Published on: 2020-02-22T18:01:14+00:00
In a recent email conversation between Ádám Ficsór and ZmnSCPxj, the topic of non-equal value CoinJoins and their privacy implications was discussed. The conversation focused on a paragraph from the CashFusion specification that claimed there is essentially no linkage with 10^92 possibilities. However, ZmnSCPxj argued that most users would not have the same output value of "around 1 BTC" in a real live mainnet scenario. He suggested that if the math requires equal-valued outputs per user, it would be more practical to use equal-valued CoinJoins. ZmnSCPxj also pointed out that change outputs in equal-valued CoinJoins have similar linkability to CashFusion outputs. The CashFusion research proposes a combinatorial approach to avoid amount linkages in non-equal value CoinJoins, but ZmnSCPxj argues that it is not as effective as equal-outputs transactions. The Knapsack paper in 2017 also had a similar idea, splitting original outputs into partitions that match selected groups of outputs. However, the simulation showed exponential growth in the number of valid transactions, making it impossible to determine the real ones. Additionally, there are concerns about the effectiveness and security of this mechanism. In contrast, Knapsack provides a general solution with good mathematical backing and has been backtested against historical data from Bitcoin's blockchain. Overall, Knapsack is currently considered the best solution for unequal inputs/outputs CoinJoins.The limitations of CoinJoin and ZeroLink protocols in terms of preventing linkage between pre- and post-mix coins were discussed in the email thread. The author proposed a new protocol that introduces chaumian reissuable/redenominatable tokens as an intermediary stage between input/output phases. This allows for unequal amounts while retaining the advantages of fixed denominations. The protocol includes several subtypes of mixing rounds and suggests subsidizing mining fees and batching to preserve exact denomination sizes. The author also mentions the possibility of keeping low hamming weight outputs virtual to make the approach size-efficient, but further exploration is needed.Another email conversation between Yuval and ZmnSCPxj focused on privacy issues related to CoinJoin transactions. They discussed broader criticisms of CoinJoin-based privacy and the assertion of 0 linkability. ZmnSCPxj expressed concern about perspectives that analyze linkability information in isolation, as the post/pre mix transaction graph presents a more complex problem. They mentioned ZeroLink protocol as a solution, but noted that it is not purely implemented in Wasabi and still has some privacy concerns. Equal-valued CoinJoins were suggested as a solution with a Chaumian bank constraining value transfers. CashFusion was also discussed, but there are doubts about its privacy guarantees and the involvement of a server.In an email exchange, Yuval Kogman made a mistake in his calculation regarding the number of inputs and indistinguishable outputs. He later corrected himself, stating that n is actually the smaller of the two numbers. While this correction did not affect his arguments, it was important to clarify the mistake.In a bitcoin-dev email thread, nopara73 responded to a document about CoinJoin-based privacy called "The Breaking of Mixing Secrets". They questioned the premises and implications of the document, highlighting the potential efficiency of computational strategies in deanonymization. Nopara73 also expressed concerns about analyzing linkability information in isolation and mentioned Cash Fusion's extension of obfuscation by allowing multiple inputs and outputs. They cautiously mentioned the potential of small popcounts/Hamming weights and the use of OP_CHECKTEMPLATEVERIFY and Taproot to mitigate overhead. Doubts were raised about the proof and its applicability due to trust in servers and a dubious hardness assumption.CashFusion is a privacy-enhancing technique developed by the Bitcoin Cash community. It claims that non-equal value CoinJoins can be relied on for privacy. The research highlights the large number of ways to partition inputs into sets, making it hard to track transactions. The Cash Fusion scheme allows players to bring many inputs and outputs, further extending obfuscation. However, equal-valued CoinJoins offer unlinked equal-valued outputs, making them a viable alternative if the math requires such outputs. CashFusion involves a single UTXO value, while equal-valued CoinJoin has zero linkability between inputs and outputs.In summary, CashFusion is a privacy-focused approach for Bitcoin Cash transactions that offers obfuscation through combinatorial techniques. However, there are potential attacks and limitations that need to be addressed. Knapsack is considered the best solution for unequal inputs/outputs CoinJoins, while equal-valued CoinJoins provide unlinked equal-valued outputs. Privacy concerns related to CoinJoin transactions still need to be addressed, and there are doubts about the proof and its applicability.
Updated on: 2023-08-02T01:43:31.866332+00:00