JoinMarket-Org / joinmarket

CoinJoin implementation with incentive structure to convince people to take part
398 stars, 119 forks

Use ring signatures to increase anonymity #600

Open ChristopherKing42 opened 8 years ago

ChristopherKing42 commented 8 years ago

I suggest that ring signatures could be used for increased anonymity. That way participants aren't able to know who owns which address, even within the same coinjoin group. In particular, one-time ring signatures would probably be the most useful.

chris-belcher commented 8 years ago

Please could you explain a bit more about this.

I thought bitcoin transactions needed to be signed with normal ECDSA signatures not ring signatures. But I haven't looked in detail how they work so I might be missing something.

ChristopherKing42 commented 8 years ago

Sorry, I should've explained.

You are correct that bitcoin transactions can't be signed by ring signatures, but I'm not saying to use them that way.

During a coin-join transaction, the participants have to tell someone their new address, either the server or each other if you are doing it in a decentralized manner. What I'm saying is that when a participant announces their new bitcoin address, they should sign the message using a ring signature. This allows the server and the other participants to know that it is the address of a participant, but not which participant it is. In this way, only the participant knows their new address.

AdamISZ commented 8 years ago

There are at least two known ways to achieve the goal of preventing other participants knowing which of N addresses belongs to participant P:

1/ use blind signing + network level de-linking: P (and others) proposes a set of inputs to one party C (server, Taker, whatever) and a blinded output address, C signs the blinded output address, gives that back to P, P then unblinds the signature of the output address, reconnects anonymously and sends (address, inputs, sig) to C and C can verify that each output address was part of the blinded set (by verifying the sig), but doesn't know whose was whose. Note that the recent Tumblebit design has this same core mechanism to achieve a similar unlinkability result in a much more sophisticated context.

2/ Coinshuffle uses a process analogous to onion routing: output addresses are passed around under multiple levels of encryption such that when the final decryption occurs and the full output list is shown, no party sees the origin of each output address (apart from their own of course).

I can't quite see how ring signatures can achieve this goal? With a ring signature you can hide which of some set of participants authorises a particular piece of data, but someone still has to propose that data.
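As an added example (not code from this issue, nor JoinMarket's own code), here is the blind-signing flow of option 1/ above, written as textbook RSA blinding in the style of Chaum. The `Coordinator` and `Participant` classes, the participant names and the address strings are constructed for illustration, and the RSA modulus is built from two fixed small primes purely so the block runs offline with the standard library; that key size is insecure and a real coordinator would use a properly generated key. The block covers the identified phase (P sends a blinded output, C signs it once per identity) and the anonymous phase (P reconnects and submits the unblinded `(address, sig)` pair, which C can verify but not link back).

```python
"""Chaum-style RSA blind signatures for CoinJoin output addresses.

Added example: not JoinMarket code. Toy RSA modulus from two fixed
Mersenne primes (2^31-1, 2^61-1); NOT secure, illustration only.
"""
import hashlib
import math
import random
from typing import Dict, List, Tuple

P_TOY = (1 << 31) - 1   # constructed toy prime
Q_TOY = (1 << 61) - 1   # constructed toy prime
E_PUB = 65537           # gcd(E_PUB, (P-1)(Q-1)) == 1 for these primes


def hash_to_int(message: str, n: int) -> int:
    """Map an address string into Z_n via SHA-256 (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n


class Coordinator:
    """C in the thread: signs blinded outputs, later verifies unblinded ones."""

    def __init__(self) -> None:
        self.n = P_TOY * Q_TOY
        self.e = E_PUB
        self.d = pow(self.e, -1, (P_TOY - 1) * (Q_TOY - 1))
        self.signed_for = set()  # identities that already got a signature

    def sign_blinded(self, identity: str, blinded: int) -> int:
        # Exactly one signature per identified participant: C never sees the
        # address, so this counter is what bounds each P to one output slot.
        if identity in self.signed_for:
            raise ValueError(f"{identity} already received a signature")
        self.signed_for.add(identity)
        return pow(blinded, self.d, self.n)

    def verify(self, address: str, sig: int) -> bool:
        """True iff sig is a valid signature on H(address); says nothing about who sent it."""
        return pow(sig, self.e, self.n) == hash_to_int(address, self.n)


class Participant:
    """P in the thread: blinds its output address, unblinds C's signature."""

    def __init__(self, identity: str, address: str, n: int, e: int) -> None:
        self.identity, self.address, self.n, self.e = identity, address, n, e
        # Blinding factor r must be invertible mod n; r^e mod n is uniform in
        # Z_n^*, which is why C learns nothing about H(address) from the blind.
        while True:
            self.r = random.randrange(2, n)
            if math.gcd(self.r, n) == 1:
                break
        self.sig = None

    def blinded_output(self) -> int:
        m = hash_to_int(self.address, self.n)
        return (m * pow(self.r, self.e, self.n)) % self.n

    def unblind(self, blind_sig: int) -> None:
        # (m * r^e)^d * r^-1 = m^d * r * r^-1 = m^d  (mod n)
        self.sig = (blind_sig * pow(self.r, -1, self.n)) % self.n


def run_round(addresses: Dict[str, str]) -> List[Tuple[str, int]]:
    """Identified phase, then anonymous resubmission; returns accepted (address, sig)."""
    coord = Coordinator()
    parts = [Participant(i, a, coord.n, coord.e) for i, a in addresses.items()]
    # Phase 1 (identified): each P sends inputs plus a blinded output; C signs.
    for p in parts:
        p.unblind(coord.sign_blinded(p.identity, p.blinded_output()))
    # Phase 2 (anonymous reconnect, e.g. a fresh Tor circuit): submissions
    # arrive with no identity attached and in no meaningful order.
    submissions = [(p.address, p.sig) for p in parts]
    random.shuffle(submissions)
    accepted = [(a, s) for a, s in submissions if coord.verify(a, s)]
    # Sanity bound: C must not accept more outputs than signatures it issued.
    assert len(accepted) <= len(coord.signed_for)
    return accepted


if __name__ == "__main__":
    # Constructed sample input: three participants with placeholder addresses.
    demo = {"alice": "bc1q-alice-demo", "bob": "bc1q-bob-demo", "carol": "bc1q-carol-demo"}
    for addr, sig in run_round(demo):
        print(f"accepted {addr} (sig {sig})")
```

What the coordinator can and cannot do here: it can check that every submitted address carries a signature it issued and that no identity obtained more than one, but the blinded value it signed and the `(address, sig)` pair it later sees are statistically independent, so the only way to relink them is outside the protocol, which is why option 1/ pairs the cryptographic step with a network-level reconnect. The same one-signature-per-identity counter is also what stops a participant from using the blinding to harvest extra output slots.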