From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1W3lLl-0003e9-CD for bitcoin-development@lists.sourceforge.net; Thu, 16 Jan 2014 11:43:05 +0000 X-ACL-Warn: Received: from mout.perfora.net ([74.208.4.195]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1W3lLj-000647-Hq for bitcoin-development@lists.sourceforge.net; Thu, 16 Jan 2014 11:43:05 +0000 Received: from netbook (c107-70.i07-27.onvol.net [92.251.107.70]) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis) id 0Lm2Pp-1VU9Pa0PwH-00ZjQ5; Thu, 16 Jan 2014 06:42:53 -0500 Received: by netbook (Postfix, from userid 1000) id 8EF482E283F; Thu, 16 Jan 2014 12:42:44 +0100 (CET) Received: by flare (hashcash-sendmail, from uid 1000); Thu, 16 Jan 2014 12:42:43 +0100 Date: Thu, 16 Jan 2014 12:42:42 +0100 From: Adam Back To: Jeremy Spilman Message-ID: <20140116114242.GA30432@netbook.cypherspace.org> References: <20140113133746.GI38964@giles.gnomon.org.uk> <20140114225321.GT38964@giles.gnomon.org.uk> <20140115230901.GA25135@netbook.cypherspace.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Hashcash: 1:20:140116:jeremy@taplink.co::sbT/LB1fql5x8tCx:00000000000000000000 0000000000000000000000000XDD X-Hashcash: 1:20:140116:jgarzik@bitpay.com::K/iCAWXoqqX3kqC5:0000000000000000000 0000000000000000000000004L/M X-Hashcash: 1:20:140116:bitcoin-development@lists.sourceforge.net::Mu0wJJ6mYhUzH Hmg:000000000000000000002Kqg X-Hashcash: 1:20:140116:adam@cypherspace.org::00fXrqCYw3FoWG3F:00000000000000000 0000000000000000000000001Ce7 X-Provags-ID: V02:K0:VwPg2+On5kD/xriPh5ukXQ6X2REXOGKnwD8u8v8V1ZD tL+ngKdupGuDpRztyumUq0W8lWh/nGG6CLQFmkgEXqq+hA/6H0 JiDd2KCinGgT7AjLNNPxHDZ1UFN5ZkzMpadUIUYR8nOw+oZS3d e3qrB3rTBUA/YGuyjSfLQ99L4OQ11eerSV2OqqKiAsv0RmEh8F YPCIZPK/rnoZSqZVr7zykk8zFv8D7nvzw90XV/SNlBV7Pu979F cUZna0hItr0MX2KNciPoJgyTRCUGr8Zj5PxMU78R0dmITUpCtf hmZiV8JUWhrUUy3SYknoNJtgEjCd8Io3V+DZy+9Xz6eCzgTr1p /pV7einTMXU1evdpoLCuCE7Js92ieFp11+Fe0/Vvh X-Spam-Score: -0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [74.208.4.195 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record X-Headers-End: 1W3lLj-000647-Hq Cc: "bitcoin-development@lists.sourceforge.net" Subject: Re: [Bitcoin-development] unlinakble static address? & spv-privacy (Re: Stealth Addresses) X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 11:43:05 -0000 On Wed, Jan 15, 2014 at 05:02:10PM -0800, Jeremy Spilman wrote: >The second pubKey is useful [...] even just being able to scan for >transactions yourself without keeping bitcoin-encumbered private keys >decrypted in memory. Agreed. >On Wed, 15 Jan 2014 15:09:01 -0800, Adam Back wrote: >>But I think its moderately expensive for the full node because it has to >>do a DH calculation per transaction and its not precomputable so there is >>IO per query. (In the P version in fact only payments which are thereby >>reconizable as unlinkable static need to be processed). > >And of course, if you have multiple reuseable addresses, then you're >doing this calculation separately to check each one. > >So the load on a popular centralized service would be quite high, >which you may consider a feature. Well only a linear increase, which is not any kind of realistic security defense for even an academic researcher analysing flows. More concern is that it could be expensive enough discourage adoption by full-nodes as an open/free service to support SPV clients in finding their reusable address payments. Its possibly an I/O DoS multiplier: send requests to the full nodes at a moderate network rate and and watch as its disk thrashes. >But I think it's great people can choose how to trade privacy for >computation/bandwidth however they want, and services can compete to >offer monitoring for 0+ bit prefixes. Its not a decision with user localised effect. If most users use it with parameters giving high elimination probability, that affects everyone else's privacy also. Also statistical effects are accumulative as more plausibly related addresses are eliminated at each potentially linked transaction. I think once the network flow analysis guys are done with incorporating it, and if reusable addresses saw significant use, my prediction is the result will be pretty close to privacy game over and it will undo most if not all of the hard-won privacy benefit of CoinJoin. (Recalling CoinJoin is only adding a bit or two of entropy per join, this elimination effect could easily undo more than that). >>(And also there is proposed a version of the prefix computed via >>brute-force to make it somewhat stealthy still). > >I think in this case the hash grinding of the prefix would only being >used if thats how transactions are being indexed. I don't think it >adds any privacy, it's just added work we're forced to do in order >for the prefix to work as designed. The point of the stealth security objective is to avoid creating a new and smaller anonymity set. If all reusable addresses are easily recognizable as reusable, thats far more revealing and useful to the network flow analysis. Adam