1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
|
Delivery-date: Mon, 06 Jan 2025 05:21:11 -0800
Received: from mail-qv1-f59.google.com ([209.85.219.59])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDBL75NL5EKBBPNR565QMGQEIO64QIY@googlegroups.com>)
id 1tUn2d-0008C6-65
for bitcoindev@gnusha.org; Mon, 06 Jan 2025 05:21:11 -0800
Received: by mail-qv1-f59.google.com with SMTP id 6a1803df08f44-6d889fd0fd6sf234314986d6.0
for <bitcoindev@gnusha.org>; Mon, 06 Jan 2025 05:21:10 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1736169665; cv=pass;
d=google.com; s=arc-20240605;
b=TWLgZ2sIQSrInNvgOnIfvcgi6W0S8st0Vjrli7VzMiZJ5YPJzc+OZDhDZGe0ZxXkKs
W9yGXOI+zWrUWMI6aUblqlijFsezrstihWynFEqYRklB+jk0V0ttNv2iHliduY8hWxyU
XB9+8tGKNEbh2EzKStW4nkSVJxlVWL8m75d/hAmV2FZtFaS7FErwlobtjH6y+TcWfk5r
fZpjtEPUlv0cJikW58ubG0NSfU4O89EI4y+u0LazUIcBSGi+BGhSyoSwBaO+CuaEFCGY
UfuEzXJiA2lndxY7fOqg3HQjz05+oa79s7lkKMjBB0kuNC6T/HPBcFd4tcOPlrdJ8M/j
7XKw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:to:references:message-id
:content-transfer-encoding:cc:date:in-reply-to:from:subject
:mime-version:feedback-id:sender:dkim-signature;
bh=USpMua2IqezUbdsLZ71sYZgZYj/kSuqfSW2m+WIP3TY=;
fh=ODkjGbnaelmsxUfB5PcaL/4EXkS7FkNVMMyqVdAPdyM=;
b=EfXfz4rduQDU0DChpS4Wj91W+NsMnqX7Madq7+YXMy1PaJ7iTImSuSXiPpsonKPSOd
Ubt8UMJLhZBlUbd0a1xD+tnxjw6Y8+KYYlpriuZdWEd+RyhujWst+DNMSjBuQ5602NSn
cynlBCEi94fDQ285atevpYzpyjAaFxgkSdVQsVnyASmg9XhiNqRpl++Q1M3yEIitPjXQ
eZh5bbw38R7315f4xCfLWdB3vh6bhT9vL9/2vwLhMd3qqKysyIC/ncALHhMnNkHU3Bpe
w/NXWLvQ38rKhGa1el369R4vbMtbXtsWUiwQf7HCLBmeP2L1+YSlroz9TvyVRVDtuD1E
UJEg==;
darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@sprovoost.nl header.s=fm3 header.b="V3N2mA/a";
dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=nB5e072I;
spf=pass (google.com: domain of sjors@sprovoost.nl designates 202.12.124.154 as permitted sender) smtp.mailfrom=sjors@sprovoost.nl;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sprovoost.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1736169665; x=1736774465; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:to:references:message-id
:content-transfer-encoding:cc:date:in-reply-to:from:subject
:mime-version:feedback-id:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=USpMua2IqezUbdsLZ71sYZgZYj/kSuqfSW2m+WIP3TY=;
b=DRmYr4nRqOUyhGEUtPYiqsz8X/4C9mg2weZFNIgA/RWbG78O04yFz84aYxl15jvIm1
l6LmtaehnpbYsCi6Ij9cLYUloB07Qt980seIMGrUmQNqkF3prEwUrqRUd15SlLUYA7Ax
LB/r/dqxKic5QfhXbU9aGlbuUkE7Qx2/OwlrD3gywRh+8v6AFR2ekU4SDmTCg5+0ZR/0
Ph7dffMb+PNMUPiv2NcH0gNImNUqsmr8l0reqNo5tTEKa6AB19FC5kDPtWQPx7gGpfhx
zNbVo6Tz+BB8hLW2aT9Ic/4W0hhgS5YsloN/t2DeZBl9Ex0AGDgFh2uYsu6q8Lm6wm1o
rduA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1736169665; x=1736774465;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:to:references:message-id
