
RSA blind signing superfluous and perpetuates toxic change problem #13

Description

@nothingmuch

a publicly verifiable scheme is not required for a coordinator, OPRF based blind DH e-cash tokens would suffice for the unit token.

however, using a set denomination and a unit token inherently forces linkage of post-spend change in subsequent coinjoins, and links those to the change-from-coinjoin. the only safe approach here is to strand all change from post-coinjoin payments or even burn them as fees, obviously not an acceptable solution. the alternative, letting users use those coins and link them after the fact, has serious implications for clustering. in particular the way it composes with Goldfeder et al.'s cluster intersection results (https://arxiv.org/pdf/1708.04748, see also introductory post by me) and wallet fingerprinting based clustering (https://arxiv.org/pdf/2107.05749, https://www.usenix.org/system/files/sec22-kappos.pdf).

additionally, supporting just 1 input per registration request forces this information on-chain (like scamourai's tx0 does, unlike wasabi 1.x).

the use of homomorphic value credentials would alleviate this at the cost of additional complexity and rounds of communication.
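The blind-DH (OPRF) unit token the issue proposes, as an added example that is not the project's code: a coordinator holding a single secret k issues tokens on blinded inputs and later verifies them with the same k, so no public verification key is involved. The group is a toy safe-prime group generated at startup (a real deployment would use a standard 2048-bit group or an elliptic curve), and the token ids, class and function names are constructed for this demo.

```python
import hashlib, random, secrets

def is_probable_prime(n, rounds=32):  # Miller-Rabin; only called on large odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits, rng):
    """Toy group, constructed for this demo: safe prime p = 2q + 1, so the quadratic
    residues mod p form a subgroup of prime order q. Use 2048-bit or EC in practice."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q
P, Q = gen_safe_prime(128, random.Random(2024))  # deterministic toy parameters

def hash_to_group(token_id):
    h = int.from_bytes(hashlib.sha256(token_id).digest(), "big") % (P - 2) + 2
    return pow(h, 2, P)  # residue of unknown discrete log: H(t)^k needs k

class Coordinator:
    """Blind-DH (OPRF) issuer: one secret k issues and verifies; no public key exists."""
    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1
        self.spent = set()
    def issue(self, blinded):
        return pow(blinded, self.k, P)  # sees H(t)^r, learns nothing about t
    def redeem(self, token_id, token):
        if token_id in self.spent or token != pow(hash_to_group(token_id), self.k, P):
            return False
        self.spent.add(token_id)  # one fixed-unit token, one redemption
        return True

def client_blind(token_id):
    r = secrets.randbelow(Q - 1) + 1  # fresh blinding factor per token
    return r, pow(hash_to_group(token_id), r, P)

def client_unblind(r, evaluated):
    return pow(evaluated, pow(r, -1, Q), P)  # (H(t)^r)^k -> H(t)^k
```

The flow is client_blind, Coordinator.issue, client_unblind, then Coordinator.redeem; the coordinator only ever sees H(t)^r at issuance and H(t)^k at redemption, and a second redeem of the same token id returns False.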
