with SMTP id d75a77b69052e-467a0a6c846sf65688261cf.1
        for <bitcoindev@gnusha.org>; Sat, 21 Dec 2024 06:26:30 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1734791184; cv=pass;
        d=google.com; s=arc-20240605;
        b=Gd9mD/qMhq/wlvNn2vToetZveGRakOjlsfsCbaGhOQOQo0RsYP7hGpgQWRhjQYeCv8
         EpQxIxYkWHOASvg+LuqQMN7QbIcPKoOZn3MHDQ0hxacuGYTmljatJy1VOqhsK2pQLJdo
         WuL2t7ASHqgvhxWUI1tdXlycZWTroZmEpL1N25s3XWH2iXakspCoRzdhZYQTs8To061R
         mHEwwoQVpvy1iek1pQc0IH2gXWlW6Jvc8LDy4jUKN+frkDlldPlpYbvMKCL52T13+5je
         oGbAq6PdJXsK8hhi9AqHfXx9vtKSe86jZrfbqWZk14sFpo1OrzAmDz2+eWOZMXCQfXVS
         cttg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:to:subject:message-id:date:from
         :mime-version:sender:dkim-signature;
        bh=UeEqfRUCFmj9/OHnkY+QsSxmRK2wDM1PY40KHV0FcW4=;
        fh=iyimZC6ud0HGfoahwsxVeQiitFHKUidxeSk3tsgF0W4=;
        b=IeAaOZegsBW1vmG1yy1PepFidm3jW/cFB7IYQCUsGV+g2EX9Cs8VPBepYJH1MFCzBt
         1adGlpWJOzaNnjbqn3ZgThvIaLysxKs4qgVJmqpRXAvAviUQ4VOEwzpuMJOkk/EZ7PQV
         GtAheCh6bag0noUm0Q6jCwZBAhq8ykkMQ+Cj8quJ6t8WCB04gOT3aQOsrYB4uQtPRF+f
         JMHpi4om/mrkZ9+8cT7IOgFPWdPyXRs66a7egDkk65LKkwoCogXxi7WoFAqmjpASKiL3
         6RKEeco4UDRQQ50PVNy/7BoSwfx+iojEUc6/oJuuGOcTFVBEkqCmieMIys9j6rs2TzV1
         DnvQ==;
        darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@woobling.org header.s=google header.b=ScO4pTMN;
       spf=none (google.com: nothingmuch@woobling.org does not designate permitted sender hosts) smtp.mailfrom=nothingmuch@woobling.org;
       dara=pass header.i=@googlegroups.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1734791184; x=1735395984; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:to:subject:message-id:date:from:mime-version
         :sender:from:to:cc:subject:date:message-id:reply-to;
        bh=UeEqfRUCFmj9/OHnkY+QsSxmRK2wDM1PY40KHV0FcW4=;
        b=wRRLZvbTIoLShEdcWYW66Oi5ysRDF4+pOAi1dg5juWXw39d72ThBJMbh+SD/quZHVZ
         ZJD1px2CHkyblfV8dKKgekOIT//V+dkrZCzPstXX5n4qaa4QeWSxX2esu1frILvqFYx2
         t673X1CAZJ1lU6OlYVsczxayHh4jLYwIN6N7ZTHZpbakUuGWd7x6rgMW4VR07eeTxtL4
         DabgpO04+tPwuGusclpeGk5Ws/1ctLoWmTbli5SunYAD2dmMC8l+0P0RmhA3c+pWlV5R
         Z4LASCLmATSe399YZsNqHR+XAjtdZ00oJ91w8yT+ixNnU8yCtSDnL6AgMQhc0Ulnzu0j
         YT6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1734791184; x=1735395984;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:to:subject:message-id:date:from:mime-version
         :x-beenthere:x-gm-message-state:sender:from:to:cc:subject:date
         :message-id:reply-to;
        bh=UeEqfRUCFmj9/OHnkY+QsSxmRK2wDM1PY40KHV0FcW4=;
        b=uk1hglL/+op3UDkqtJLJMq4cYCtvjXVLg5aGsS7ediu5P7gHQbdRC003PEgdA+nMqJ
         wK98PJ4PV9Ck9Kz+noWToGTLSadMYwAXQBTDWR/ifsp8FxUNe1g53SUHTuMJUD/us9Ht
         y+MWdv7GZyt01SXq+pgJel0OToAluwtY2vuVryQToB/V/mvC3hrkc+ffHx02YrJHsZms
         jifyvWOp3qCjNOQAydxYn/2OpXJJP+OMyARrdwP4mnUUkH9RgP8sslYkeDeBhCqpCQar
         5y4w/aADPeZ3e87yV87oUSNkQKpA3TNBbj/CKKiimC31GhKb0GpJqr7Ee0YMi3MD5qDe
         zEOg==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCW9ZenL00nzErogLymOex8ZMZ0cTTIWekM676/ueXqpw+mvw7LpeYlWON3r7a4/PRwutPC2yVb0ayn7@gnusha.org
X-Gm-Message-State: AOJu0Yx+8YWLiDjHpiPNx8pS6Mll3rb7bMah7LY7qq44ESm9tylzCXBt
	BbI6Bmm1nzMH8OTirJiysbA2PfK66maNL0tYCv5QOmRmR50tuUN6
X-Google-Smtp-Source: AGHT+IElIhFPGIGco5+ZRMI64+qyi3JI7br6/2wWbjeTYAetUwiidWBPMjQ5xxlBLM90MmyhSjBZjA==
X-Received: by 2002:ac8:59c4:0:b0:467:6b59:423 with SMTP id d75a77b69052e-46a4a9a4378mr116620331cf.55.1734791184493;
        Sat, 21 Dec 2024 06:26:24 -0800 (PST)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:ac8:4609:0:b0:468:f965:339d with SMTP id d75a77b69052e-46a3b07bccdls44601751cf.0.-pod-prod-09-us;
