Subject: Re: [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai) deanonymization attacks
From: Sjors Provoost
Date: Mon, 6 Jan 2025 14:07:58 +0100
Cc: Yuval Kogman
To: Bitcoin Development Mailing List

Thanks for the write-up. I’m curious to learn if any of these attacks happened in practice, and if there are methods to find out retroactively.

> In Whirlpool, the server's blind signing key is obtained by the client
> by extracting it from the response to the input registration
> request.[^2]
> Because the key is not announced a priori, nor is it signed by the
> participants' spending keys before output registration or signing[^5],
> the server can provide each input with a unique RSA key. Since the
> unblinded signatures are made by different keys, the server can learn
> the mapping from inputs to outputs.

Do we know based on observations or published server-side code whether this key was:

1) the same for all time; or
2) unique for each round; or
3) unique for each registration request

In case of (1) and (2) it would have been possible to detect a targeted* attack, of course only if you were on the lookout.

Perhaps if the app kept sufficient logs, it would still be possible to retroactively check this.

> ### WabiSabi
>
> In the protocol clients register their Bitcoin UTXOs independently. A
> valid input registration request includes a BIP-322 ownership proof,
> which commits to the so called *Round ID*. This in turn is a hash
> commitment to the parameters of the round, including the server's
> anonymous credential issuance parameters (analogous to a public key).
>
> The parameters are obtained by polling the server for information
> about active rounds. If inconsistent round IDs are given to clients,
> this effectively partitions them, allowing deanonymization.

Are these round IDs logged by clients?

* = I’m thinking of an active attacker who wants to track specific UTXOs. They could preemptively “persuade” the coordinator server to provide a different RSA key or round ID if they ever try to join a round.

- Sjors
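
The retroactive check asked about above, as an added example that is not part of the original message or of any Whirlpool code: it classifies pooled client log records into the three key-reuse cases and flags rounds where some input was handed a different key. The record format, the key fingerprints and the idea that several clients pool their logs are all assumptions; whether real clients keep such logs is the open question in the message.

```python
from collections import defaultdict

# Constructed records pooled from several clients' logs (assumed format):
# (round id, registered input, fingerprint of the RSA key in the server's response).
RECORDS = [
    ("r1", "in-a", "key-1"), ("r1", "in-b", "key-1"), ("r1", "in-c", "key-1"),
    ("r2", "in-d", "key-2"), ("r2", "in-e", "key-2"), ("r2", "in-f", "key-X"),
    ("r3", "in-g", "key-3"), ("r3", "in-h", "key-3"),
]

def keys_per_round(records):
    """Map round id -> {key fingerprint: [inputs that were given that key]}."""
    rounds = defaultdict(lambda: defaultdict(list))
    for round_id, txin, key_fp in records:
        rounds[round_id][key_fp].append(txin)
    return rounds

def partitioned_rounds(records):
    """Rounds whose registrations saw more than one key, mapped to the inputs
    that received a minority key (candidates for having been singled out)."""
    out = {}
    for round_id, by_key in keys_per_round(records).items():
        if len(by_key) > 1:
            majority = max(by_key, key=lambda k: len(by_key[k]))
            out[round_id] = sorted(
                i for k, ins in by_key.items() if k != majority for i in ins)
    return out

def classify_key_policy(records):
    """Classify the observed behaviour as one of the three cases in the message."""
    rounds = keys_per_round(records)
    if any(len(by_key) > 1 for by_key in rounds.values()):
        distinct = {k for by_key in rounds.values() for k in by_key}
        # Every registration with its own key is case (3); otherwise only
        # some inputs deviate, which is what a targeted partition looks like.
        return "per-registration" if len(distinct) == len(records) else "mixed"
    if len(rounds) < 2:
        return "undetermined"  # one round cannot separate cases (1) and (2)
    keys = {next(iter(by_key)) for by_key in rounds.values()}
    if len(keys) == 1:
        return "static"        # case (1)
    return "per-round" if len(keys) == len(rounds) else "mixed"  # case (2)

if __name__ == "__main__":
    print(classify_key_policy(RECORDS), partitioned_rounds(RECORDS))
```
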