:content-transfer-encoding:cc:date:in-reply-to:from:subject
:mime-version:feedback-id:x-beenthere:x-gm-message-state:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=USpMua2IqezUbdsLZ71sYZgZYj/kSuqfSW2m+WIP3TY=;
b=cExb8GqcZB00auA1WHS3UA25SmWXGFaO8WUZaTj/Et9OInrTK0jnvS091nEZpcNP8z
qqa8fYPrb1KpkiCCFioi6s/MdSlcL+CIj5jSdEJ4TXn/7GzSWPKIo8KRnKl2wozBaXAW
baxJdqo3Xo4DbvhY58FFo+oYXMRRp3jTv8G5HzviWp4cTNvbUInJrc72Rz4xJ1RdaFGV
t7j+Meej3FSXjkKVgdy7QiA2r79n/NXci1dth7MbvZPUAARPZpSGcfduvrdxtcNBKszB
ypH1/CKZNnhEdV3wYiF3PM0U1LD7d99tJheQypSmh37SDzRvwhDeEqTiiLxjhdh5aCay
LwoQ==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCXQ+du9VUHUMh1Tzw7cIZ3ZjwdKwkV0sA6qZuYrCX1jTSbon5oLknuKZFuSOxI3gHYSUT2kAIfkh1tR@gnusha.org
X-Gm-Message-State: AOJu0YxDzuU05O1lwaMyfQD3qc6n43jhyP5C6b1SSFtlYdV7/jfPqaDu
ZU2npQrJMwjP/ROxtZy/Tz/tI8b11ak0kaGNdw+ZlQA5q5psc7fv
X-Google-Smtp-Source: AGHT+IGCKHuxVXrpLHUOgfkS56Rs1h6jvE5W/VktT38eRM4OvIdWsE4v6GYkTpJ3wi3++d3/9JwL5A==
X-Received: by 2002:ad4:5bab:0:b0:6d8:ab3c:5d7 with SMTP id 6a1803df08f44-6dd23655202mr921489526d6.24.1736169664523;
Mon, 06 Jan 2025 05:21:04 -0800 (PST)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a05:6214:528d:b0:6d4:e40:5156 with SMTP id
6a1803df08f44-6ddd5b43817ls34479696d6.1.-pod-prod-00-us; Mon, 06 Jan 2025
05:21:01 -0800 (PST)
X-Received: by 2002:a05:620a:244f:b0:7b1:55b6:409a with SMTP id af79cd13be357-7b9aaad54fdmr11031579485a.30.1736169660962;
Mon, 06 Jan 2025 05:21:00 -0800 (PST)
Received: by 2002:a05:620a:470b:b0:7b6:dcc4:6708 with SMTP id af79cd13be357-7b9ab1e40f9ms85a;
Mon, 6 Jan 2025 05:08:11 -0800 (PST)
X-Received: by 2002:a05:622a:1a82:b0:466:91f3:12ca with SMTP id d75a77b69052e-46a3af9ea8bmr844933891cf.8.1736168890390;
Mon, 06 Jan 2025 05:08:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1736168890; cv=none;
d=google.com; s=arc-20240605;
b=Czw34VEpoxAMe8TpUfES3wBpewPx3GhlEYYuCFR8ysrARE3eQlch7EJT6a95vABqoo
N1VPkT7TbOaxI7KlGa7JRzwqowqGXUjFQ6l7cMDyjsXDRxEwOVMbj9mSsv/dKOvLq4Fo
6flFz+JsdKc7aDZlxxkI1uHi+IV/MzFRvNJ4r+LfWzIxF9tZA0Fe6HI5G5lDn9Jw5siY
nW/q+jfpjvgS10Q4/vWNlyQcL8Mq8XJu1Wq1f4+EXifHy5rJwxpCIPLzPvVaPr6xHjSj
eELjrzzIvTRWSXNVrsrFdSMUX7QI0dgZnMvV8F4zDwe2wgWRf/6cMqDo8v9bIL+GWPuT
nquw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=to:references:message-id:content-transfer-encoding:cc:date
:in-reply-to:from:subject:mime-version:feedback-id:dkim-signature
:dkim-signature;
bh=EksP008pK2T47JcPb+OfgjfXPfiBS6hF+RIDP2wKBEg=;
fh=C3MoiEA34yOFKNebU49TuxLM9cczukmFZL9PUsr/ENw=;
b=bQcSH32x4favR2HZfrTPx8zCkO+uZHP6ILkzfDmw3JuGRWTv7kGybyLkBfc/DbDY6I
N4UNzDQJK6N4+s6F4WF/slq+C47H+vDIko/OmBAIqIbpfTIcJRWyxcbhA57lXzk7wxtX
hNkhAjxcBOYo57HMCfX8yQ0aMn2t2fHq25dLNvGKFMZZaE2xQQoE7WK7EzjOWPb3oX7Q
+H2EF9quTcUTGvapq12UkEpHl3yXXFy4WndlrG1Z4L5JM+UJmcP4T5VOM05gMcBeTZxI
Xevr4yNtL6mPUOlYVmIyAbmg7qy8tQIvNtH/Li1lUJnXDv8lRiZbj0czHWbxBM3rGi2a
