Pages:
Author

Topic: Can Coinjoin transactions be traced? Busting Bitcoin privacy myths! - page 4. (Read 2139 times)

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
What do you think of the dust problem in Whirlpool that wastes money for even smaller outputs?  https://web.archive.org/web/20231025112756/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/461
You have already received your reply. Users are free to mess with their privacy and money. The client should not recommend them to do so, but if they nonetheless want to create dust outputs, they are free to do so. In the given transaction, it is clear that this was a conscious choice made by the user.

Using a different derivation path for the change output didn't stop those Whirlpool addresses from being linked together.
... yes? That's because spending your received coins and change together is generally considered a feature?

Furthermore, I showed the proof of how I linked postmix Whirlpool outputs to the premix transaction that generated it, which no one ever addressed at all
You showed proof of a Whirlpool user consolidating the many post-mix outputs into one, which agrees with my initial statement that the user is free to mess up with their privacy. If you use Whirlpool in Sparrow wallet, trying to consolidating all these will warn you that it will appear as a self-transfer, and instead will suggest you into adding a mix partner.

Okay, since you seem to think there's a problem, what is the solution to the problem you are describing?  How should the coinjoin protocol be changed?
I don't think there's a problem with the user consciously deciding to harm their privacy and pocket. I think the problem lies with software that harms the user's privacy without them knowing.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
A segwitv0 output is 31 vbytes, but a witness input is around 68. That's 99 vb, multiplied by 37.5 = 3712.5. Yes, it is less than I wrongly calculated, but it is still waste of money for such a small output.

What do you think of the dust problem in Whirlpool that wastes money for even smaller outputs?  https://web.archive.org/web/20231025112756/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/461

Tell me why anyone would ever lose their sats deliberately by creating these traceable Whirlpool dust outputs:

https://mempool.space/address/bc1qp25y8kfywz88myuh7ed3dmx3vv2z2dwuxhjnlv

Value of output: 305 sats
Mining fee paid to create output: 369 sats
Mining fee paid to spend input: 1,776 sats
Net loss from dust bug: 1,840 sats
New transactions clustered: 5 txs

https://mempool.space/address/bc1q83sfgfefwupz8w3faawxjr5v8uf03ttjclrkda

Value of output: 933 sats
Mining fee paid to create output: 1,234 sats
Mining fee paid to spend input: 4,333 sats
Net loss from dust bug: 4,634 sats
New transactions clustered: 12 txs

I'm good at quoting old posts as well:
As has been explained to Kruw dozens of times, the change output from Tx0s are sent to a separate account and deliberately segregated from your other UTXOs. There is no way to accidentally include them in a transaction. Any user consolidating their change output as has been done in the transaction he has linked to above is doing so deliberately. I understand that Kruw gets angry when people spend their bitcoin in ways that he personally doesn't approve of, but there is no bug here, just Kruw either being deliberately misleading or simply not understanding what is happening.

Using a different derivation path for the change output didn't stop those Whirlpool addresses from being linked together.

Furthermore, I showed the proof of how I linked postmix Whirlpool outputs to the premix transaction that generated it, which no one ever addressed at all:

The first is the fee to Whirlpool itself, which is a flat fee depending on the pool you are joining.

The flat pool entry fee structure is designed to incentivize worst privacy practices.  Since fees are not collected directly based on volume, it is cheaper to participate in a smaller pool and create more outputs than participate in a larger pool and create less outputs. Additionally, it incentivizes revealing common inputs ownership of premix UTXOs since it is cheaper to consolidate them to enter the pool once than to enter the pool with each UTXO individually.  Samourai has never explained why they purposely chose a fee structure that heavily penalizes the most private usage of their protocol.

