public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: popo <PoliceTerror@dyne.org>
To: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Draft BIP for SNICKER
Date: Fri, 22 Nov 2019 15:57:10 +0100	[thread overview]
Message-ID: <adad1616-a8c2-9d76-4a14-2160e37fc8b2@dyne.org> (raw)
In-Reply-To: <B6OyNJfSL9qQgAr7ktQzWvLW_Q3t5b9zHKb4CRd2sH_VdpW5ZsRUSNhG133JA64ZQ-TjjDZHlf8sBMhduzLpptTQo71iwhLoDqMx9GPPlVc=@protonmail.com>

Hi, AFAIK snicker is limited to 2 party mixes for the foreseeable future.
What makes this a useful anonymity system for cryptocurrency/Bitcoin?

Thanks

On 11/22/19 3:02 PM, AdamISZ via bitcoin-dev wrote:
> Hi Riccardo,
> Apologies for not answering before, this slipped my mind.
> Clearly what you propose is possible, and adding the proposer's own
> signed transaction is a nice touch to make it more privacy-viable.
> For now my inclination is not to add this complexity, especially because
> of the cost implication.
> I'd note though that your idea about adding in second-stage transactions
> aligns with the CoinJoinXT idea (or perhaps, just the segwit idea!).
> Proposers could send sequences of transactions with various patterns,
> including backouts and promises, but it would clearly be way more
> complicated than what we're considering right now.
> Regards,
> Adam/waxwing
> 
> 
> Sent with ProtonMail <https://protonmail.com> Secure Email.
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, November 6, 2019 4:52 PM, Riccardo Casatta via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
>> Hello Adam,
>>
>> are you sure you can't tackle the watch-only issue?
>>
>> What if the proposer create the coinjoin-tx, plus another tx
>> (encrypted with the shared secret) which is a 1 input-1 output (1to1)
>> tx which spend his output to another of his key.
>> At this point when the receiver accept the proposal tx he could create
>> other tx 1to1 which are spending his tweaked output to pure bip32
>> derived key, he than broadcast together the coinjoin tx and for every
>> output of the coinjoin tx one other tx which is a 1to1 tx.
>>
>> Notes:
>> * We are obviously spending more fee because there are more txs
>> involved but the receiver ends up having only bip32 derived outputs.
>>
>> * The receiver must create the 1to1 tx or the receiver lose privacy by
>> being the only one to create 1to1 tx
>> * a good strategy could be to let the coinjoin tx have a very low fee,
>> while the 1to1 tx an higher one so there is less risk that only the
>> coinjoin gets mined
>> * Whit this spending strategy, the wallet initial scan does not need
>> to be modified
>>
>>
>> Il giorno mar 22 ott 2019 alle ore 15:29 AdamISZ via bitcoin-dev
>> <bitcoin-dev@lists.linuxfoundation.org
>> <mailto:bitcoin-dev@lists.linuxfoundation.org>> ha scritto:
>>
>>     Just to chime in on these points:
>>
>>     My discussions with ghost43 and ThomasV led me to the same
>>     conclusion, at least in general, for the whole watch-only issue:
>>
>>     It's necessary that the key tweak (`c` as per draft BIP) be known
>>     by Proposer (because has to add it to transaction before signing)
>>     and Receiver (to check ownership), but must not be known by anyone
>>     else (else Coinjoin function fails), hence it can't be publically
>>     derivable in any way but must require information secret to the
>>     two parties. This can be a pure random sent along with the
>>     encrypted proposal (the original concept), or based on such, or
>>     implicit via ECDH (arubi's suggestion, now in the draft, requiring
>>     each party to access their own secret key). So I reached the same
>>     conclusion: the classic watch-only use case of monitoring a wallet
>>     in real time with no privkey access is incompatible with this.
>>
>>     It's worth mentioning a nuance, however: distinguish two
>>     requirements: (1) to recover from zero information and (2) to
>>     monitor in real time as new SNICKER transactions arrive.
>>
>>     For (2) it's interesting to observe that the tweak `c` is not a
>>     money-controlling secret; it's only a privacy-controlling secret.
>>     If you imagined two wallets, one hot and one cold, with the second
>>     tracking the first but having a lower security requirement because
>>     cold, then the `c` values could be sent along from the hot to the
>>     cold, as they are created, without changing the cold's security
>>     model as they are not money-controlling private keys. They should
>>     still be encrypted of course, but that's largely a technical
>>     detail, if they were exposed it would only break the effect of the
>>     coinjoin outputs being indistinguishable.
>>
>>     For (1) the above does not apply; for there, we don't have anyone
>>     telling us what `c` values to look for, we have to somehow
