nathan-at-least / zcash-mspa-book

A technical overview and reference of a hypothetical new Zcash Modular Scalable Payments Architecture

How does MSPA prevent senders from de-anonymizing the owner of addresses? #6

Open defuse opened 1 year ago

defuse commented 1 year ago

An MSPA requirement for NPPs is to:

protect both sender and recipient network location from all parties, including each other or any other party

There are privacy properties beyond protecting the recipient's network location that users may care about, such as:

  1. Given an address, can an attacker find out who the address does or does not belong to?
  2. Given two addresses, can an attacker find out if the addresses belong to the same wallet?

An address must encode enough information for the sender+NPPs to deliver a message to the recipient's WRP.

If a sender alone can determine which WRP their message goes to, and wallets typically use different WRPs, privacy properties (1) and (2) can be broken: for (1), by watching a wallet's network connection to see which WRP it connects to and checking if that's the same WRP as the address uses; for (2), by checking if both addresses use the same WRP.

Mixed Tag Detection (MTD) solves that problem by putting the WRP (detection server)'s anonymized public key in the address and having the WRP trial-decrypt a ciphertext for every transaction that gets sent, even the ones destined for other WRPs. This requires WRPs to process data proportional to the total number of finalized transactions. That presents a scalability problem in that it upper-bounds the network's total transaction rate to what the weakest WRP can handle, e.g. it becomes a problem if we try to support a much higher tx rate with a small blockchain using rollups.

A mixnet like Loopix doesn't solve this problem: a message sender must know which provider (detection server / WRP) the recipient uses in order to route their message to get there through the mixnet. So although Loopix provides good sender anonymity and third-party sender-receiver unlinkability, it's not so good at protecting a recipient's anonymity when their address is known.

In Loopix, a recipient can receive a message anonymously using a "single-use anonymous reply block", which lets a sender route their message to their provider without revealing to the sender who their provider is (the routing information is pre-encrypted in the reply block). This requires an interactive protocol, since the recipient has to give the sender a new reply block for each message it wants to receive.

This ticket is about how these privacy properties might be provided in MSPA. Ideally, this would be done in a way that does not involve WRPs processing data proportional to the network's total tx rate.
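To make the trade-off described in the comment above concrete, here is an added toy model (written for this page; it is not code from the zcash-mspa-book project and not the actual MTD construction). It assumes a small DH-style group standing in for whatever group MSPA would use: each address carries a per-address re-randomised WRP key, the sender derives a detection tag from the address alone without learning which WRP it belongs to, only the WRP's secret key can link two of its addresses, and every WRP has to trial-check every transaction, so each WRP's work counter ends at the total transaction count rather than at its own share.

```python
import hashlib
import secrets

# Toy group parameters (assumption for illustration only, not a real choice):
# exponentiation mod a Mersenne prime with a fixed base.
P = 2**127 - 1
G = 3


def h(*parts: int) -> bytes:
    """Hash of integer group elements, used as the detection tag."""
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()


class WRP:
    """A recipient-side provider that must trial-check every transaction tag."""

    def __init__(self, name: str):
        self.name = name
        self.sk = secrets.randbelow(P - 2) + 1   # WRP secret x
        self.pk = pow(G, self.sk, P)              # WRP public key g^x
        self.work = 0                             # trial checks performed

    def make_address(self) -> tuple[int, int]:
        # Fresh r per address: (g^r, g^(x*r)). Without x, two such pairs from
        # the same WRP are not obviously related, so addresses do not leak the WRP.
        r = secrets.randbelow(P - 2) + 1
        return (pow(G, r, P), pow(self.pk, r, P))

    def is_mine(self, address: tuple[int, int]) -> bool:
        # Linking an address to this WRP needs the secret x: check g^(r*x) == g^(x*r).
        return pow(address[0], self.sk, P) == address[1]

    def trial_detect(self, tx: tuple[int, bytes]) -> bool:
        self.work += 1
        eph, tag = tx
        return h(pow(eph, self.sk, P)) == tag


def send(address: tuple[int, int]) -> tuple[int, bytes]:
    """Sender builds (g^(r*s), H(g^(x*r*s))) from the address alone."""
    a, b = address
    s = secrets.randbelow(P - 2) + 1
    return (pow(a, s, P), h(pow(b, s, P)))


def deliver(wrps: list, txs: list) -> dict:
    """Every WRP trial-checks every tx; returns per-WRP matched counts."""
    matched = {w.name: 0 for w in wrps}
    for tx in txs:
        for w in wrps:
            if w.trial_detect(tx):
                matched[w.name] += 1
    return matched
```

After `deliver`, each `WRP.work` equals `len(txs)`, which is the per-WRP cost that grows with the network's total transaction rate.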

defuse commented 1 year ago

Options that come to mind are:

  1. Enforce that WRPs serve many wallets. Then, assuming uncompromised WRPs, the owner of an address is hiding in an anonymity set whose size is the number of users of their WRP. Note that it's still possible for an attacker to find out which group of users an address belongs to if there is more than one WRP. Other kinds of leakage exist as well, such as if wallets always use one WRP, you can be sure that any two addresses that use different WRPs belong to different wallets, or if wallets choose a WRP geographically close to them, knowing the WRP reveals the user's geographic location.
  2. If NPPs are something like a mixnet, include a huge number of single-use reply blocks in the address. This makes addresses huge and could lead to re-use of reply blocks. Maybe some kind of fancy cryptography could help here.
  3. A multi-tiered system with different privacy properties for each tier. In a lot of cases, the sender already knows or can find out who the recipient is, e.g. when funding an exchange, buying something from an online store, paying for something in person, etc. For those use cases, we don't need these privacy properties. But for others, say activists wanting to accept donations anonymously, we do. We could let users choose their privacy<->performance trade-off.
  4. Entrust the address<->WRP mapping information to NPPs, perhaps using an MPC protocol to be resilient in case NPPs are compromised.

nathan-at-least commented 1 year ago

Excellent concerns.

I believe when I wrote the current draft, I had a very hand-wavy notion that there is something like Tor hidden services for WRPs and a given WRP could create a different such "strongly private network address" for every wallet address. Huge hand-wavy assumption.

Let me step back and try to define the privacy properties by modifying your suggestion above to include "the attacker can not observe the WRP" on both properties:

  1. Given an address, can an attacker find out who the address does or does not belong to?
  2. Given two addresses, can an attacker find out if the addresses belong to the same wallet?

Does any such thing exist (even in theory)?

Let's see, even if such a silver bullet existed, we'd also have to make sure a malicious WDAP could not violate those properties, so they'd need to be unable to identify which WRPs or wallets were accessing the WDAP.

nathan-at-least commented 1 year ago

Moved this to the correct repo…