Because of this backwards design, you can easily link premix inputs to postmix outputs in many cases.  Notice how this Whirlpool tx0 premix creates 70 outputs for 0.05 BTC - https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aa

Notice how every single input of this Whirlpool exit transaction is a direct descendant of rounds created by the aforementioned premix transaction: https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392db

When many inputs used in the postmix exit transaction are created directly from a round that the premix transaction entered, it makes it trivial to trace the user through Whirlpool.  Fortunately, the user abandoned Whirlpool and upgraded to using the WabiSabi coinjoin protocol instead, which made him completely untraceable: https://mempool.space/address/bc1qjjw5gaglkycu2lm5fskl7qhktk0hec4a5me3da

As you noted already, the service does not choose the addresses, users choose their own addresses
B-b-but, I thought this ethos was unacceptable.  Sad

I guess I can't argue against someone who takes the stance "Wasting your Bitcoin and ruining your privacy should be allowed."

I know, I know... Just another confusion in the name of privacy!  Cheesy

Okay, since you seem to think there's a problem, what is the solution to the problem you are describing?  How should the coinjoin protocol be changed?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Your math is wrong:  At 37.5 sats/vbyte, it costs 1163 sats to create a segwitv0 output (31 vbytes) and 1612.5 sats to create a Taproot output (43 vbytes).  Smart WabiSabi clients make sure to choose outputs that aren't dust: https://github.com/zkSNACKs/WalletWasabi/issues/10675
A segwitv0 output is 31 vbytes, but a witness input is around 68. That's 99 vb, multiplied by 37.5 = 3712.5. Yes, it is less than I wrongly calculated, but it is still waste of money for such a small output.

(quoting old soundbites)
I'm good at quoting old posts as well:
As has been explained to Kruw dozens of times, the change output from Tx0s are sent to a separate account and deliberately segregated from your other UTXOs. There is no way to accidentally include them in a transaction. Any user consolidating their change output as has been done in the transaction he has linked to above is doing so deliberately. I understand that Kruw gets angry when people spend their bitcoin in ways that he personally doesn't approve of, but there is no bug here, just Kruw either being deliberately misleading or simply not understanding what is happening.

As you noted already, the service does not choose the addresses, users choose their own addresses
B-b-but, I thought this ethos was unacceptable.  Sad

I guess I can't argue against someone who takes the stance "Wasting your Bitcoin and ruining your privacy should be allowed."

I know, I know... Just another confusion in the name of privacy!  Cheesy
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
BlackHatCoiner, you still haven't followed up on our original conversation about me linking Whirlpool addresses together:

BlackHatCoiner, you merited a post above but you haven't responded to your previous conversation:

Look. I agree you believe you educate people about Bitcoin privacy, but we have repeated this conversation around solutions for privacy quite a lot of times. The fact that you still quote these whirlpool messages, as if they even mean something substantial, shows with what tenacity you're trying to sabotage Samourai.

What do you mean "as if they even mean something substantial"?  These Whirlpool addresses are linked to each other.

What's dust? Gimme my 5000 sat that costed more than double that amount to be created!

Your math is wrong:  At 37.5 sats/vbyte, it costs 1163 sats to create a segwitv0 output (31 vbytes) and 1612.5 sats to create a Taproot output (43 vbytes).  Smart WabiSabi clients make sure to choose outputs that aren't dust: https://github.com/zkSNACKs/WalletWasabi/issues/10675

However, Whirlpool clients create traceable dust outputs that cost more than their value to create.  I reported this to Samourai, but the bug report was deleted without comment: https://web.archive.org/web/20231025112756/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/461

Tell me why anyone would ever lose their sats deliberately by creating these traceable Whirlpool dust outputs:

https://mempool.space/address/bc1qp25y8kfywz88myuh7ed3dmx3vv2z2dwuxhjnlv

Value of output: 305 sats
Mining fee paid to create output: 369 sats
Mining fee paid to spend input: 1,776 sats
Net loss from dust bug: 1,840 sats
New transactions clustered: 5 txs

https://mempool.space/address/bc1q83sfgfefwupz8w3faawxjr5v8uf03ttjclrkda

Value of output: 933 sats
Mining fee paid to create output: 1,234 sats
Mining fee paid to spend input: 4,333 sats
Net loss from dust bug: 4,634 sats
New transactions clustered: 12 txs

Oh! It's supposed to confuse the observers of the coinjoin, that explains everything! Let's start reusing addresses in both inputs and outputs then, as in Wasabi 1.0. That will definitely help, because we will confuse chain analysis even more. Why kind of a clown service reuses addresses in both sides in the first place? That will leave them so speechless that they will give up!