>>     rederive, and to do that we need key access, so it reverts to the
>>     discussion above about whether it might be possible to interact
>>     with the cold wallet 'manually' so to speak.
>>
>>     To be clear, I don't think either of the above paragraphs describe
>>     things that are particularly likely to be implemented, but the
>>     hot/cold monitoring is at least feasible, if there were enough
>>     desire for it.
>>
>>     At the higher level, how important is this? I guess it just
>>     depends; there are similar problems (not identical, and perhaps
>>     more addressable?) in Lightning; importing keys is generally
>>     non-trivial; one can always sweep non-standard keys back into the
>>     HD tree, but clearly that is not really a solution in general; one
>>     can mark out wallets/seeds of this type as distinct; not all
>>     wallets need to have watch-only (phone wallets? small wallets?
>>     lower security?) one can prioritise spends of these coins. Etc.
>>
>>     Some more general comments:
>>
>>     Note Elichai's comment on the draft (repeated here for local
>>     convenience:
>>     https://gist.github.com/AdamISZ/2c13fb5819bd469ca318156e2cf25d79#gistcomment-3014924)
>>     about AES-GCM vs AES-CBC, any thoughts?
>>
>>     I didn't discuss the security of the construction for a Receiver
>>     from a Proposer who should after all be assumed to be an attacker
>>     (except, I emphasised that PSBT parsing could be sensitive on this
>>     point); I hope it's clear to everyone that the construction Q = P
>>     + cG is only controllable by the owner of the discrete log of P
>>     (trivial reduction: if an attacker who knows c, can find the
>>     private key q of Q, he can derive the private key p of P as q - c,
>>     thus he is an ECDLP cracker).
>>
>>     Thanks for all the comments so far, it's been very useful.
>>
>>     AdamISZ/waxwing/Adam Gibson
>>
>>     Sent with ProtonMail Secure Email.
>>
>>     ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>     On Monday, October 21, 2019 4:04 PM, SomberNight via bitcoin-dev
>>     <bitcoin-dev@lists.linuxfoundation.org
>>     <mailto:bitcoin-dev@lists.linuxfoundation.org>> wrote:
>>
>>     > > The SNICKER recovery process is, of course, only required for
>>     wallet
>>     >
>>     > recovery and not normal wallet use, so I don't think a small
>>     amount of
>>     > round-trip communication between the hot wallet and the cold
>>     wallet is
>>     > too much to ask---especially since anyone using SNICKER with a
>>     > watching-only wallet must be regularly interacting with their cold
>>     > wallet anyway to sign the coinjoins.
>>     >
>>     > What you described only considers the "initial setup" of a
>>     watch-only wallet. There are many usecases for watch-only wallets.
>>     There doesn't even necessarily need to be any offline-signing
>>     involved. For example, consider a user who has a hot wallet on
>>     their laptop with xprv; and wants to watch their addresses using
>>     an xpub from their mobile. Or consider giving an xpub to an
>>     accountant. Or giving an xpub to your Electrum Personal Server
>>     (which is how it works).
>>     >
>>     > Note that all these usecases require "on-going" discovery of
>>     addresses, and so they would break.
>>     >
>>     > ghost43
>>     >
>>     > (ps: Apologies Dave for the double-email; forgot to cc list
>>     originally)
>>     >
>>     > bitcoin-dev mailing list
>>     > bitcoin-dev@lists.linuxfoundation.org
>>     <mailto:bitcoin-dev@lists.linuxfoundation.org>
>>     > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
>>     _______________________________________________
>>     bitcoin-dev mailing list
>>     bitcoin-dev@lists.linuxfoundation.org
>>     <mailto:bitcoin-dev@lists.linuxfoundation.org>
>>     https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
>>
>> -- 
>> Riccardo Casatta - @RCasatta <https://twitter.com/RCasatta>
> 
> 
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> 


  reply	other threads:[~2019-11-22 15:07 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-20  0:29 [bitcoin-dev] Draft BIP for SNICKER SomberNight
2019-10-21  0:06 ` David A. Harding
2019-10-21 11:00   ` Riccardo Casatta
2019-10-21 15:04   ` SomberNight
2019-10-22 13:21     ` AdamISZ
2019-11-06 16:52       ` Riccardo Casatta
2019-11-22 14:02         ` AdamISZ
2019-11-22 14:57           ` popo [this message]
2019-11-23 12:43             ` AdamISZ
  -- strict thread matches above, loose matches on Subject: below --
2019-09-01 13:46 AdamISZ

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=adad1616-a8c2-9d76-4a14-2160e37fc8b2@dyne.org \
    --to=policeterror@dyne.org \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox