Good morning Yuval,
> Additionally (though is a broader criticism of CoinJoin based privacy and not > specific to unequal amounts, and in particular refers to ZmnSCPxj's assertion > of 0 linkability) I am very worried that perspectives that focus on > linkability information revealed by a single coinjoin transaction in > isolation. This problem was alluded in the document, to but I don't see that > it was addressed. Naively the post/pre mix transaction graph would seem to > present a computationally much harder problem when looking at the > combinatorics through the same lens, but reality it can also be used to place > many constraints on valid partitions/sub-transaction assignments for a single > transaction with equal amounts. The trivial example is post mix linking of > outputs, but there are many other ways to draw inferences or eliminate > possible interpretations of a single transaction based on its wider context, > which in turn may be used to attack other transactions. Indeed, this is a problem still of equal-valued CoinJoin. In theory the ZeroLink protocol fixes this by strongly constraining user behavior, but ZeroLink is not "purely" implemented in e.g. Wasabi: Wasabi still allows spending pre- and post-mix coins in the same tx (ZeroLink disallows this) and any mix change should be considered as still linked to the inputs (though could be unlinked from the equal-valued output), i.e. returned to pre-mix wallet. > Finally, the proof as well as its applicability seems suspect to me, since > seems to involve trusting the server: > "Since the distinct list [...] [is] kept on the server and not shared with > the players" > "The server knows the linkages of the commitments but does not participate as > a verifier " > "If there is a problem [...] each component is assigned to another player at > random for verification" > these 3 statements together seems to suggest the server is trusted to not use > sybils in order the compromise privacy by participating in the verification > process? Equal-valued CoinJoins fix this by using a Chaumian bank, which constrains value transfers to specific fixed amounts. Since an equal-valued CoinJoin uses a single fixed amount anyway, it is not an additional restriction. CashFusion cannot use the same technique without dropping into something very much like an equal-valued CoinJoin. Regards, ZmnSCPxj _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev