Open defuse opened 1 year ago
Options that come to mind are:
Excellent concerns.
I believe when I wrote the current draft, I had a very hand-wavy notion that there is something like Tor hidden services for WRPs and a given WRP could create a different such "strongly private network address" for every wallet address. Huge hand-wavy assumption.
Let me step back and try to define the privacy properties by modifying your suggestion above to include "the attacker can not observe the WRP" on both properties:
- Given an address, can an attacker find out who the address does or does not belong to?
- Given two addresses, can an attacker find out if the addresses belong to the same wallet?
Does any such thing exist (even in theory)?
Let's see, even if such a silver bullet existed, we'd also have to make sure a malicious WDAP could not violate those properties, so they'd need to be unable to identify which WRPs or wallets were accessing the WDAP.
Moved this to the correct repo…
An MSPA requirement for NPPs is to:
There are privacy properties beyond protecting the recipient's network location that users may care about, such as:
An address must encode enough information for the sender+NPPs to deliver a message to the recipient's WRP.
If a sender alone can determine which WRP their message goes to, and wallets typically use different WRPs, then privacy properties (1) and (2) can be broken: for (1), by watching a wallet's network connection to see which WRP it connects to and checking whether that is the same WRP the address uses; for (2), by checking whether both addresses use the same WRP.
Mixed Tag Detection (MTD) solves that problem by putting the WRP (detection server)'s anonymized public key in the address and having the WRP trial-decrypt a ciphertext for every transaction that gets sent, even the ones destined for other WRPs. This requires WRPs to process data proportional to the total number of finalized transactions. That presents a scalability problem in that it upper-bounds the network's total transaction rate to what the weakest WRP can handle, e.g. it becomes a problem if we try to support a much higher tx rate with a small blockchain using rollups.
A mixnet like Loopix doesn't solve this problem: a message sender must know which provider (detection server / WRP) the recipient uses in order to route their message to get there through the mixnet. So although Loopix provides good sender anonymity and third-party sender-receiver unlinkability, it's not so good at protecting a recipient's anonymity when their address is known.
In Loopix, a recipient can receive a message anonymously using a "single-use anonymous reply block", which lets a sender route their message to their provider without revealing to the sender who their provider is (the routing information is pre-encrypted in the reply block). This requires an interactive protocol, since the recipient has to give the sender a new reply block for each message it wants to receive.
This ticket is about how these privacy properties might be provided in MSPA. Ideally, this would be done in a way that does not involve WRPs processing data proportional to the network's total tx rate.
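To make the scalability point concrete, here is an added toy model of the trial-decryption pattern described above (example code written for this thread, not the MTD construction itself or any project code): each address carries a per-address detection public key belonging to the recipient's WRP, senders attach a tag keyed by a Diffie-Hellman shared secret, and the WRP must trial-decrypt every transaction's tag against every key it holds. The group (a Mersenne prime with generator 3) and the tag format are assumptions chosen for illustration, not a secure parameter set.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy DH group, constructed for illustration only (assumption; not a secure choice).
P = 2**127 - 1
G = 3


def kdf(shared: int) -> bytes:
    """Derive a tag key from the DH shared secret."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def make_tag(y_recipient: int, tx_id: str) -> dict:
    """Sender side: ephemeral r, R = g^r, tag = HMAC(H(Y^r), tx_id)."""
    r = secrets.randbelow(P - 2) + 1
    R = pow(G, r, P)
    k = kdf(pow(y_recipient, r, P))
    return {"id": tx_id, "R": R, "tag": hmac.new(k, tx_id.encode(), hashlib.sha256).digest()}


@dataclass
class DetectionServer:
    """Toy WRP: holds one secret detection scalar per address it serves."""
    keys: dict = field(default_factory=dict)  # public Y -> secret x
    trial_decryptions: int = 0

    def new_address_key(self) -> int:
        # Fresh key per address, so two addresses at the same WRP share no public value.
        x = secrets.randbelow(P - 2) + 1
        y = pow(G, x, P)
        self.keys[y] = x
        return y

    def scan(self, txs: list) -> list:
        """Trial-decrypt every transaction's tag, including those meant for other WRPs."""
        found = []
        for tx in txs:
            for y, x in self.keys.items():
                self.trial_decryptions += 1  # work grows with total tx count, not with our traffic
                expected = hmac.new(kdf(pow(tx["R"], x, P)), tx["id"].encode(), hashlib.sha256).digest()
                if hmac.compare_digest(expected, tx["tag"]):
                    found.append((tx["id"], y))
        return found


def simulate(n_other: int = 20) -> dict:
    """Constructed scenario: WRP A serves two addresses; most traffic is for WRP B."""
    wrp_a, wrp_b = DetectionServer(), DetectionServer()
    a1, a2 = wrp_a.new_address_key(), wrp_a.new_address_key()
    txs = [make_tag(a1, "tx-a1"), make_tag(a2, "tx-a2")]
    txs += [make_tag(wrp_b.new_address_key(), f"tx-other-{i}") for i in range(n_other)]
    matched = sorted(tx_id for tx_id, _ in wrp_a.scan(txs))
    return {"matched_a": matched, "trials_a": wrp_a.trial_decryptions, "total_txs": len(txs)}
```

Running `simulate()` shows WRP A performing one trial decryption per held key for every transaction on the network, even though only two of them are addressed to it.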