As you noted already, the service does not choose the addresses, users choose their own addresses:

Come on, kayirigi. Get over it, it's clearly the user's fault!
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
15 address reuses
13 exit merges
233 inputs linked
236 outputs linked
Come on, kayirigi. Get over it, it's clearly the user's fault!  Grin

Cya privacy! And extra extra bonus of HUNDREDS of outputs ground in to dust. 5000sats? 6561sats? Losing money for Wabisabi coinjoins which don't work!
What's dust? Gimme my 5000 sat that costed more than double that amount to be created!

This is exactly the sort of confusion a coinjoin is designed to cause
Oh! It's supposed to confuse the observers of the coinjoin, that explains everything! Let's start reusing addresses in both inputs and outputs then, as in Wasabi 1.0. That will definitely help, because we will confuse chain analysis even more. Why kind of a clown service reuses addresses in both sides in the first place? That will leave them so speechless that they will give up!
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
So exit merge on Wabisabi good. But exit merge on Whirlpool bad. LOL. And you think people believe this BS from a Wasabi worker?

As you demonstrated, you weren't you able to identify the inputs owned by the user who merged their outputs in WabiSabi.

WabiSabi exit: https://mempool.space/tx/9273410e2994fa02fb1baa071d84a44fb4ad12ceba50a46eadfd24cf0dd7efa6
WabiSabi entrance: Huh

As I demonstrated, I was clearly able to identify the inputs owned by the user who merged their outputs in Whirlpool:

Whirlpool exit: https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392db
Whirlpool entrance: https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aa

Only WabiSabi preserved privacy in this case, while Whirlpool leaked the origin of the funds.
jr. member
Activity: 35
Merit: 35
blah blah blah stupidity

So exit merge on Wabisabi good. But exit merge on Whirlpool bad. LOL. And you think people believe this BS from a Wasabi worker?

And you ignore 100% deterministic links. And address reuse.  Grin Grin Grin

Wabisabi is a scam.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
BlackHatCoiner, you merited a post above but you haven't responded to your previous conversation:

Look. I agree you believe you educate people about Bitcoin privacy, but we have repeated this conversation around solutions for privacy quite a lot of times. The fact that you still quote these whirlpool messages, as if they even mean something substantial, shows with what tenacity you're trying to sabotage Samourai.

What do you mean "as if they even mean something substantial"?  These Whirlpool addresses are linked to each other.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Feel free to try to trace a WabiSabi coinjoin yourself, no one else has been able to do it:

https://kycp.org/#/1ca4743bd12bc54cd19233f0807ae8b7faec7fdce695f72f345b99d0200ef3d5

15 address reuses
13 exit merges
233 inputs linked
236 outputs linked

This is exactly the sort of confusion a coinjoin is designed to cause Grin  You mistakenly thought that multiple inputs being spent together meant that they were linked to the same owner, but a coinjoin has inputs from multiple owners in the same transaction!

https://kycp.org/#/ad5516f70697af7c9b14297bb4eb1249bee216b7976b7c50f2369a89afb86975

2 address reuses
2 exit merges
This one with extra bonus of 100% deterministic link between input and output!

Here is the exit merge transaction spending 2 outputs from the coinjoin worth 0.1 BTC each - 9273410e2994fa02fb1baa071d84a44fb4ad12ceba50a46eadfd24cf0dd7efa6 - let's analyze them:

