Replying to Avatar XMR Future

This is Whirlpool 101 and the nature of perfectly uniform postmix coinjoins. It isn't "revealing" or "leaking" doxxic change. Doxxic change is split up before the mix, not after, so there is nothing revealed . Zero deterministic links to anything postmix.

Doxxic change is unavoidable if you want perfect coinjoins. The initial inputs before mixing are naturally not going to be equal to those of other mix participants. You can just mix the doxxic change again when you build up enough.

https://sovrnbitcoiner.com/perfect-coinjoins-are-the-points-of-reference-to-any-collaborative-tx/

Avatar
Kruw 2y ago

When you say "Doxxic change is split up before the mix so there is nothing revealed", that's obviously wrong because I clearly just revealed the doxxic change of the equal sized inputs being entered into the coinjoin.

A "perfect coinjoin" would not produce Doxxic change at all. As you can see, WabiSabi coinjoins do not create toxic change, nothing is "split up before the mix" so ALL of your coins are made private instead: https://mempool.space/tx/01a1a055719129397fb8344b5a09e6cfe72868c8e1d750e621d8b580c96bf77b

Reply to this note

Please Login to reply.

Discussion

Avatar
XMR Future 2y ago

You revealed nothing new that wasn't already known pre-mix.

I think you are getting too hung up on doxxic change. It isn't the important part. No one is spending that or claiming it is not deterministically linked. We spend what is being mixed, after it is mixed.

Assume you already know the location of 0.75 bitcoin before a mix. I split 0.25 bitcoin off to the side to park as doxxic change, and the other 0.50 bitcoin goes into the 0.50 pool to mix.

What new information did you gain that wasn't already known? Now point to the postmix 0.50 that is mine that I'm actually going to use (again, im not spending the doxxic change). You can't.

By perfect coinjoin I mean equal amounts on either side + maximum # of interpretations or N*(multiple of N) mix. Why does this matter? Because every given output is exactly as likely to be from a given input as any other. Max uniformity/fungibility = better for privacy:

https://kycp.org/#/323df21f0b0756f98336437aa3d2fb87e02b59f1946b714a7b09df04d429dec2

Avatar
Kruw 2y ago

You do reveal new information: tx0 shows multiple payments were sent to the same user since they are consolidated before entering the coinjoin. Each of the entities that sent these payments become aware of each other as well as aware of new addresses that you own that none of them interacted with at all, which is both the doxxic change address as well as the addresses of the first equal sized output you create to enter the first round.

WabiSabi coinjoins hide all this information since every transaction is a coinjoin instead of revealing these links through the self spending tx0. Multiple payments can't be deterministically linked to the same user with WabiSabi since your inputs are consolidated within a coinjoin instead of consolidated in a self spend. No doxxic change is created either in WabiSabi coinjoins unless a whale submits a non private input worth more than the rest of the round's participants combined.

Avatar
XMR Future 2y ago

Just saw this in my notifications.

A few thoughts...

-Do you mean entities that sent me bitcoin in the past, whirlpool participants, or both?

-I'm not worried about the tx0 being briefly known before it is mixed (not connected to my identity), buying KYC free makes it irrelevant if I'm only going to spend on the other side of a mix.

-To my knowledge, another big thing lacking from Wasabi that would make it a more robust protocol is postmix spending tools and paynyms

I want to caveat that I would never use Wasabi even if they had a superior method (imo they don't if you are remixing. As a single mix, I can maybe see your argument in isolation possibly). If they are going to censor inputs and work with chain analysis companies that already disqualifies them as a privacy tool. If they hadn't taken that stance, I might be more open to their new implementation.

To attempt fighting my bias, I'll leave you with this short article by Shinobi. He makes a measured criticism of both of us:

https://bitcoinmagazine.com/technical/wasabi-vs-samourai-for-bitcoin-mixing

Avatar
Louferlou 2y ago

You can also adopt good practices and mix in whirlpool utxo by utxo to avoid consolidating. He is just saying that tx0 in fact could force one more consolidation transaction if you are not careful. But it’s exactly the same for Wasabi users who certainly consolidate their utxo in order to fund their premix Wasabi wallet, and then start the mixing round.

Avatar
Kruw 2y ago

Submitting your transactions one by one instead of consolidating is disincentivized by the Whirlpool coordinator's fee structures. Since the fee is fixed at 5% of the size of the pool, merging your inputs before coinjoining is massively discounted compared to paying that 5% fee on every individual input.

Wasabi does not have "premix" transactions. Your coins are consolidated within a coinjoin with 150-400 other inputs, so no two payments are ever linked to each other. Anyone who sent you Bitcoin only knows a single address belongs to you: The one they paid.

Avatar
Louferlou 2y ago

You have to fund your Wasabi Wallet with a funding transaction before starting to mix right ? This is what all users are doing, they fund their wallet (Samourai or Wasabi) considering the amount they want to make private. They don't do it on a UTXO by UTXO basis they just fund it.

So the deterministic links are created by this funding tx in both cases and the tx0 don't add new links. It just creates the toxic change which have to be dealt with, which is not easy I confess. But the txO in itself is not a problem

Avatar
Kruw 2y ago

There is no "funding transaction" required in Wasabi Wallet. If you import your existing (segwit or taproot) keys, any your coins in your addresses would go directly into giant coinjoins without any intermediate transactions merging them & revealing common address ownership.

Avatar
Kruw 2y ago

-I mean that anyone with a copy of the blockchain can see those payments were made to the same user since they were merged by that user in a self spend transaction.

-Fair

-WabiSabi has even better privacy than "postmix spending" - You can send payments directly in a coinjoin. The recipient only sees their coins came from some combination of 150-400 inputs and no other information, such as the sender's change.

At the pinnacle of two way transactional privacy, WabiSabi enables discreet payments using key verified anonymous credentials . This means that a recipient can accept coins without even the sender knowing what their Bitcoin address is: https://twitter.com/MrKukks/status/1619294492854747138

Wasabi has even better remixing incentives than Whirlpool does: In addition to remixes being free of coordinator fees, change mixing is ALSO free as well. Whirlpool has backwards remixing incentives because sybil attackers have zero time preference when it comes to waiting in line to remix, placing legitimate users who want to gain privacy at an economic disadvantage to attackers.

I don't see any technical issues with Shinobi's article other than it's now outdated with the release of Wasabi 2.0/WabiSabi. You can find a brand new comparative analysis here: https://bitcoinmagazine.com/technical/toxic-change-wabisabi-bitcoin-coinjoin-privacy

Avatar
XMR Future 2y ago

Too bad there is such a big feud between both camps. Hard to sift thru FUD on both sides. Would be good to hash out the pros and cons of each and find common agreement and see where each could improve. I feel it is too late though. Too many harsh words and egos.

Wasabi contracting chain analysis makes it all a non-starter though. Wish they would have never done that, then we could at least have a small chance of good faith discussion. I'm still open to the technical conversation of the protocols themselves though.