Super Testnet's avatar
Super Testnet 1 year ago
> You need that each person that owns one utxo (simplest model) gets to choose *one* output. Without linkability they aren't restricted like that right? I have an alternative way to stop someone from submitting more than one cj_addr. See my "kickout protocol," specifically the section "Kicking trolls out of Round 2."
GitHub
GitHub - supertestnet/coinjoin-workshop: A workshop on constructing coinjoin transactions without a coordinator
A workshop on constructing coinjoin transactions without a coordinator - supertestnet/coinjoin-workshop
↑ Parent

Replies (2)

waxwing's avatar
waxwing 1 year ago
Yep, you are describing there a "blame" protocol pretty similar to what happens in coinshuffle. Basically an "open the commitment" thing. The most crucial element is as described both in coinshuffle and in your protocol.: say 10 participants, the blame kicks out the bad behaviour and the remaining 9 continue, etc. I think a linkable ring sig makes a lot of sense though, as it cleans up one form of delay of the process. To note: there is another nuance in ring sig design that's relevant (I discussed it in
waxwing's blog
Ring signatures
Outline: * Basic goal of 1-of-\(N\) ring signatures * Recap: the \(\Sigma\)-protocol * OR of \(\Sigma\)-protocols, CDS 1994 * Abe-Ohkubo-Suzuk...
 ; it's the idea of "exculpability". Some versions of ring sig have a property that, if you reveal the private key, you still do not reveal whether it was *your* private key that signed; in your description, you would need the type that do not have that (so "culpability"). The LWW LSAG, Back-LSAG and MLSAG types are indeed "culpable" so you're probably OK just with that, but: if you have linkability, I don't *think* you even need culpability.
1 replies ↓