In the coinjoin, there are 13 outputs for 0.1 BTC:

bc1qzy2dlcau905jwaktrlnqd7q2uu8m6296xe0y0t <- Exit merged
bc1qykz79d67prjv73wej032kreyysumvg54wlqsc3
bc1qfdt9na0vqu94y0ltz97fg6ep0nztqrlhj4e6as
bc1q26vktzc3uqhld6kgf0c0zgldh4t7wp665kfwm7
bc1qvged8zxdpcsxc3qe2pl62lsl3neprltrvtspn3
bc1qsl2sp0t87rsau6tusy465p9e5vq7r9y0ldns6a
bc1qjpmncaadtk5ef32km44xa5z0mzsden78ev66ws
bc1q5t00axlmeyg7crkq4rlh2qevdz8lcud8gl2q8h <- Exit merged
bc1qe3s0vlsvu3rhd7w7dsswsgdj5k2t99e0f90a9n
bc1q7whl0n3dvu5n3tjqd4g4r7antz70t96mhepn6v
bc1q7cnu23w5rxlktdhm7322y7spe8kyj98dl6stwf
bc1pdu3xkqcpwd6x9uhhy5rh536nevj9vzqkpqmnqjqkhuwpqp9zgrssjh3gwa
bc1pkmkkpug5z2w6pn80kwlyev7v5nw6rukjae4cha2mz6vusz0ef98q5vcv9d

By consolidating two inputs for 0.1 BTC in the payment, the owner retroactively reveals a coinjoin output value of 0.2 BTC.  Does this cause him to lose any privacy?  Let's check the original coinjoin transaction to find out...

In the coinjoin, there are are 9 outputs for 0.2 BTC:

bc1qxcfcgdqey4yc3cqjknea2spe8mw2r0k7n083t2
bc1qwezuexwx4lvafeg34ctzpny64fu3t9w8ngtngg
bc1qs3ztep3w80pm3wz4htj2h9x4ewdug4hzaphfve
bc1quqzcseygmad87g4plgf9yuxzss5r5q72w9g3w2
bc1qu7uj5tcdj5s2e23t08v0rsneejvfd6n0qrxf36
bc1qu77gevtnq6uky0vpjpl2ru96lus58p38qmpywc
bc1p2mzlp34rqsyv7u28y6xdpypqapc8aeeuczuaaqzkv9snmnsenj2sw0uny9
bc1p742nnv0774t5gk8lt72t02wuupapt47dx00ddsq45zl9gedcw22qp3ayg2
bc1plmzmhejjuqykvnf00mue54egap3kjtl5qtcdzf4q6k7v87q34lqs37z3t5

The user stayed anonymous when merging his two 0.1 BTC outputs together since there's many possible ways to create 0.2 BTC as an output from the inputs of the original coinjoin.  This transaction demonstrates how the "smart clients" arrange their output values so that merging smaller matching outputs together results in creating a larger amount with additional matches!

This exit merge proves that even smaller denominations than 0.1 BTC are now also possible combinations that would add up to 0.2 BTC, adding even more anonymity!  Let's check the original coinjoin transaction again to find some...

In the coinjoin, there are are 13 outputs for 0.05 BTC:

bc1qyttl3f9wu2zm3dwnytavs6eqk00glc3xng43ea
bc1qye0g8qdjdl48c5hx7a69t5ekcgcemfrhx9z6sr
bc1qxrgu0lv0ps50c9nf2efjq5zfdfruxejmfu8g8y
bc1qgpwc5803au9cs95u38yz64jhdjrkpp4j249n9u
bc1qt2wugrvm5nts263he4aj2ky2pghhdl90j0lx03
bc1qvzanwhhyf2tfcds3rts958jun84ves3xtc3gcp
bc1qvgmnh5fzrqzx7uhhrcw6emzmktj4atqpn7ev9m
bc1qdm9ae8rq0403ga5rshvw4vjd507t8chu4fn40k
bc1q0ltpdzchc6eeytaafl7muhscdfejr2w269a8xl
bc1q3z5cj7sx53lq8sqdkmflce0dzsaj6437zzqj3p
bc1qhm4cd97znryr6rx4wqrsjj2shcpl44hhmsf8hz
bc1qcww2qypj47vz52uw5y8m7cn7y8vvfxx7tnrajq
bc1pncyek7s2m3tc9kwkswqnja8309gtmjgsykpa5jyahhv7yuavyugqlfpee5

On top of the possibilities of creating one output for 0.2 BTC, or two outputs for 0.1 BTC, it's also possible a user with 0.2 BTC on the input side created 4 outputs for 0.05 BTC instead!

