path: root/40/a0c560d3043881bdd1ed8fbf26ef3b5aae6625

Return-Path: <max@towardsliberty.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 3AE7DC0012
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 30 Mar 2022 11:58:46 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 29CD1843B8
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 30 Mar 2022 11:58:46 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -0.351
X-Spam-Level: 
X-Spam-Status: No, score=-0.351 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
 RCVD_IN_BL_SPAMCOP_NET=1.347, SPF_HELO_NONE=0.001, SPF_NONE=0.001]
 autolearn=no autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new); dkim=neutral
 reason="invalid (public key: not available)"
 header.d=towardsliberty.com
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id L3pN-qy5yKU8
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 30 Mar 2022 11:58:45 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from subsea-epitome.host4coins.net (subsea-epitome.host4coins.net
 [185.150.162.112])
 by smtp1.osuosl.org (Postfix) with ESMTPS id D2668842ED
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 30 Mar 2022 11:58:44 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by subsea-epitome.host4coins.net (Postfix) with ESMTP id CBC8E81936
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 30 Mar 2022 11:58:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
 towardsliberty.com; h=content-transfer-encoding:content-type
 :content-type:subject:subject:from:from:content-language
 :user-agent:mime-version:date:date:message-id; s=default; t=
 1648641470; x=1650455871; bh=JWjDeGwIQhXGjS58mNL/Xg8Wx840APlXZLX
 p9HuaPmc=; b=fU49lzZvxV8ne7LrPMz9vlImbO9eX28y//oSOnfZYf0aAEmfttP
 vTbcFY8hYRSDXK0U93TDf7Msg9xfZouLcKVpbH74LL7EatEqMs/8CPDpDGbJhkvd
 gQAutXHQeqsqeJw/937u5qJzVW0pKy/wRs6g7Nnc3SdsjYB9109uqPCs=
X-Virus-Scanned: Debian amavisd-new at subsea-epitome.host4coins.net
Received: from subsea-epitome.host4coins.net ([127.0.0.1])
 by localhost (subsea-epitome.host4coins.net [127.0.0.1]) (amavisd-new,
 port 10026)
 with LMTP id m3CtxXKnIEOw for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 30 Mar 2022 11:57:50 +0000 (UTC)
Received: from [10.137.0.32] (tor-exit-01.darklab.sh [89.58.27.84])
 (Authenticated sender: max@towardsliberty.com)
 by subsea-epitome.host4coins.net (Postfix) with ESMTPSA id 5245481726
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 30 Mar 2022 11:57:50 +0000 (UTC)
Message-ID: <fd3a433b-9e95-194e-bf91-47b61f981d1b@towardsliberty.com>
Date: Wed, 30 Mar 2022 13:57:47 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.7.0
Content-Language: en-US
From: Max Hillebrand <max@towardsliberty.com>
To: bitcoin-dev@lists.linuxfoundation.org
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 30 Mar 2022 13:11:52 +0000
Subject: [bitcoin-dev] WabiSabi P2EP / Wormhole 2.0
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 11:58:46 -0000

Hello List,

tl;dr, users of WabiSabi coinjoin can pay arbitrary amounts of bitcoin, 
so that the sender does not learn the address/output of the receiver, 
and the receiver does not learn the input of the sender. This improves 
the previously proposed 'Wormhole' for Chaumian blind signature 
coinjoin, by allowing arbitrary amount payments and by reducing block 
space for change decomposition. 
https://www.mail-archive.com/bitcoin-dev@lists.linuxfoundation.org/msg08622.html


Assume that the sender and the receiver are both online and have a 
direct communication channel [P2EP]. The sender registers an input 
[let's say 1 btc value] with a third-party WabiSabi coordinator. In 
exchange, the sender receives a keyed-verified-anonymous-credential. The 
sender can present the 1 btc credential, and request a reissuance of two 
new credentials worth for example 0.3 btc and 0.7 btc. Since Pedersen 
commitments are the attributes of the KVAC, the coordinator does not 
learn any of those amounts.

Next, the sender gives the receiver through the P2EP connection the KVAC 
corresponding to the amount that is due pay. Now the receiver presents 
this credential to the coordinator, and requests a reissuance, which can 
again be split up into two credentials, for example 0.1 and 0.2. At this 
point, the sender can no longer present the old credential, the 
coordinator ensures double spending protection.

Later during output registration, the sender registers with the 
coordinator his "payment change outputs", which again can be decomposed 
client side into multiple outputs, let's say 0.5 and 0.2. Likewise, the 
receiver presents his KVACs, and registers his desired output addresses 
directly with the coordinator.

After output registration, the coordinator aggregates the PSBT with all 
registered inputs and outputs, and presents the unsigned coinjoin 
transaction to all Alices [Tor identities who registered inputs]. Since 
the sender does not know what the receivers output address is, he has to 
ask the receiver through the P2EP connection if this coinjoin is good. 
If response is ACK, then the sender signs for his inputs and registers 
the signatures with the coordinator.

If all inputs sign, we have a successful coinjoin, which includes a 
payment, where the sender never learns the address of the receiver, and 
the receiver never learns the inputs or change outputs of the sender. 
The coordinator can not differentiate users who make self-spends from 
those who do payments, this is entirely client side.


Of course the sender still knows the amount of bitcoin of the credential 
that he passed on to the receiver [the invoiced payment amount]. 
However, similar to PayJoin, the receiver can likewise register inputs 
with the coordinator in the same round. Unlike PayJoin, there are many 
other inputs who do not belong to sender or receiver, which provides the 
desired anonymity set. Such a receiver will have the KVAC originated 
from his own input[s], as well as the KVAC that the sender gave him. Two 
KVACs can be reissued to one, thus anonymous consolidation of inputs + 
payment amount is possible. Since neither the coordinator, nor the 
sender, know the input[s] of the receiver, the final amount on-chain 
[even if only one receiver output is created] does not correspond to the 
payment amount, thus the sender can not identify the output of the 
receiver based on amounts.


A blinded coinjoin coordinator is a PSBT whiteboard, where users 
purchase eCash tokens by registering inputs, and users spend eCash 
tokens in order to register outputs. Users can self-spend the eCash to 
increase anonymity set of those access rights. However, nothing prevents 
the user to make an actual eCash "payment" to someone else, effectively 
abdicating the right to register outputs. If [and only if] the final 
coinjoin has sufficient number of inputs and outputs to provide 
effective blockchain ambiguity, then the resulting payment has 
breathtaking privacy guarantees.


Skol
Max Hillebrand