CbPw==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@sprovoost.nl header.s=fm3 header.b="V3N2mA/a";
dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=nB5e072I;
spf=pass (google.com: domain of sjors@sprovoost.nl designates 202.12.124.154 as permitted sender) smtp.mailfrom=sjors@sprovoost.nl;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sprovoost.nl
Received: from fhigh-b3-smtp.messagingengine.com (fhigh-b3-smtp.messagingengine.com. [202.12.124.154])
by gmr-mx.google.com with ESMTPS id d75a77b69052e-46a3e71e146si16509351cf.3.2025.01.06.05.08.10
for <bitcoindev@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 06 Jan 2025 05:08:10 -0800 (PST)
Received-SPF: pass (google.com: domain of sjors@sprovoost.nl designates 202.12.124.154 as permitted sender) client-ip=202.12.124.154;
Received: from phl-compute-01.internal (phl-compute-01.phl.internal [10.202.2.41])
by mailfhigh.stl.internal (Postfix) with ESMTP id ECA762540188;
Mon, 6 Jan 2025 08:08:09 -0500 (EST)
Received: from phl-mailfrontend-01 ([10.202.2.162])
by phl-compute-01.internal (MEProxy); Mon, 06 Jan 2025 08:08:10 -0500
X-ME-Sender: <xms:udV7Z2ZxnnWNPTX-SEXiCFpJJvbileWNfTr5189SwL8ln5WnYUuYew>
<xme:udV7Z5YIVrSTKdGyFds4c49BBppxxtvH4tV6gslOHbzD9EeCO8F0UkyehQegJZ3hB
aC6Nyqdb5S91ctu2w>
X-ME-Received: <xmr:udV7Zw_EAAoThnwIhGNOGHJ1Ep1zGZcAHCH-NMqYZzrun3QB-LaWAd0QJ2_tTOtyj-ot>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefuddrudegtddggeekucetufdoteggodetrfdotf
fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh
htshculddquddttddmnecujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtdej
necuhfhrohhmpefujhhorhhsucfrrhhovhhoohhsthcuoehsjhhorhhssehsphhrohhvoh
hoshhtrdhnlheqnecuggftrfgrthhtvghrnhepueejgeehveelheekjeeguddtgeefkedt
uefgieeigfefheduudekiefgveeffeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrg
hrrghmpehmrghilhhfrhhomhepshhjohhrshesshhprhhovhhoohhsthdrnhhlpdhnsggp
rhgtphhtthhopedvpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopegsihhttghoih
hnuggvvhesghhoohhglhgvghhrohhuphhsrdgtohhmpdhrtghpthhtohepnhhothhhihhn
ghhmuhgthhesfihoohgslhhinhhgrdhorhhg
X-ME-Proxy: <xmx:udV7Z4pgMPf7PYIXq6LDliWMJJqsfBYVXIF0Zawm7x3J6tZLQSUhDA>
<xmx:udV7Zxrb0J353DrP6pnv6F7u7eJx_OzxT_KFGbaKYiqyuUc0_m3VFQ>
<xmx:udV7Z2RCpd8XaXsiqre8uNqq76jEGoiNUhLt_nfjMTdkL_jRkS7REg>
<xmx:udV7Zxqu0BG4F4WZ35Jxo-d4uw1m71uaO6Yo_zkclhccveq2HO8ARw>
<xmx:udV7Z41xjp2637KhKfvd-OyzI6EK71kKhCe-KCDYFmZbgoDo96ozGXYi>
Feedback-ID: ie5e042df:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
6 Jan 2025 08:08:09 -0500 (EST)
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.300.87.4.3\))
Subject: Re: [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai)
deanonymization attacks
From: Sjors Provoost <sjors@sprovoost.nl>
In-Reply-To: <CAAQdECCdRVV+3ZoJhOotKEvmUV4yrV7EYWE8SOWCE1CF9tZ6Yg@mail.gmail.com>