___________________________________________________________________

How does this compare to Whirlpool exit transactions?  Here's the kycp analysis of the Whirlpool exit transaction I traced in the OP: https://kycp.org/#/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392db

All 20 postmix outputs merged were a direct descendant the same premix transaction, making it trivial to unmix.  Unlike JoinMarket or WabiSabi, this user is not in control of remixing, he is dependent on the Whirlpool coordinator to push his coins deeper into the pool.
jr. member
Activity: 35
Merit: 35

Feel free to try to trace a WabiSabi coinjoin yourself, no one else has been able to do it:


https://kycp.org/#/1ca4743bd12bc54cd19233f0807ae8b7faec7fdce695f72f345b99d0200ef3d5

15 address reuses
13 exit merges
233 inputs linked
236 outputs linked

Cya privacy! Let's do another!

https://kycp.org/#/ad5516f70697af7c9b14297bb4eb1249bee216b7976b7c50f2369a89afb86975

2 address reuses
2 exit merges
This one with extra bonus of 100% deterministic link between input and output!

Cya privacy! And extra extra bonus of HUNDREDS of outputs ground in to dust. 5000sats? 6561sats? Losing money for Wabisabi coinjoins which don't work!
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Chainalysis can demix Wabisabi protocol and do this for OFAC. Wabisabi is the only one of three coinjoin protocols which can be demixed like this.

Here is government contract with Chainalysis
https://archive.is/1zU9t

You are lying, the document you linked was published a year before the WabiSabi protocol was in production.

Feel free to try to trace a WabiSabi coinjoin yourself, no one else has been able to do it:

you don't need to be a "whale" at all in order to receive absolutely zero privacy from a Wasabi coinjoin.

Okay then, I'll call your bluff again- Here's 20 non whale non matching outputs from WabiSabi coinjoins, try to identify the inputs owned by even a single one of the 20 outputs (which would be 5%):

01 bc1q032caguldmlrrztmrwhv5wqveyywdu2rtmd740
02 bc1q6vgwhsfkg343mmh27vc6prg3clsd4xu3p68vyd
03 bc1qre8jjpu8p9taw8j44r39z56vfr4sw64d4wyaj4
04 bc1qarharg76gfcrvskfw46f67vtqzd6hxa9pnspp5
05 bc1q4sexgt2p96x3ytnjjttp59w6mkj00kedal3xze
06 bc1qwrf50wpjws5mhdg2rhdu5hy7nqdtl8z94lp75n
07 bc1qz0tal2udfpr20x793fdw6v8lzp2qze7z5zje64
08 bc1qqw2h7fa3n8vyxgqru664fmft2trl9sqh9kz3fp
09 bc1qsud748whmum4gpt2qu52z8gqlgzcjyvhd5w2a5
10 bc1qctvxddyvxupjj8w82m8w5grzn59arstlrnaauw
11 bc1qq2fl05cmmhkr3pzg8elyr859v2fpcltynrk2j5
12 bc1qvwkrd3aecrvql5j8mqkmketvw6g6qwzt4juprq
13 bc1qhc2565fac4lrgyfq6n0mzc0l86jeptfnv2um9x
14 bc1qat6445gutyl3qdz3zhmdng9cdt92mevjlvaljs
15 bc1qk5f3mz0fetccey4nyyjedlrmqstkz2hmun96ha
16 bc1q4tpvm378a9d4n0xcnjtwfwujtr8eatjzvru8dx
17 bc1qd5epyjpj6vuejdppj24wew5n4n5rzepjx2xnay
18 bc1qgafud63me5mffn00g90ch08jjn5h20umzwxd62
19 bc1q5u3f2ldrtqa7ea79a8hcd8kssgw2gmalk4uej9
20 bc1qa6n7g7r4j3nv78gzgzmuvg56em4guppckqpz7r
jr. member
Activity: 35
Merit: 35
Chainalysis can demix Wabisabi protocol and do this for OFAC. Wabisabi is the only one of three coinjoin protocols which can be demixed like this.

