1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
|
Return-Path: <adam.ficsor73@gmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id ED8F9C0881
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 27 Dec 2019 18:04:04 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id E732C8630A
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 27 Dec 2019 18:04:04 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id YbtFw-DkGvH6
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 27 Dec 2019 18:04:04 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-lj1-f178.google.com (mail-lj1-f178.google.com
[209.85.208.178])
by whitealder.osuosl.org (Postfix) with ESMTPS id B992C84AF1
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 27 Dec 2019 18:04:03 +0000 (UTC)
Received: by mail-lj1-f178.google.com with SMTP id w1so5722799ljh.5
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 27 Dec 2019 10:04:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=As9w+YjOMWv2RmtyQvmYko137jh/SoABfnL7vza2PaU=;
b=OXnPOF13d3Cfl0wKVSgb7mBAswICk7PzEHsklCjQ9niX2FF0VXUhByAZRroZ4dgGZA
OXqy+eSe75PmPQeY6SpaaAyKjx6eNakm91f+3CjJzjCOe/ednYVlHs22jkMj/no10ocn
lhimRS9GuWQcOZf2IyBcpV1NrSTZW2fcuXaKYnMUzpn65tchyBW7fhTQFrvNSZu+Jd4s
82e9Pdn4EbJ6bGhUiYiRl001eBvWN6XymB/WrO3vWIrCiwQ24HC4IW0wvBKBJ+0O+Som
PoSCNJ2wYBH5eHH9H3uvv3OUDJODHAhvLMMAxb52AGzfljXw5n6qgwBq7ZYNorhYz7VU
wdCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=As9w+YjOMWv2RmtyQvmYko137jh/SoABfnL7vza2PaU=;
b=fW0dYjVUROdx+fg4qZPUULqGatcEvX9SYc9/GjZqNbE91CkiA2G0ui+vNWpFguJjPp
Av+7q6RBOAA7jmjqmlpncF7gcVBGx8WkU/k+54ZZxIvxy+CSyQM0ips9BSFgWVGQP2No
NkiV+zjHZzkFFQjS4sq5pcvNMwXfUzCSVdPU18o78frAihg6l4mNCXg9quiNlKYgp743
XFYQztxxKo58u3N9hyDY5CldHigUV+7nyfUbk6OI//0mIJeazQR3qFMbrgd+1Abd+Hez
AGqKgec+SakjV00ggtc8JSB4Fs/Z5v3KTa9kew9xMauqOBAAXs44VOXN2wX1qne8RGII
B5Pw==
X-Gm-Message-State: APjAAAWu1Yi1tOAQD+NGw4vU0Qd/V+pg2uqGyTyQ5DuVrTysZWrRDt38
lzM9CDsM+BM2RrwLjmUmSmLtsUvrBJD1xot/px628/kJLBE=
X-Google-Smtp-Source: APXvYqx8bv/XgZOM3JdRtkDhpPYrF6kqNKwbKsTUhSkE6e2o/4/KMlHnW226GWIm7m5rVtdSVx2yAEcJU4yP7m+gvL4=
X-Received: by 2002:a2e:9592:: with SMTP id w18mr28877952ljh.98.1577469841165;
Fri, 27 Dec 2019 10:04:01 -0800 (PST)
MIME-Version: 1.0
From: nopara73 <adam.ficsor73@gmail.com>
Date: Fri, 27 Dec 2019 14:03:49 -0400
Message-ID: <CAEPKjgdtgDbyLoj6FV+cjY1Djca_FBtd9Kt_eB4zWU+at=wfYQ@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000086d4cc059ab35144"
X-Mailman-Approved-At: Sat, 28 Dec 2019 01:29:33 +0000
Subject: [bitcoin-dev] Non-equal value CoinJoins. Opinions.
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 18:04:05 -0000
--00000000000086d4cc059ab35144
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
The CashFusion research came out of the Bitcoin Cash camp, thus this
probably went under the radar of many of you. I would like to ask your
opinions on the research's claim that, if non-equal value coinjoins can be
really relied on for privacy or not.
(Btw, there were also similar ideas in the Knapsack paper in 2017:
https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-trustco=
m-coinjoin.pdf
)
https://github.com/cashshuffle/spec/blob/master/CASHFUSION.md#avoiding-amou=
nt-linkages-through-combinatorics
I copy the most relevant paragraphs here:
---------BEGIN QUOTE ---------
Consider a transaction where 10 people have each brought 10 inputs of
arbitary amounts in the neighborhood of ~0.1 BCH. One input might be
0.03771049 BCH; the next might be 0.24881232 BCH, etc. All parties have
chosen to consolidate their coins, so the transaction has 10 outputs of
around 1 BCH. So the transaction has 100 inputs, and 10 outputs. The first
output might be 0.91128495, the next could be 1.79783710, etc.
