Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save nothingmuch/61968fde675a596758bffd4c278ac096 to your computer and use it in GitHub Desktop.
Save nothingmuch/61968fde675a596758bffd4c278ac096 to your computer and use it in GitHub Desktop.
personal notes on how to generalize chaumian coinjoin - superseded by https://github.com/zkSNACKs/WabiSabi

Building on the above protocol, we can consider different strategies for improving privacy/fungibility:

Equal Amount Mixing With One Or More Denominations

Preset denominations (can vary between rounds but should ideally be fixed, can be arbitrary pools, preferred value series like 1-2-5 ({1,2,5} * 10^i), or 2^i), and subject to minimal set size requirements to conclude.

Only these classes of outputs is considered to have an anonymity set size > 1.

Depending on fee structure and input constraints, change outputs may or may not be allowed.

Highly fungible inputs with unrelated histories confer fungibility to all similar outputs, but with diminishing returns the more they are related to already registered inputs. The coordinator may offer fee discounts or even negative fees to incentivize such higher quality tumbling.

Advantages: simple to analyze

Disadvantages: low efficiency, for small number of denominations anonymity set is split between them, but too many denominations constrains throughput and specific anon set size.

Knapsack Variant

Outputs are considered anonymous if they satisfy the amount relationships with other outputs.

Since knapsack outputs require splitting to be applied iteratively and in the original paper are specified as a peer to peer protocol, this should be adapted for the centralized coordinator setting.

This could be done by requiring token conversion during the output registration phase: clients submit requests for knapsack output class tokens using their input credit tokens, which may be splittable or non splittable.

The coordinator then aggregates these values to derive a final set of denominations using the knapsack splitting rule, or some other ruleset (e.g. cashfusion), and responds with final denominations, allowing clients to submit a new set of blinded tokens for signing.

These tokens must then be used separately, one for each unlinkable output, whereas potentially linkable outputs such as change with arbitrary amounts are simply are created with the remaining input credit tokens.

The reason for the intermediate token redeemable for an output of a certain size class is to ensure the coordinator can't link a client's split outputs. (aside: if using privacy pass style tokens, it may also be desirable to provide a batched DLEQ for each token type to ensure and publish redeemed tokens, to mitigate concerns about tagging users).

Non splittable outputs should pay a fee to compensate for the mining fees incurred by splittable inputs offset to account for potential mining fee increases, and to provide an incentive for users to opt in to splitting.

Advantages: Allows for flexible amounts with efficiency much closer to non-fungible output amounts

Disadvantages: Robustness of privacy/fungibility is more difficult to demonstrate, but may be adequate. A lower bound on the set of interpretations should be enforced, and find computational notions of hardness unsatisfying.

Since inputs and outputs are public information, signatures are unlinkable and network level identities are ephemeral, there should be no problem to publish a full transcript of all operations by the server.

This would let clients independently verify that a transaction was constructed according to the rules, and provides transparency with regards to claims of censorship.

Operations such as registration and reissuance are authoritatively linearized by the coordinator, who can publish a history tree of the full transcript, allowing clients to compute merkle inclusion proofs for their operations.

As described in cashfusion #22, before signing the transaction, clients could sign the merkle root of this history tree, and clients proceed with signing the transaction only once all have authorized the transcript resulting in the final transaction.

Since the coordinator effectively only verifying and linearizing operations, in principle it could eventually be substituted with byzantine fault tolerant consensus mechanism with a fixed set of participants per round, with (some subset of) participants blind signing tokens with their own credentials, and redemption messages including multiple unblinded tokens, similarly to scritcash.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment