Return-Path: Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id ED8F9C0881 for ; Fri, 27 Dec 2019 18:04:04 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id E732C8630A for ; Fri, 27 Dec 2019 18:04:04 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YbtFw-DkGvH6 for ; Fri, 27 Dec 2019 18:04:04 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-lj1-f178.google.com (mail-lj1-f178.google.com [209.85.208.178]) by whitealder.osuosl.org (Postfix) with ESMTPS id B992C84AF1 for ; Fri, 27 Dec 2019 18:04:03 +0000 (UTC) Received: by mail-lj1-f178.google.com with SMTP id w1so5722799ljh.5 for ; Fri, 27 Dec 2019 10:04:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=As9w+YjOMWv2RmtyQvmYko137jh/SoABfnL7vza2PaU=; b=OXnPOF13d3Cfl0wKVSgb7mBAswICk7PzEHsklCjQ9niX2FF0VXUhByAZRroZ4dgGZA OXqy+eSe75PmPQeY6SpaaAyKjx6eNakm91f+3CjJzjCOe/ednYVlHs22jkMj/no10ocn lhimRS9GuWQcOZf2IyBcpV1NrSTZW2fcuXaKYnMUzpn65tchyBW7fhTQFrvNSZu+Jd4s 82e9Pdn4EbJ6bGhUiYiRl001eBvWN6XymB/WrO3vWIrCiwQ24HC4IW0wvBKBJ+0O+Som PoSCNJ2wYBH5eHH9H3uvv3OUDJODHAhvLMMAxb52AGzfljXw5n6qgwBq7ZYNorhYz7VU wdCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=As9w+YjOMWv2RmtyQvmYko137jh/SoABfnL7vza2PaU=; b=fW0dYjVUROdx+fg4qZPUULqGatcEvX9SYc9/GjZqNbE91CkiA2G0ui+vNWpFguJjPp Av+7q6RBOAA7jmjqmlpncF7gcVBGx8WkU/k+54ZZxIvxy+CSyQM0ips9BSFgWVGQP2No NkiV+zjHZzkFFQjS4sq5pcvNMwXfUzCSVdPU18o78frAihg6l4mNCXg9quiNlKYgp743 XFYQztxxKo58u3N9hyDY5CldHigUV+7nyfUbk6OI//0mIJeazQR3qFMbrgd+1Abd+Hez AGqKgec+SakjV00ggtc8JSB4Fs/Z5v3KTa9kew9xMauqOBAAXs44VOXN2wX1qne8RGII B5Pw== X-Gm-Message-State: APjAAAWu1Yi1tOAQD+NGw4vU0Qd/V+pg2uqGyTyQ5DuVrTysZWrRDt38 lzM9CDsM+BM2RrwLjmUmSmLtsUvrBJD1xot/px628/kJLBE= X-Google-Smtp-Source: APXvYqx8bv/XgZOM3JdRtkDhpPYrF6kqNKwbKsTUhSkE6e2o/4/KMlHnW226GWIm7m5rVtdSVx2yAEcJU4yP7m+gvL4= X-Received: by 2002:a2e:9592:: with SMTP id w18mr28877952ljh.98.1577469841165; Fri, 27 Dec 2019 10:04:01 -0800 (PST) MIME-Version: 1.0 From: nopara73 Date: Fri, 27 Dec 2019 14:03:49 -0400 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000086d4cc059ab35144" X-Mailman-Approved-At: Sat, 28 Dec 2019 01:29:33 +0000 Subject: [bitcoin-dev] Non-equal value CoinJoins. Opinions. X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Dec 2019 18:04:05 -0000 --00000000000086d4cc059ab35144 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable The CashFusion research came out of the Bitcoin Cash camp, thus this probably went under the radar of many of you. I would like to ask your opinions on the research's claim that, if non-equal value coinjoins can be really relied on for privacy or not. (Btw, there were also similar ideas in the Knapsack paper in 2017: https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-trustco= m-coinjoin.pdf ) https://github.com/cashshuffle/spec/blob/master/CASHFUSION.md#avoiding-amou= nt-linkages-through-combinatorics I copy the most relevant paragraphs here: ---------BEGIN QUOTE --------- Consider a transaction where 10 people have each brought 10 inputs of arbitary amounts in the neighborhood of ~0.1 BCH. One input might be 0.03771049 BCH; the next might be 0.24881232 BCH, etc. All parties have chosen to consolidate their coins, so the transaction has 10 outputs of around 1 BCH. So the transaction has 100 inputs, and 10 outputs. The first output might be 0.91128495, the next could be 1.79783710, etc. Now, there are 100!/(10!)^10 ~=3D 10^92 ways to partition the inputs into a list of 10 sets of 10 inputs, but only a tiny fraction of these partitions will produce the precise output list. So, how many ways produce this exact output list? We can estimate with some napkin math. First, recognize that for each partitioning, each output will typically land in a range of ~10^8 discrete possibilities (around 1 BCH wide, with a 0.00000001 BCH resolution). The first 9 outputs all have this range of possibilities, and the last will be constrained by the others. So, the 10^92 possibilies will land somewhere within a 9-dimensional grid that cointains (10^8)^9=3D10^72 possible distinct sites, one site which is our actual output list. Since we are stuffing 10^92 possibilties into a grid that contains only 10^72 sites, then this means on average, each site will have 10^20 possibilities. Based on the example above, we can see that not only are there a huge number of partitions, but that even with a fast algorithm that could find matching partitions, it would produce around 10^20 possible valid configurations. With 10^20 possibilities, there is essentially no linkage. The Cash Fusion scheme actually extends this obfuscation even further. Not only can players bring many inputs, they can also have multiple outputs. ---------END QUOTE --------- --=20 Best, =C3=81d=C3=A1m --00000000000086d4cc059ab35144 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
The CashFusion research came out of the Bitcoin Cash camp,= thus this probably went under the radar of many of you. I would like to as= k your opinions on the research's claim that, if non-equal value coinjo= ins can be really relied on for privacy or not.

