MIME-Version: 1.0
References: <CAAQdECCdRVV+3ZoJhOotKEvmUV4yrV7EYWE8SOWCE1CF9tZ6Yg@mail.gmail.com>
 <E26BEB3C-1345-487D-A98C-2A7E17494B5E@sprovoost.nl>
In-Reply-To: <E26BEB3C-1345-487D-A98C-2A7E17494B5E@sprovoost.nl>
From: Yuval Kogman <nothingmuch@woobling.org>
Date: Mon, 6 Jan 2025 15:30:24 +0100
Message-ID: <CAAQdECCq5n7zkRJboVwjLMWkGUP7-G2U7tK4Ekf5M9NqLypLQA@mail.gmail.com>
Subject: Re: [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai)
 deanonymization attacks
To: Sjors Provoost <sjors@sprovoost.nl>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>

On Mon, 6 Jan 2025 at 14:08, Sjors Provoost <sjors@sprovoost.nl> wrote:

> Do we know based on observations or published server-side code whether
> this key was:

> 1) the same for all time; or
> 2) unique for each round; or
> 3) unique for each registration request
>
> In case of (1) and (2) it would have been possible to detect a targeted* attack,
> of course only if you were on the lookout.

Only (2) would be correct behavior. If (3) was performed, then that is
just the tagging attack. If (1) was done, then that would have allowed
clients to stockpile blind signatures in earlier rounds, and register
excess outputs during the output registration phase of later ones to
disrupt them (wasabi 1 had this bug FWIW).

If the archived code is considered reliable, then it seems (2) was the
implemented behavior:

https://github.com/Archive-Samourai-Wallet/whirlpool-server/blob/develop/src/main/java/com/samourai/whirlpool/server/beans/Mix.java#L67

> Perhaps if the app kept sufficient logs, it would still be possible to retroactively
> check this.

I'm not aware of any such observation efforts. They would require
modifying the client, at least with the archived version that I saw
the `blindingParams` member is not used that way (there are other
debug logs in the whirlpool client, but not with this data).

However, since the public key is only given in response to input
registration, i.e. after the server has learned of the intended UTXO,
and because in many cases an xpub linking that coin may have also been
revealed to the server, and the server controls the grouping of coins
into sets of 5, it seems to me that if it was controlled by a rational
attacker it would not use the overt key tagging attack when covert
ways of deanonymizing are available and just as effective.

> * = I'm thinking of an active attacker who wants to track specific UTXOs.
>      They could preemptively "persuade" the coordinator server to provide
>      a different RSA key or round ID if they ever try to join a round.

While this is certainly possible, maintaining plausible deniability is
easier if the server merely maliciously controls the placement of
UTXOs, ensuring that targeted UTXOs end up only with xpub-revealed
and/or adversary-controlled peers.

> Are these round IDs logged by clients?

In the case of wasabi, both my recollection and a cursory search
indicate that yes:

https://github.com/WalletWasabi/WalletWasabi/blob/42e7963d7fffc7f8f37fd9b6e8973235859ee7fb/WalletWasabi/WabiSabi/LoggerTools.cs#L36

I did not check in detail where this information is logged, and I
don't think a list of all published round IDs is logged.

I would not encourage users to share such logs, or their data, without
careful considerations. Even if logs were scrubbed, revealing a/the
set of rounds in which a user participated can significantly harm
privacy, especially since participation in rounds and coin selection
does not take into account history intersection attacks. See also
these issues re log scrubbing
https://github.com/WalletWasabi/WalletWasabi/issues/6770
https://github.com/WalletWasabi/WalletWasabi/issues/6670 (first was
closed without fixing, deemed duplicate of 2nd - I'd say it isn't -
which is still open...).

One of the developers still working on wasabi indicated that there
will finally be some efforts to mitigate this class of attack:

1. redundant queries from isolated Tor circuits of the round status
information where round IDs are published, and consistency checks for
the data returned
2. use of deterministic shuffling in the transaction, ensuring that
signatures can only be aggregated in the absence of equivocation
(assuming the corresponding Lehmer code has enough bits of entropy)

Since round IDs are published ahead of time in the status requests,
and clients explicitly choose which round to join before revealing any
of their intended inputs, the first mitigation is straightforward and
would present a significant barrier.

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAAQdECCq5n7zkRJboVwjLMWkGUP7-G2U7tK4Ekf5M9NqLypLQA%40mail.gmail.com.
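The first mitigation in the message above (redundant round-status queries over isolated circuits, plus a consistency check before any input is revealed) as an added, self-contained example. This is not code from the thread, from Wasabi or from Whirlpool: the status-document layout (a map of round ID to round parameters), the `fetch` callables that stand in for one HTTP request per isolated circuit, and every sample value are constructed assumptions. The point it demonstrates is detection: a coordinator that serves one client a round ID or round parameters nobody else sees (the tagging case) produces a disagreement between views, and the client declines to join before registering a coin.

```python
"""Added example: client-side equivocation check on coordinator round status.

Assumed (not from the thread): the coordinator serves a status document that
maps round_id -> round parameters, and the client can fetch it independently
over several isolated circuits.  Sample values below are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# One circuit's view of the status document: round_id -> parameters (assumed shape).
StatusView = Dict[str, dict]


@dataclass(frozen=True)
class Equivocation:
    round_id: str
    # fingerprint (or "<absent>") -> number of circuits that reported it
    values_seen: Dict[str, int]


def fingerprint(params: dict) -> str:
    """Stable digest of round parameters, so views can be compared and logged
    without copying the parameters themselves into the log."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def compare_views(views: List[StatusView]) -> List[Equivocation]:
    """Return one Equivocation per round on which the circuits disagree.

    A round that only some circuits can see counts as equivocation too: a
    coordinator could advertise a round to a targeted client alone.
    """
    all_rounds = set().union(*(v.keys() for v in views))
    problems: List[Equivocation] = []
    for rid in sorted(all_rounds):
        counts: Dict[str, int] = {}
        for v in views:
            fp = fingerprint(v[rid]) if rid in v else "<absent>"
            counts[fp] = counts.get(fp, 0) + 1
        if len(counts) > 1:
            problems.append(Equivocation(rid, counts))
    return problems


def choose_round(fetchers: List[Callable[[], StatusView]]) -> Optional[str]:
    """Fetch the status document over every circuit; join a round only if all
    views agree.  Returns None on any disagreement.  Nothing about the client's
    coins has been revealed at this point, so aborting costs nothing."""
    views = [fetch() for fetch in fetchers]
    if compare_views(views):
        return None
    # Identical views: pick deterministically so the choice itself leaks nothing.
    return min(views[0]) if views[0] else None


# Constructed samples.  An honest coordinator serves the same document to all.
HONEST: StatusView = {
    "round-01": {"denomination": 1_000_000, "blinding_key_id": "k1"},
    "round-02": {"denomination": 5_000_000, "blinding_key_id": "k2"},
}
# A tagging coordinator serves one circuit a distinct key for round-01 and
# hides round-02 from it (constructed, illustrating cases (3) and a hidden round).
TAGGED: StatusView = {
    "round-01": {"denomination": 1_000_000, "blinding_key_id": "k1-victim"},
}


def honest_fetchers(n: int = 3) -> List[Callable[[], StatusView]]:
    return [lambda: dict(HONEST) for _ in range(n)]


def tagging_fetchers() -> List[Callable[[], StatusView]]:
    return [lambda: dict(HONEST), lambda: dict(HONEST), lambda: dict(TAGGED)]


if __name__ == "__main__":
    print("honest:", choose_round(honest_fetchers()))   # round-01
    for e in compare_views([HONEST, HONEST, TAGGED]):
        print("equivocation:", e)
    print("tagging:", choose_round(tagging_fetchers()))  # None
```

The check deliberately treats a round that is missing from some circuits as a disagreement, not just a round whose parameters differ, because a coordinator that wants to isolate one client can do so by advertising a round to that client alone. Comparing digests rather than raw parameters keeps any client-side log of the check from becoming the kind of round-participation record the message warns against sharing.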