Here is government contract with Chainalysis
https://archive.is/1zU9t
Quote
Chainalysis Rumker licenses include Observations and Nodes, which help locate where server nodes are running.  This license also includes Wasabi Demixing services at no additional cost to OFAC, and with no limits to the number of requests.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
There's 0 mention of keyword "tor" or "onion" on it's documentation though https://docs.btcpayserver.org/Wabisabi/. Although i didn't watch included youtube video.

Yes, it doesn't appear the docs are extremely thorough for the coinjoin plugin.  Here's the big red /!\ warning message that appears in BTCPay Server if you try to coinjoin with Tor off: https://github.com/raspiblitz/raspiblitz/issues/3729

I would go further and say you absolutely should connect it to your own node. Samourai suffers from the same issue as does every light wallet, in that the entity running the server you connect to can link all your addresses together (as well as your IP, but obviously you should be running over Tor).

Whirlpool does use a central coordinator, so it is absolutely vital that you use it with your own node and Tor to keep your privacy from the central coordinator.

Whirlpool clients have Tor disabled by default, so I opened an issue to get a warning added to Samourai Wallet about the privacy leak, but they said that any PR that adds this warning will not be merged: https://web.archive.org/web/20230417145554/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/458
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
At very least, BTCPay doesn't use Tor by default and in certain cases i expect to detect whether it's deanonymization attempt or network problem.

Tor is used by default for the WabiSabi coinjoin plugin in BTCPay Server.

There's 0 mention of keyword "tor" or "onion" on it's documentation though https://docs.btcpayserver.org/Wabisabi/. Although i didn't watch included youtube video.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
That makes sense. But it heavily depends on whether client or software you use have ability to mitigate those attack.

Yep, I'm excluding any wallet level implementation details and focusing on the protocols. As you indicated further on, the most trivial way to forfeit privacy in this process is reuse the same IP address for each "identity" you assume:

At very least, BTCPay doesn't use Tor by default and in certain cases i expect to detect whether it's deanonymization attempt or network problem.

Tor is used by default for the WabiSabi coinjoin plugin in BTCPay Server.

Is that from section 7.1.2? What exactly do you mean by marginal cost?

Yes, that's the section.  There's 0 marginal cost for an attacker to DoS a WabiSabi coinjoin round just like there's 0 marginal cost to get another plate of food at an all-you-can-eat buffet.  Since you will pay to transfer any UTXO you own at some point anyways, there's no disincentive for attacking with it before giving up ownership in the future.

In the JoinMarket framework, this 0 cost attack applies to malicious takers who propose offers to makers without ever intending to complete them.  Makers will reveal common ownership of their unspent coins to the taker, who never ends up paying the mining fees to mix that maker's coins. See https://reyify.com/blog/poodle and https://github.com/JoinMarket-Org/joinmarket/issues/156 for the defense against this attack.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
A malicious coordinator may tag users by providing them with different issuer parameters. When registering inputs a proof of ownership must be provided. If signatures are used, by covering the issuer parameters and a unique round identifier these proofs allow other participants to verify that everyone was given the same parameters.

As noted, you can register multiple inputs with WabiSabi to verify that the parameters match each other.

A malicious coordinator could also delay the processing of requests in order to learn more through timing and ordering leaks. In the worst case, the coordinator can attempt to linearize all requests by delaying individual to recover the full set of labelled edges. This is possible when k = 1 and users have minimal dependencies between their requests and tolerate arbitrary timeouts but issue requests in a timely manner.

As noted, clients would be able to detect this and defeat it by disallowing arbitrary timeouts.

Similarly the coordinator may delay information such as the set of ownership proofs or the final unsigned transaction. In the case of the latter, this can be used to learn about links between inputs. This is because a signature can only be made after the details of the transaction are known. If the unsigned was only known to one user but multiple inputs have provided signatures, it follows that those inputs are owned by the same user.

If I understand it correctly, this is handled by using a different Tor identity for listening to round updates than the Tor identities you register inputs with.  Because the coordinator does not know which Tor identity is listening for which inputs, they do not know who to target with this delay.