Now, there are 100!/(10!)^10 ~=3D 10^92 ways to partition the inputs into a
list of 10 sets of 10 inputs, but only a tiny fraction of these partitions
will produce the precise output list. So, how many ways produce this exact
output list? We can estimate with some napkin math. First, recognize that
for each partitioning, each output will typically land in a range of ~10^8
discrete possibilities (around 1 BCH wide, with a 0.00000001 BCH
resolution). The first 9 outputs all have this range of possibilities, and
the last will be constrained by the others. So, the 10^92 possibilies will
land somewhere within a 9-dimensional grid that cointains (10^8)^9=3D10^72
possible distinct sites, one site which is our actual output list. Since we
are stuffing 10^92 possibilties into a grid that contains only 10^72 sites,
then this means on average, each site will have 10^20 possibilities.
Based on the example above, we can see that not only are there a huge
number of partitions, but that even with a fast algorithm that could find
matching partitions, it would produce around 10^20 possible valid
configurations. With 10^20 possibilities, there is essentially no linkage.
The Cash Fusion scheme actually extends this obfuscation even further. Not
only can players bring many inputs, they can also have multiple outputs.
---------END QUOTE ---------
--=20
Best,
=C3=81d=C3=A1m
--00000000000086d4cc059ab35144
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">The CashFusion research came out of the Bitcoin Cash camp,=
thus this probably went under the radar of many of you. I would like to as=
k your opinions on the research's claim that, if non-equal value coinjo=
ins can be really relied on for privacy or not.<br><br>(Btw, there were als=
o similar ideas in the Knapsack paper in 2017:=C2=A0<a href=3D"https://www.=
comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-trustcom-coinjoin.p=
df">https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-tru=
stcom-coinjoin.pdf</a>=C2=A0)=C2=A0<br><br><a href=3D"https://github.com/ca=
shshuffle/spec/blob/master/CASHFUSION.md#avoiding-amount-linkages-through-c=
ombinatorics">https://github.com/cashshuffle/spec/blob/master/CASHFUSION.md=
#avoiding-amount-linkages-through-combinatorics</a>=C2=A0=C2=A0<br><br>I co=
py the most relevant paragraphs here:<br clear=3D"all"><div><br>=C2=A0 ----=
-----BEGIN QUOTE
---------=C2=A0<br>=C2=A0<br><p style=3D"box-sizing:border-box;margin-top:0=
px;margin-bottom:16px;color:rgb(36,41,46);font-family:-apple-system,BlinkMa=
cSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Col=
or Emoji","Segoe UI Emoji";font-size:16px">Consider a transa=
ction where 10 people have each brought 10 inputs of arbitary amounts in th=
e neighborhood of ~0.1 BCH. One input might be 0.03771049 BCH; the next mig=
ht be 0.24881232 BCH, etc. All parties have chosen to consolidate their coi=
ns, so the transaction has 10 outputs of around 1 BCH. So the transaction h=
as 100 inputs, and 10 outputs. The first output might be 0.91128495, the ne=
xt could be 1.79783710, etc.</p><p style=3D"box-sizing:border-box;margin-to=
p:0px;margin-bottom:16px;color:rgb(36,41,46);font-family:-apple-system,Blin=
kMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple =
Color Emoji","Segoe UI Emoji";font-size:16px">Now, there are=
100!/(10!)^10 ~=3D 10^92 ways to partition the inputs into a list of 10 se=
ts of 10 inputs, but only a tiny fraction of these partitions will produce =
the precise output list. So, how many ways produce this exact output list? =
We can estimate with some napkin math. First, recognize that for each parti=
tioning, each output will typically land in a range of ~10^8 discrete possi=
bilities (around 1 BCH wide, with a 0.00000001 BCH resolution). The first 9=
outputs all have this range of possibilities, and the last will be constra=
ined by the others. So, the 10^92 possibilies will land somewhere within a =
9-dimensional grid that cointains (10^8)^9=3D10^72 possible distinct sites,=
one site which is our actual output list. Since we are stuffing 10^92 poss=
ibilties into a grid that contains only 10^72 sites, then this means on ave=
rage, each site will have 10^20 possibilities.</p><p style=3D"box-sizing:bo=
rder-box;margin-top:0px;margin-bottom:16px;color:rgb(36,41,46);font-family:=
-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-=
serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16=
px">Based on the example above, we can see that not only are there a huge n=
umber of partitions, but that even with a fast algorithm that could find ma=
tching partitions, it would produce around 10^20 possible valid configurati=
ons. With 10^20 possibilities, there is essentially no linkage. The Cash Fu=
sion scheme actually extends this obfuscation even further. Not only can pl=
ayers bring many inputs, they can also have multiple outputs.</p>---------E=
ND QUOTE
---------
</div>-- <br><div dir=3D"ltr" class=3D"gmail_signature" data-smartmail=3D"g=
mail_signature"><div dir=3D"ltr"><div><div dir=3D"ltr"><div><div dir=3D"ltr=
"><div><div><span style=3D"font-size:13.3333339691162px">Best,<br>=C3=81d=
=C3=A1m</span></div></div></div></div></div></div></div></div></div>
--00000000000086d4cc059ab35144--
|