(Btw, there were als= o similar ideas in the Knapsack paper in 2017:=C2=A0https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-tru= stcom-coinjoin.pdf=C2=A0)=C2=A0

https://github.com/cashshuffle/spec/blob/master/CASHFUSION.md= #avoiding-amount-linkages-through-combinatorics=C2=A0=C2=A0

I co= py the most relevant paragraphs here:

=C2=A0 ----= -----BEGIN QUOTE ---------=C2=A0
=C2=A0

Consider a transa= ction where 10 people have each brought 10 inputs of arbitary amounts in th= e neighborhood of ~0.1 BCH. One input might be 0.03771049 BCH; the next mig= ht be 0.24881232 BCH, etc. All parties have chosen to consolidate their coi= ns, so the transaction has 10 outputs of around 1 BCH. So the transaction h= as 100 inputs, and 10 outputs. The first output might be 0.91128495, the ne= xt could be 1.79783710, etc.

Now, there are= 100!/(10!)^10 ~=3D 10^92 ways to partition the inputs into a list of 10 se= ts of 10 inputs, but only a tiny fraction of these partitions will produce = the precise output list. So, how many ways produce this exact output list? = We can estimate with some napkin math. First, recognize that for each parti= tioning, each output will typically land in a range of ~10^8 discrete possi= bilities (around 1 BCH wide, with a 0.00000001 BCH resolution). The first 9= outputs all have this range of possibilities, and the last will be constra= ined by the others. So, the 10^92 possibilies will land somewhere within a = 9-dimensional grid that cointains (10^8)^9=3D10^72 possible distinct sites,= one site which is our actual output list. Since we are stuffing 10^92 poss= ibilties into a grid that contains only 10^72 sites, then this means on ave= rage, each site will have 10^20 possibilities.

Based on the example above, we can see that not only are there a huge n= umber of partitions, but that even with a fast algorithm that could find ma= tching partitions, it would produce around 10^20 possible valid configurati= ons. With 10^20 possibilities, there is essentially no linkage. The Cash Fu= sion scheme actually extends this obfuscation even further. Not only can pl= ayers bring many inputs, they can also have multiple outputs.

---------E= ND QUOTE ---------
--
Best,
=C3=81d= =C3=A1m
--00000000000086d4cc059ab35144--