From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1W3ksJ-0005sD-Jc for bitcoin-development@lists.sourceforge.net; Thu, 16 Jan 2014 11:12:39 +0000 X-ACL-Warn: Received: from mout.perfora.net ([74.208.4.194]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1W3ksI-0000aA-58 for bitcoin-development@lists.sourceforge.net; Thu, 16 Jan 2014 11:12:39 +0000 Received: from netbook (c107-70.i07-27.onvol.net [92.251.107.70]) by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis) id 0Lh74Z-1VWpyA2Itj-00oO25; Thu, 16 Jan 2014 06:12:30 -0500 Received: by netbook (Postfix, from userid 1000) id 66C522E283F; Thu, 16 Jan 2014 12:12:23 +0100 (CET) Received: by flare (hashcash-sendmail, from uid 1000); Thu, 16 Jan 2014 12:12:21 +0100 Date: Thu, 16 Jan 2014 12:12:20 +0100 From: Adam Back To: Drak Message-ID: <20140116111220.GA30175@netbook.cypherspace.org> References: <20140113133746.GI38964@giles.gnomon.org.uk> <20140114225321.GT38964@giles.gnomon.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Hashcash: 1:20:140116:drak@zikula.org::xrBmlJr1Yn3YM38e:00155f X-Hashcash: 1:20:140116:jeremy@taplink.co::qBWoLiJLj7uw+J3f:00000000000000000000 0000000000000000000000002nh2 X-Hashcash: 1:20:140116:bitcoin-development@lists.sourceforge.net::Ju9jeGW7FSrhi zMd:000000000000000000009lsD X-Hashcash: 1:20:140116:adam@cypherspace.org::Q1yQ1+8lKvzXkRYS:00000000000000000 0000000000000000000000000fSc X-Provags-ID: V02:K0:IVPimoDEfjYfK8x5+9G+TjhcHoNTV3ErfPP8sBu8CbI tPhWgxqDfdkGMHlC+AM+bO869RDYjzaaBgqA4Z8jzsCPz11sO/ BowKs0H2hnPZ6QGllHjPc184jekBeHA9Dtg46Ezovykf/UWUGH wEz3gPI+QsIMlqIImyq7iS5tmdWeAj5S0Jx17e+6WRm4JRywq4 ppSEiEkqkUir5Wcb+ikMIZTCovTyha9WD63DAtA3om0yiKVcj+ XFWHvMkr9aFH6vpLYuKvrdH8C/KOAej0pHXF9oI45qlXko/Zp7 RXuvGvrj4OtpJ5v8IBF/+BDuz/lR4rJUWV8yr+fbWR73+W2RrK SwPRLXl3Esa5aFYbA1Va2+ORm3+LwaXabykUvHooQ X-Spam-Score: 2.9 (++) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [74.208.4.194 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 2.9 FH_RANDOM_SURE SARE Random in one rule. X-Headers-End: 1W3ksI-0000aA-58 Cc: "bitcoin-development@lists.sourceforge.net" Subject: [Bitcoin-development] reusable address privacy problems & fuzzy bait limitations (Re: Stealth Addresses) X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 11:12:39 -0000 On Thu, Jan 16, 2014 at 10:14:24AM +0000, Drak wrote: > On 16 January 2014 00:05, Jeremy Spilman <[1]jeremy@taplink.co> wrote: > > Might I propose "reusable address". > > The problem is all addresses are reusable and to an average user, > addresses are already reusable so there is little to distinguish the > address format. > It might be better to call it a "public address" in common terminology. Yeah I called my variant "(unlinkable) public" but I also think I prefer Jeremy's "reusable address" which has the added bonus of being yet another implied admonishment not to reuse the non-reusable ones :) Anyway my primary concern so far is that the reusable addresses/(unlinkable) public addresses are actually worse for privacy than SPV bloom mechanism by any reasonable definition. So I think we have some work to do yet, on a tough problem which may not have an efficient index precomputable solution (or a solution period.) I would also have been promoting this as an alternative solution to bloom privcy mechanism and address-reuse, if I could've found a mechansim for the unlinkable public proposal... Whats different so far I think is that Peter just went with it anyway despite that problem, where as I put it in the pile of interesting but not quite workable for privacy reasons ideas. (Bearing in mind that my bloom bait concept is the same as the prefix concept so I had functional equivalence). The additional feature of Peter's variant is to stealthify the payment, which I do think is a useful additioanl consideration, however as I said I think its fair to say it so far largely fails to do that, because the exposed P parameter. (And using the input instead of the P parameter breaks CoinJoin, which is also thereby damaging to privacy). So also about Greg Maxwell's improved prefix/bloom bait (lets call it fuzzy bloom bait), while I agree that H(nonce)[rand(32)] ^ prefix is an interesting incremental improvement, over raw bloom bait/prefix (with an example 8-bit prefix, and [] being byte index, ^=xor), it is index-precomputable, but it still publicly allows statistical elimination which is still nearly as dangerous in lieu of the remarkable success people have had doing statistical network flow analysis. ie with probability (255/256)^32=88% it eliminates you as a payee of any given reusable payment. (And that effect remains with any parameter set and conflicts with bandwidth efficiency for the requestor - ie lower elimination probability seems unavoidably to imply higher false positive match, right down to the point of downloading the entire set, giving with 0 probability). Thinking-hats time people. (As I said I still like reusable-addr for full-node recipient scenarios.) Adam