[bitcoin-dev] Non-equal value CoinJoins. Opinions.

ZmnSCPxj ZmnSCPxj at protonmail.com
Sun Dec 29 10:23:39 UTC 2019


Good morning Yuval,


> Additionally (though is a broader criticism of CoinJoin based privacy and not specific to unequal amounts, and in particular refers to ZmnSCPxj's assertion of 0 linkability) I am very worried that perspectives that focus on linkability information revealed by a single coinjoin transaction in isolation. This problem was alluded in the document, to but I don't see that it was addressed. Naively the post/pre mix transaction graph would seem to present a computationally much harder problem when looking at the combinatorics through the same lens, but reality it can also be used to place many constraints on valid partitions/sub-transaction assignments for a single transaction with equal amounts. The trivial example is post mix linking of outputs, but there are many other ways to draw inferences or eliminate possible interpretations of a single transaction based on its wider context, which in turn may be used to attack other transactions.

Indeed, this is a problem still of equal-valued CoinJoin.
In theory the ZeroLink protocol fixes this by strongly constraining user behavior, but ZeroLink is not "purely" implemented in e.g. Wasabi: Wasabi still allows spending pre- and post-mix coins in the same tx (ZeroLink disallows this) and any mix change should be considered as still linked to the inputs (though could be unlinked from the equal-valued output), i.e. returned to pre-mix wallet.

> Finally, the proof as well as its applicability seems suspect to me, since seems to involve trusting the server:
> "Since the distinct list [...] [is] kept on the server and not shared with the players"
> "The server knows the linkages of the commitments but does not participate as a verifier "
> "If there is a problem [...] each component is assigned to another player at random for verification"
> these 3 statements together seems to suggest the server is trusted to not use sybils in order the compromise privacy by participating in the verification process?

Equal-valued CoinJoins fix this by using a Chaumian bank, which constrains value transfers to specific fixed amounts.
Since an equal-valued CoinJoin uses a single fixed amount anyway, it is not an additional restriction.
CashFusion cannot use the same technique without dropping into something very much like an equal-valued CoinJoin.

Regards,
ZmnSCPxj


More information about the bitcoin-dev mailing list