 Sat, 21 Dec 2024 06:26:22 -0800 (PST)
X-Received: by 2002:a05:620a:1790:b0:7b6:cb4c:10e8 with SMTP id af79cd13be357-7b9ba716c09mr1061332585a.11.1734791179554;
        Sat, 21 Dec 2024 06:26:19 -0800 (PST)
Received: by 2002:a05:620a:22a:b0:7b6:d314:a4e5 with SMTP id af79cd13be357-7b9b9633366ms85a;
        Sat, 21 Dec 2024 06:16:24 -0800 (PST)
X-Received: by 2002:a05:600c:3b23:b0:434:a525:7257 with SMTP id 5b1f17b1804b1-43668b49a05mr50984885e9.21.1734790582701;
        Sat, 21 Dec 2024 06:16:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1734790582; cv=none;
        d=google.com; s=arc-20240605;
        b=OqsPAPyI1jmbdvKFd6kuDn+z4AqPyL3i1qyQ1BzTgI4mPXxD6b+xG8XBV5RhfrM4ln
         dPEHx0YUozREeaT0fP5llMMix/GWw+vB9Zxzgkg7TYAa42lcOEOqnbudYsCB/QyyMYlq
         ene6HxM65dJ973qvyWYhgFnv/9bKhNQBAipRmF3WafW1ex2rf0t07SaMTrNYWc+RGDAF
         WRjeKvBGm8R45UBFuKFoObvSa6NzoitxBVEXSaFul2VkNOiVQMxBaqZlSM3od9eEytXI
         0SUsMz9ghNFEPm3CgBdpSwWefq2WHkDlhuZiKDmqhql5YKQcpbC3x6L58Y02yal3ruB/
         jndg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=to:subject:message-id:date:from:mime-version:dkim-signature;
        bh=/Jom5Znrw/ZzI99w4otSKRzMCZLg52T2WAl/MuFQcbA=;
        fh=DMP0F9ULS1guKiqimntQRCN8ZraraesEgQuVcn7F0Z0=;
        b=HlRDLdfwVqHVqLY5yZfEUlOsy3u6nyiiqrRkKPs4aWMkSYVFmOXzxNCkO9rXJVCT85
         DA/vIS6GM1y/5zHNsld3nZc+0TQ6jt6jNMWXT50h8EHYiK9jOsaUYt9RiU6rhirKjS+D
         YC2yPUElr8hR1hrZ5fYWcycQqZmxfb/jxJy+QsuE86UnUO4HxK51GNAM/iNqFCajQrPN
         1uVNgRi4UUc283OKmleakC3r0fwlwsrz6Zx1Zo1Kmj9IFw/nfVXTyo+sNuW/HZmvX+r1
         SNLD4Tk30Y3ZKoKbBT1mOYxqbFNndh08YDuxuupDyUD5BL/A1IKc3aToNSMNTLLveuLh
         lcLw==;
        dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       dkim=pass header.i=@woobling.org header.s=google header.b=ScO4pTMN;
       spf=none (google.com: nothingmuch@woobling.org does not designate permitted sender hosts) smtp.mailfrom=nothingmuch@woobling.org;
       dara=pass header.i=@googlegroups.com
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com. [2a00:1450:4864:20::22c])
        by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-4364b058038si7604405e9.1.2024.12.21.06.16.22
        for <bitcoindev@googlegroups.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sat, 21 Dec 2024 06:16:22 -0800 (PST)
Received-SPF: none (google.com: nothingmuch@woobling.org does not designate permitted sender hosts) client-ip=2a00:1450:4864:20::22c;
Received: by mail-lj1-x22c.google.com with SMTP id 38308e7fff4ca-30167f4c1e3so30601681fa.3
        for <bitcoindev@googlegroups.com>; Sat, 21 Dec 2024 06:16:22 -0800 (PST)
X-Gm-Gg: ASbGnctwdme7pWKl9gi1qUa36rAuvGYpH6oiHWXBVPtEGS0naz8o4d3RfmfSRGxWp1w
	szvkwuwozW4hqi8lpo2nHRIVloOZtEiva5bYAFQ==
X-Received: by 2002:a05:6512:230d:b0:53f:8c46:42bb with SMTP id
 2adb3069b0e04-5422955ff80mr1815982e87.40.1734790580325; Sat, 21 Dec 2024
 06:16:20 -0800 (PST)
MIME-Version: 1.0
From: Yuval Kogman <nothingmuch@woobling.org>
Date: Sat, 21 Dec 2024 15:16:09 +0100
Message-ID: <CAAQdECCdRVV+3ZoJhOotKEvmUV4yrV7EYWE8SOWCE1CF9tZ6Yg@mail.gmail.com>
Subject: [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai)
 deanonymization attacks
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
X-Original-Sender: nothingmuch@woobling.org
X-Original-Authentication-Results: gmr-mx.google.com;       dkim=pass
 header.i=@woobling.org header.s=google header.b=ScO4pTMN;       spf=none
 (google.com: nothingmuch@woobling.org does not designate permitted sender
 hosts) smtp.mailfrom=nothingmuch@woobling.org;       dara=pass header.i=@googlegroups.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.8 (/)

Following the recent Wasabi & GingerWallet vulnerability report[^1]
and its "fix", I would like to bring up (reiterate, but for the first
time on the mailing lists) some broader deanonymization issues with
both Wasabi / GingerWallet and Samourai wallet's CoinJoin protocols.

These vulnerabilities were never truly discovered and consequentially
not disclosed, responsibly or otherwise, because they had always been
in the protocols. Neither team seems capable of addressing these for a
variety of reasons.

Personal disclosure: I was involved in the design of WabiSabi, as well
as its implementation but left in protest before its release. I
maintain that this software is not fit for purpose and should not be
used unless users trust the coordinators with their privacy.
Furthermore, I allege that rent seeking behavior explains the apparent
incompetence and willful ignorance, and caution against applying
Hanlon's razor too charitibly.

In regards to Wasabi/GingerWallet, especially in light of the various
"community" WabiSabi protocol coordinators, it's important to make
users aware of the degree of trust they place in these services.
Wasabi developers are still claiming that these issues are not
fixable, which is incorrect to say the least, especially considering
that when I was contributing to the project and taking for granted
that these issues would be addressed I got no pushback, nor any
indication that they did not understand the issue at the time.

Whirlpool is now defunct, but Samourai proponents are claiming that
their developers have warned about the Wasabi vulnerability, despite
the Whirlpool protocol having a more blatant and easily exploitable
version of the same category of attack, so it's worth setting the
record straight. The whirlpool client code was included in Sparrow
wallet until v1.9.0 when it was removed following the shutdown of the
whirlpool service.

[^1]: https://bitcoinops.org/en/newsletters/2024/12/13/#deanonymization-vulnerability-affecting-wasabi-and-related-software

## Preliminaries

Both protocols facilitate multiparty transaction construction,
ostensibly utilizing cryptography for privacy preserving denial of
service protection. TxOut addition requires authorization tokens, an
unblinded signature in Whirlpool's case, or an anonymous credential in
WabiSabi's, that is supposed to not be linkable to any of the client's
added TxIns.

In both protocols a malicious coordinator can trick the existing
client implementations into making fully deanonymized requests. In
Whirlpool this means a TxOut is linkable to a TxIn. In WabiSabi this
means that the set of TxOuts is  linkable to the set of TxIns of a
single client.

### Whirlpool

This is a trivial deanonymization attack reliant on the fact that the
client completely trusts the server with regards to the consistency of
the blind signing key.

In Whirlpool, the server's blind signing key is obtained by the client
by extracting it from the response to the input registration
request.[^2]

Subsequently, this key is used to make blind signing requests during
the confirmation phase.[^3]

After a blind signature is given to the client the unblinded signature
is used to request an output registration.[^4]

Because the key is not announced a priori, nor is it signed by the
participants' spending keys before output registration or signing[^5],
the server can provide each input with a unique RSA key. Since the
unblinded signatures are made by different keys, the server can learn
the mapping from inputs to outputs.

This description along with some preliminaries is also posted on github.[^6].