Since the coordinator must be trusted with regards to denial of service a more practical variant of this attack would involve more subtle delays followed by sabotaging multiple successive rounds during the signing phase in order to learn of correlations between registrations while maintaining deniability.

Clients abandon rounds after multiple successive failures as a basic way to prevent this.

That makes sense. But it heavily depends on whether client or software you use have ability to mitigate those attack. At very least, BTCPay doesn't use Tor by default and in certain cases i expect to detect whether it's deanonymization attempt or network problem.

I know you didn't mention it, but I disagree with this conclusion in section 7 of the WabiSabi paper:

Denial of service is not costless because unspent transaction outputs are a limited resource.

This is incomplete because the marginal cost of a DoS attack is zero if you are going to spend your UTXO anyways.

Is that from section 7.1.2? What exactly do you mean by marginal cost?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
The saddest thing of all is that you don't even recognize your mistake, let alone show any remorse. It is pathetic.

But, I still wish for someone to stand by you in your time of need, someone who will love you no matter what.

What mistake did I make?  Use a direct quote and I'll update it with a correction.
hero member
Activity: 1456
Merit: 940
🇺🇦 Glory to Ukraine!
Lol, you didn't fall for that did you?  The scammers who promote custodial "Mixer Sites" formed a mob to leave false accusations against anyone who tells the truth that Bitcoin is untraceable.

The saddest thing of all is that you don't even recognize your mistake, let alone show any remorse. It is pathetic.

But, I still wish for someone to stand by you in your time of need, someone who will love you no matter what.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
This is my last post to you since you don't seem to care and I am tired of wasting my time.

I care deeply about Bitcoin privacy, that's why I spend so much time to educate people about it.

You are 100% correct ordinals has absolutely nothing to do with coinjoins.
Ordinals are filling blocks with transactions that are obviously not coinjoins. And the rest is Crateology.
https://en.wikipedia.org/wiki/Crateology

As I said take out ordinals, take out known TXs, take out what else they know from other services and you have a very small pool of txs moving at the moment.
Keeping an eye on all of them and figuring out what is going on where is a lot less difficult then if all the txs in blocks were 'real' transactions.

You don't seem to understand: Equal output coinjoins from JoinMarket, Whirlpool, and WabiSabi have a distinct on chain footprint that distinguish them from all other transactions regardless of whether those transactions are ordinals or not.

Could 1 person do it looking at a list? Probably not. Can a lot of people with a lot of computing power and resources following all transactions do it. Probably yes.

You can easily scan the blockchain yourself to identify any equal output transaction (including coinjoins) using this tool: https://supertestnet.github.io/coinjoin-explorer/

Here's what the footprints of each coinjoin protocol look like:

-JoinMarket - https://mempool.space/tx/c270b84767431eae0aabcd4f99f93f1d299518aebb7529650dbbf41815561d03
-WabiSabi - https://mempool.space/tx/d465033214fd2309dcce5a90c45fcaa788aa4394ee36debe07aad8d8a37907d2
-Whirlpool - https://mempool.space/tx/3cef999a3c006be772f7f63fc87b718cd01146ab593644e0eeb3d61e753f02b8

Merely knowing a coinjoin transaction has occurred does not actually make it any easier to determine what happened within the coinjoin transaction.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Ordinals has absolutely nothing to do with coinjoins.

This is my last post to you since you don't seem to care and I am tired of wasting my time.

You are 100% correct ordinals has absolutely nothing to do with coinjoins.
Ordinals are filling blocks with transactions that are obviously not coinjoins. And the rest is Crateology.
https://en.wikipedia.org/wiki/Crateology

As I said take out ordinals, take out known TXs, take out what else they know from other services and you have a very small pool of txs moving at the moment.
Keeping an eye on all of them and figuring out what is going on where is a lot less difficult then if all the txs in blocks were 'real' transactions.

Could 1 person do it looking at a list? Probably not. Can a lot of people with a lot of computing power and resources following all transactions do it. Probably yes.

You also seem to think that there are not a ton of tor nodes that are not run by and fully monitored by the government too.

-Dave




Pages:
Jump to: