Nostr

Thanks for the clarification🫡 But this is still confusing. Wasn’t the original idea of the whirlpool to make the participating transactions indistinguishable?

Sure, somebody has to pay the fee, but I believe that it would be much more private if the service just pays the fee and spreads it over the participants (just like already does with the whirlpool commission…).

I thought the idea of the whole thing was to make all inputs and all outputs identical so that nobody (except you who knows the exact address) can figure out what went where. 🤷🏻‍♂️

Reply to this note

Please Login to reply.

Discussion

Arkad 2y ago

In a transaction you pay fees so it is impossible for both inputs and outputs to be equal. The important thing is that the 5 outputs are equal.

Whirpool has a system of premixers and postmixers similar to Joinmarket's system of takers and makers. But it forces you to be both. First you are premixer in the first transaction and then you will be postmixer in the following transactions being able to mix unlimitedly without paying extra.

Kruw 2y ago

The problem is that this allows Sybil attackers to mix "unlimitedly" without paying extra. Wasabi solves this problem by making attackers pay for their own mining fees.

Arkad 2y ago

First, you have to pay a tx0 to enter to whirlpool. You are gonna mix with a lot of users getting no clue because high anon set. You can check here:

https://bitcoinmagazine.com/technical/how-bitcoin-anonymity-sets-work

In wasabi you can have 20 open wallets mixing with less than 1 million sats in each one without pay coordinator fees. A Sybil attack can be possible in Wasabi.

Kruw 2y ago

You blend in with far fewer potential input and output addresses from a Whirlpool coinjoin than even a minimum sized Wasabi coinjoin. Take this transaction for example: https://mempool.space/tx/0d832b9db303d4f5934c52a061af9c3c378f0243f8cbb8783d14a1d52e8cbdbb

-138/145 unique input addresses were from outputs getting remixed from 68 previous coinjoin rounds. An observer of an output in this coinjoin would have a choice of 13,615 inputs within two hops.

-150/166 outputs became inputs for 60 future coinjoin rounds. An observer of an input in this coinjoin would have a choice of 14,528 outputs within two hops.

By comparison, observers of a Whirlpool output would have a choice between 17 inputs within two hops. Observers of a Whirlpool input would have a choice between 25 outputs within 2 hops (in the best case scenario).

Kruw 2y ago

You can make a coinjoin much more private than that. Wasabi improves the "all inputs and outputs are identical" structure of Whirlpool to allow private input consolidation within coinjoins, arbitrary amount payments, and elimination of non private change: https://mempool.space/tx/87d32a8756a5e3a3a366614994db1d6751205f81ad962e5382314f0fa613865f

Arkad 2y ago

Tradeoffs to the elimination of non-private change

https://github.com/zkSNACKs/WalletWasabi/issues/10462

I saw this problem since the first version of wasabi 2.0.

A coinjoin must be deterministic.

Kruw 2y ago

If it's fully deterministic using "greedy" amount decomposition every time, then an attacker could use that determinism as well to anticipate which values you claim as outputs (but not their specific addresses), which is why there's added client randomness. There's definitely still room for optimization though.