Ecash for change output value matching

Open stiell opened this issue 5 years ago • 3 comments

Is your feature request related to a problem? Please describe.

Change outputs are currently nearly always unique and each output can therefore be associated with its corresponding input(s). However, looking at some CoinJoin transactions, there are many change outputs that are close to each other in value, and very often close to 0.1 BTC. If the values could be slightly adjusted to match other outputs, these outputs could become part of an anonymity set, or even contribute to the main anonymity set.

Describe the solution you'd like

I'd like to propose the idea of having the coordinator issue long-lived ecash tokens of a relatively small denomination, which users may cash in to increase their effective input, and which are paid out if an output is decreased to match other outputs. The ecash tokens obtained in one round may be used anonymously in a later round.

The client needs to trust the coordinator with the validity of these tokens, so they should only be used for small amounts and the client should only accept holding up to a certain amount of tokens at any time (e.g. up to 100k sat worth).

Ecash tokens should all be of the same denomination, e.g. 10k sat, for maximum anonymity. However, fractions of the token denomination may be handled by using provably fair stochastic rounding.

These tokens might be used in other ways: What about, instead of only adjusting output values to match, each output value is randomised a little, exchanging tokens to compensate? Outputs are no longer exactly equal, yet anonymity is preserved.

Describe alternatives you've considered

An alternative might be to allow for small output adjustments without exchanging ecash tokens, but the tolerated range of such adjustments would probably be smaller.

Adjustments via LN? I think it would get more complicated in several respects.

CT would of course fix this whole issue, but I don't think this is coming to Bitcoin anytime soon.

edit: I guess this issue rather belongs in ZeroLink.

stiell, Jun 23 '19 14:06
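Added example, not part of the issue or of any project's code: one way the "provably fair stochastic rounding" mentioned in the post above could be made checkable by the client, assuming a hash commit-reveal exchange between coordinator and client. The commit-reveal scheme, the function names and the 32-byte seeds are assumptions; the 10k sat denomination is the one given in the post.

```python
import hashlib
import hmac

TOKEN_SAT = 10_000  # token denomination used as the example in the post

def commit(seed: bytes) -> bytes:
    """Hash commitment the coordinator publishes before seeing the client's seed."""
    if len(seed) != 32:
        raise ValueError("seed must be 32 bytes")
    return hashlib.sha256(b"commit:" + seed).digest()

def round_to_tokens(amount_sat: int, client_seed: bytes, coord_seed: bytes) -> int:
    """Round amount_sat to whole tokens; rounds up with probability frac/TOKEN_SAT."""
    if amount_sat < 0 or len(client_seed) != 32 or len(coord_seed) != 32:
        raise ValueError("need a non-negative amount and 32-byte seeds")
    whole, frac = divmod(amount_sat, TOKEN_SAT)
    # Both parties contribute entropy, so neither alone controls the draw.
    digest = hashlib.sha256(b"draw:" + client_seed + coord_seed).digest()
    # Modulo bias is negligible: 2**256 is vastly larger than TOKEN_SAT.
    draw = int.from_bytes(digest, "big") % TOKEN_SAT
    return whole + (1 if draw < frac else 0)

def client_verifies(commitment: bytes, revealed_coord_seed: bytes,
                    client_seed: bytes, amount_sat: int, claimed_tokens: int) -> bool:
    """Client-side check after the coordinator reveals its seed."""
    if len(revealed_coord_seed) != 32:
        return False
    if not hmac.compare_digest(commit(revealed_coord_seed), commitment):
        return False  # coordinator changed its seed after seeing the client's
    return round_to_tokens(amount_sat, client_seed, revealed_coord_seed) == claimed_tokens

if __name__ == "__main__":
    import secrets
    coord_seed = secrets.token_bytes(32)
    commitment = commit(coord_seed)        # 1. coordinator -> client: commitment
    client_seed = secrets.token_bytes(32)  # 2. client -> coordinator: seed in the clear
    # 3. coordinator -> client: its seed and the rounded result (constructed amount)
    tokens = round_to_tokens(23_700, client_seed, coord_seed)
    print(tokens, client_verifies(commitment, coord_seed, client_seed, 23_700, tokens))
```

The coordinator learns the outcome as soon as it receives the client's seed, so a client should treat a missing or invalid reveal as a failed round rather than retrying with a fresh draw.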

I'll move it to the Meta project. Unfortunately I don't think we can even consider it, due to regulatory issues with custodial things :/

nopara73, Jun 24 '19 11:06

But definitely a worthy conversation to be had.

nopara73, Jun 24 '19 11:06

With a protocol like scrit we can have digital bearer certificates that do not rely on a single trusted third party, but instead a federation of servers, where m-1 cannot increase the certificate supply, and a signature is needed to transfer the certificates.

It would be an interesting idea for the lawyers to find out if such a federated model is still encompassed by the custodianship issue...

MaxHillebrand, Nov 26 '19 14:11