[^2]:  https://github.com/Archive-Samourai-Wallet/whirlpool-client/blob/99c1acc101f53fef21fbcc5d23cb05eafb7324e9/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L140-L141
[^3]: https://github.com/Archive-Samourai-Wallet/whirlpool-client/blob/99c1acc101f53fef21fbcc5d23cb05eafb7324e9/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L146
[^4]: https://github.com/Archive-Samourai-Wallet/whirlpool-client/blob/99c1acc101f53fef21fbcc5d23cb05eafb7324e9/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L185
[^5]: https://github.com/Archive-Samourai-Wallet/whirlpool-client/blob/99c1acc101f53fef21fbcc5d23cb05eafb7324e9/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java#L216
[^6]:  https://gist.github.com/nothingmuch/74d0b0bd63a2d663efce5e8a82d32bca

### WabiSabi

This affects Wasabi Wallet, and Ginger Wallet which is a fork of
Wasabi. Trezor Suite was also affected, but has subsequently removed
support for coinjoins[^18]. They too were made aware of various issues
and chose to ignore them, despite contributing the limited (read:
purely theater for privacy, only addressing hardware wallet specific
theft scenario) ownership proof verification.

Here the issue is more complex, but ultimately reduces to key
consistency as well.

In the protocol clients register their Bitcoin UTXOs independently. A
valid input registration request includes a BIP-322 ownership proof,
which commits to the so called *Round ID*. This in turn is a hash
commitment to the parameters of the round, including the server's
anonymous credential issuance parameters (analogous to a public key).

The parameters are obtained by polling the server for information
about active rounds. If inconsistent round IDs are given to clients,
this effectively partitions them, allowing deanonymization.

Although clients obtain the ownership proofs of other clients and
seemingly verify them, BIP-322 proofs verification requires knowledge
of the spent outputs `scriptPubKey` which light clients cannot obtain
on their own. This public key is included alongside the ownership
proofs, which makes their verification non-binding, the server can
generate unrelated public keys, and create ownership proofs with those
keys that commit to the per-client round IDs, which the client will
accept as valid.

This issue was described before the initial release[^7] but never
addressed. Although subsequently ownership proofs were given to
clients[^8], this change only addressed the use of ownership proofs to
identify a wallet's own inputs in a stateless signing device, without
addressing the consistency issues. Because the server provides the
public key against which unknown inputs ownership proofs must be
verified, that places them under adversarial control.

Related issues and comments I have posted over the years:

- unimplemented consistency check that does not depend on prevout also
not implemented[^9]
- no commitment to coordinator address in the round parameters[^10],
although this was temporarily fixed the fix was reverted[^11]
- additional missing fields in the round parameter commitments, and
rationale addressing tagging attacks[^12]
- initial description of blind signature based protocol, which
predates my collaboration and design of the anonymous credential based
protocol which also addresses this explicitly[^13]

Finally, although not in scope I will also note that poor coin
selection (bad randomization and de-randomization), improper
randomization of input registration timing, and tor circuit management
increase the probability of the success of such an attack, by making
it easier to target specific users. Additional concerns exist for
alternative clients due to use of JSON and HTTP in the protocol, in
the C# implementation serialization by a 3rd party JSON library, which
may canonicalize JSON differently (e.g. ordering of properties in JSON
objects), etc. Additionally, although designed with coordination fees
in mind, the anonymous credential mechanism did not enforce that
coordination fees are fair or incentive compatible (nor can it with
non-binding ownership proofs, though the main privacy concern there is
the coordinator lying about the values of other clients' prevouts
leading to poor amount decomposition), resulting in thefts of user
funds[^14][^15], but this has now been removed[^16].

Again a version of this with some preliminaries is also on github.[^17]

[^7]: https://github.com/WalletWasabi/WalletWasabi/issues/5533
[^8]: https://github.com/WalletWasabi/WalletWasabi/pull/8708
[^9]: https://github.com/WalletWasabi/WalletWasabi/issues/6394#issuecomment-920225648
[^10]: https://github.com/WalletWasabi/WalletWasabi/issues/5992
[^11]: https://github.com/WalletWasabi/WalletWasabi/pull/8708/files#diff-04b849802b4adf5b34756a49b498f2ac97247cbb64424e5a69ee64c28a7033bcR120
[^12]: https://github.com/WalletWasabi/WalletWasabi/issues/5439
[^13]: https://gist.github.com/nothingmuch/61968fde675a596758bffd4c278ac096
[^14]: https://github.com/WalletWasabi/WalletWasabi/discussions/13249
[^15]: https://bitcointalk.org/index.php?topic=5499439.msg64309927#msg64309927
[^16]: https://archive.is/xFRHO
[^17]: https://gist.github.com/nothingmuch/4d717e12e451ff4ce43474972e41c6ba
[^18]: https://blog.trezor.io/important-update-transitioning-from-coinjoin-in-trezor-suite-9dfc63d2662f

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAAQdECCdRVV%2B3ZoJhOotKEvmUV4yrV7EYWE8SOWCE1CF9tZ6Yg%40mail.gmail.com.