From: Yuval Kogman
Date: Mon, 6 Jan 2025 15:30:24 +0100
Subject: Re: [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai) deanonymization attacks
To: Sjors Provoost
Cc: Bitcoin Development Mailing List
On Mon, 6 Jan 2025 at 14:08, Sjors Provoost wrote:

> Do we know based on observations or published server-side code whether
> this key was:
> 1) the same for all time; or
> 2) unique for each round; or
> 3) unique for each registration request
>
> In case of (1) and (2) it would have been possible to detect a targeted* attack,
> of course only if you were on the lookout.

Only (2) would be correct behavior. If (3) was performed, then that is just the tagging attack. If (1) was done, then that would have allowed clients to stockpile blind signatures in earlier rounds, and register excess outputs during the output registration phase of later ones to disrupt them (Wasabi 1 had this bug FWIW).

If the archived code is considered reliable, then it seems (2) was the implemented behavior:
https://github.com/Archive-Samourai-Wallet/whirlpool-server/blob/develop/src/main/java/com/samourai/whirlpool/server/beans/Mix.java#L67

> Perhaps if the app kept sufficient logs, it would still be possible to retroactively
> check this.

I'm not aware of any such observation efforts. They would require modifying the client; at least with the archived version that I saw, the `blindingParams` member is not used that way (there are other debug logs in the whirlpool client, but not with this data).

However, since the public key is only given in response to input registration, i.e. after the server has learned of the intended UTXO, and because in many cases an xpub linking that coin may have also been revealed to the server, and the server controls the grouping of coins into sets of 5, it seems to me that if it was controlled by a rational attacker it would not use the overt key tagging attack when covert ways of deanonymizing are available and just as effective.

> * = I'm thinking of an active attacker who wants to track specific UTXOs.
> They could preemptively "persuade" the coordinator server to provide
> a different RSA key or round ID if they ever try to join a round.

While this is certainly possible, maintaining plausible deniability is easier if the server merely maliciously controls the placement of UTXOs, ensuring that targeted UTXOs end up only with xpub-revealed and/or adversary-controlled peers.

> Are these round IDs logged by clients?

In the case of Wasabi, both my recollection and a cursory search indicate that yes:
https://github.com/WalletWasabi/WalletWasabi/blob/42e7963d7fffc7f8f37fd9b6e8973235859ee7fb/WalletWasabi/WabiSabi/LoggerTools.cs#L36

I did not check in detail where this information is logged, and I don't think a list of all published round IDs is logged.

I would not encourage users to share such logs, or their data, without careful consideration. Even if logs were scrubbed, revealing a/the set of rounds in which a user participated can significantly harm privacy, especially since participation in rounds and coin selection does not take into account history intersection attacks.

See also these issues re log scrubbing:
https://github.com/WalletWasabi/WalletWasabi/issues/6770
https://github.com/WalletWasabi/WalletWasabi/issues/6670
(the first was closed without fixing, deemed a duplicate of the 2nd; I'd say it isn't, and the 2nd is still open...)

One of the developers still working on Wasabi indicated that there will finally be some efforts to mitigate this class of attack:

1. redundant queries from isolated Tor circuits of the round status information where round IDs are published, and consistency checks for the data returned
2. use of deterministic shuffling in the transaction, ensuring that signatures can only be aggregated in the absence of equivocation (assuming the corresponding Lehmer code has enough bits of entropy)

Since round IDs are published ahead of time in the status requests, and clients explicitly choose which round to join before revealing any of their intended inputs, the first mitigation is straightforward and would present a significant barrier.

--
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAAQdECCq5n7zkRJboVwjLMWkGUP7-G2U7tK4Ekf5M9NqLypLQA%40mail.gmail.com
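A client-side sketch of the first mitigation above (comparing round-status responses fetched over isolated Tor circuits), added here as an example; it is not code from Wasabi, Whirlpool or the message's author. The response shape ({round_id: blinding-key fingerprint}) and the sample responses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: the round-status response each isolated Tor circuit
# received from the coordinator, reduced to {round_id: blinding_key_fingerprint}.
# Circuit 3 is shown a round ("round-z") that the other circuits never see.
STATUS_BY_CIRCUIT = {
    "circuit-1": {"round-a": "fp-a", "round-b": "fp-b"},
    "circuit-2": {"round-a": "fp-a", "round-b": "fp-b"},
    "circuit-3": {"round-a": "fp-a", "round-b": "fp-b", "round-z": "fp-z"},
}


def check_round_consistency(status_by_circuit):
    """Compare the round list and per-round blinding key across circuits.

    Returns (consistent, findings). A round offered on only some circuits, or
    whose key differs between circuits, means the coordinator is equivocating
    about round state, which is how a tagging attempt looks from the client.
    """
    circuits = sorted(status_by_circuit)
    keys_by_round = defaultdict(dict)
    for circ, rounds in status_by_circuit.items():
        for round_id, fingerprint in rounds.items():
            keys_by_round[round_id][circ] = fingerprint

    findings = []
    for round_id in sorted(keys_by_round):
        seen = keys_by_round[round_id]
        missing = [c for c in circuits if c not in seen]
        if missing:
            findings.append(f"{round_id}: not offered on {missing}")
        if len(set(seen.values())) > 1:
            findings.append(f"{round_id}: blinding key differs across circuits {seen}")
    return (not findings, findings)


def joinable_rounds(status_by_circuit):
    """Rounds every circuit agrees on (same ID and same key); only these are safe to join."""
    views = list(status_by_circuit.values())
    if not views:
        return []
    # Intersecting (round_id, fingerprint) pairs drops rounds with mismatched keys too.
    common = set.intersection(*(set(v.items()) for v in views))
    return sorted(round_id for round_id, _ in common)


if __name__ == "__main__":
    consistent, findings = check_round_consistency(STATUS_BY_CIRCUIT)
    print("consistent:", consistent, findings)
    print("joinable:", joinable_rounds(STATUS_BY_CIRCUIT))
```

With the sample data the check flags round-z as offered on only one circuit, and a client would restrict itself to round-a and round-b.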