Date: Mon, 6 Jan 2025 14:07:58 +0100
Cc: Yuval Kogman <nothingmuch@woobling.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E26BEB3C-1345-487D-A98C-2A7E17494B5E@sprovoost.nl>
References: <CAAQdECCdRVV+3ZoJhOotKEvmUV4yrV7EYWE8SOWCE1CF9tZ6Yg@mail.gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
X-Mailer: Apple Mail (2.3826.300.87.4.3)
X-Original-Sender: sjors@sprovoost.nl
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@sprovoost.nl header.s=fm3 header.b="V3N2mA/a"; dkim=pass
header.i=@messagingengine.com header.s=fm2 header.b=nB5e072I; spf=pass
(google.com: domain of sjors@sprovoost.nl designates 202.12.124.154 as
permitted sender) smtp.mailfrom=sjors@sprovoost.nl; dmarc=pass (p=NONE
sp=NONE dis=NONE) header.from=sprovoost.nl
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.8 (/)
Thanks for the write-up.
I=E2=80=99m curious to learn if any of these attacks happened in practice,
and if there are methods to find out retroactively.
> In Whirlpool, the server's blind signing key is obtained by the client
> by extracting it from the response to the input registration
> request.[^2]
> Because the key is not announced a priori, nor is it signed by the
> participants' spending keys before output registration or signing[^5],
> the server can provide each input with a unique RSA key. Since the
> unblinded signatures are made by different keys, the server can learn
> the mapping from inputs to outputs.
Do we know based on observations or published server-side code whether
this key was:
1) the same for all time; or
2) unique for each round; or
3) unique for each registration request
In case of (1) and (2) it would have been possible to detect a targeted* at=
tack,
of course only if you were on the lookout.
Perhaps if the app kept sufficient logs, it would still be possible to retr=
oactively
check this.
> ### WabiSabi
>=20
> In the protocol clients register their Bitcoin UTXOs independently. A
> valid input registration request includes a BIP-322 ownership proof,
> which commits to the so called *Round ID*. This in turn is a hash
> commitment to the parameters of the round, including the server's
> anonymous credential issuance parameters (analogous to a public key).
>=20
> The parameters are obtained by polling the server for information
> about active rounds. If inconsistent round IDs are given to clients,
> this effectively partitions them, allowing deanonymization.
Are these round IDs logged by clients?
* =3D I=E2=80=99m thinking of an active attacker who wants to track specifi=
c UTXOs.
They could preemptively =E2=80=9Cpersuade=E2=80=9D the coordinator ser=
ver to provide
a different RSA key or round ID if they ever try to join a round.
- Sjors
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
E26BEB3C-1345-487D-A98C-2A7E17494B5E%40sprovoost.nl.
|
