Nostr Web Client

In the early days of ecash a common narrative was that it provides "theoretically perfect anonymity", but there's more nuance to this.

It's correct that when the client presents an unblinded signed message, the mint cannot link this to any specific blinded cyphertext that it signed previously.

However, there is still three pieces of critical metadata that the client does reveal:

1. The number of inputs and outputs of the ecash transaction. Transactions with many inputs reveal that the same user got paid many times in the past. Transactions with many outputs reveal that one user is making many payments.

2. The value of each input and output. The mint uses a different key for each denomination value of the tokens. Thus a token worth 5 units is easily differentiated from a token worth 10 units. The anonymity set of a token depends on the number of tokens generated, so if a user is the only one with that specific denomination he has no privacy.

3. The IP address that connects to the mint to send the transaction api request. If the same IP address makes multiple payments, it's likely the same user, and his geolocation is also revealed.

Problems 1 and 2 can be mitigated on client side, but this adds substantial complexity in utxo management and transaction structure. If these mitigation are not specified and different clients have slightly different solutions, this opens up additional client fingerprinting attacks.

WabiSabi is designed to solve problems 1 and 2 on a protocol level. A WabiSabi transaction is required to have exactly two inputs and two outputs, and homomorphic value commitments hide the amounts of each input and output. The tradeoff is that the mint has to issue 0 value credentials, a user needs to make more transactions to prepare his desired amounts, and the proof size and creation time is larger.

Problem 3 is addressed by a client side networking anonymity layer. A VPN at least hides the actual users IP address, but if only one client uses this VPN to talk to this mint, it's still one IP per user. Tor is incredibly useful here, as it allows the creation of anonymous onion routes through the network with different exit IP addresses. A client can get a new IP for each api request! This does however increase bandwidth and latency cost.

We should assume "everyone knows what the mint knows", and so we need to be hardcore about privacy protections best baked into the protocol. If the protocol doesn't ensure the security of the user, client devs have to do an exponentially larger amount of research and development to fix the issues client side.

Reply to this note

Please Login to reply.

Discussion

Christian 1y ago

Thanks, interesting read! For those that are like me, not familiar with the term "homomorphic", AI says it's fancy 😅

"This is a fancy term for a way to keep the amounts of money being sent secret."

"homomorphic encryption allows for secure computations on encrypted data, preserving privacy while still enabling useful operations"

Max 1y ago

It is fancy indeed...

Naive example of homomorphic encryption:

Alice has a number 5, she multiplies it by a large number, and sends that to Bob.

Bob adds the number 3 to the large number, and sends back to Alice.

Alice now divides by her original large number, and receives 8. Bob just computed something for Alice, but Bob doesn't know the result of the computation.

Christian 1y ago

I'm steering down into the abyss of the cryptography rabbit hole.

Max 1y ago

Somewhat similar is when I orange pill someone, I'm a bit sorry for having derailed that person's life, most likely everything will change for him...

Anyhow, enjoy the adventure!

MindMining 1y ago

The battle between inconvenient truth and convenient lies...

One of those is going to help the other person in the future.

Just remember that when you mess up (/error correct) another person's worldview again 😂😉👊

kickerRocks 1y ago

💯

DRE 1y ago

Cash is king for privacy. Only thing it’s good at, but credit where it’s due

Arjen 1y ago

Thanks for sharing!

nostr:nprofile1qqszv6q4uryjzr06xfxxew34wwc5hmjfmfpqn229d72gfegsdn2q3fgpz9mhxue69uhkummnw3ezuamfdejj7qgjwaehxw309ahx7um5wf6k2tnrdakj7qg6waehxw309ac8junpd45kgtnxd9shg6npvchxxmmd9usc5pxf Let's make sure we account for this (mainly IP leaks)

Max 1y ago

What are you tinkering on? 👀

Arjen 1y ago

We're building Epoxy. Basically a way to proxy to a relay through one or more other relays. The cool thing here is those proxies can support tor/i2p/hyper as well. Meaning you can technically connect to a TOR relay from clearnet, like on iphone.

Using these proxies helps hide the requester's IP from the destination server and vice versa along with blurring the line between clearweb/tor/i2p. It will all seem like one network to the end user.

We want to address relays by pubkey (NIP-66), encrypt the Nostr requests going to the final relay to that relay's pubkey, that way the intermediate proxy relays can't read the contents.

Arjen 1y ago

Our WIP:

NERP (Nostr Epoxy Reverse Proxy), which you can put in front of any relay to support proxying: https://github.com/ArjenStens/nostr-epoxy-reverse-proxy

Client: https://github.com/hzrd149/nostr-epoxy-client

li'l miss strange 1y ago

🫂

waxwing 1y ago

Interesting point about zcash that most people missed is that it retained problem 1. (Also 3. but everyone knew that!)

Jimmy Bond 1y ago

Where can I read an introduction to how cashu ecash works?

Max 1y ago

Cashu.space

Or look for "Calle ecash" on youtube.

Soul Reaver 1y ago

Am I the only one not understanding why we're not just simply using vanilla lightning instead of ecashing it and iterating on problems created by ecash?

" A WabiSabi transaction is required to have exactly two inputs and two outputs, and homomorphic value commitments hide the amounts of each input and output." I like that it's going towards a Moneroesque design though.

Max 1y ago

An ecash transaction is two pings.

A lightning transaction is a gazillion state updates in many machines.