Skip to content

Commit

Permalink
Reference StakeShuffle in place of CSPP++
Browse files Browse the repository at this point in the history
Update verbiage on CSPP/StakeShuffle with more recent developments.
Adds terms CoinShuffle++ and StakeShuffle to glossary.
Adds video tutorial for privacy mixing on "How To" page.
Addresses decred#1151 and decred#1152.
  • Loading branch information
dezryth committed Feb 12, 2021
1 parent b343467 commit 4ec350a
Show file tree
Hide file tree
Showing 4 changed files with 40 additions and 29 deletions.
10 changes: 9 additions & 1 deletion docs/glossary.md
Original file line number Diff line number Diff line change
Expand Up @@ -87,10 +87,14 @@ Not using dedicated change addresses, or re-using existing ones, would enable a
passive observer to infer a significant amount of information about your
transaction sizes and where you are sending transactions to.

#### CoinShuffle++

The protocol Decred's [StakeShuffle](#stakeshuffle) privacy implementation utilizes. The CoinShuffle++ (CSPP) protocol is described in ["P2P Mixing and Unlinkable Bitcoin Transactions"](https://decred.org/research/ruffing2016.pdf) by Ruffing, Moreno-Sanchez and Kate. It uses [**DiceMix Light**](https://github.com/ElementsProject/dicemix/blob/master/doc/protocol.md), a faster iteration by Ruffing on the DiceMix process proposed in the CoinShuffle++ paper. This process allows for the creation of untraceable transactions, but the amounts are still publicly visible. To make the outputs indistinguishable, each mix must have a fixed denomination.

#### Coin Type

A unique number assigned to a cryptocurrency, which is used by [HD
Wallets](#hd-wallet) during the process of generating public/private keypairs.
Wallets](#hierarchical-deterministic-hd-wallet) during the process of generating public/private keypairs.
Cryptocurrencies with assigned coin types are listed in
[SLIP-0044](https://github.com/satoshilabs/slips/blob/master/slip-0044.md).
The coin type of Decred is 42.
Expand Down Expand Up @@ -458,6 +462,10 @@ complete](https://en.wikipedia.org/wiki/Turing_completeness).

A change to consensus rules that is backwards compatible. Nodes running older versions without the new rules can still validate transactions and blocks. However, nodes running older versions can only partially validate transactions and blocks created by nodes using the new rules. This is because old nodes believe they are fully validating transactions, however, they are not able to undstand transactions created using the new rules. For instance, if a new transaction type is added via soft fork, only nodes using the new rules will be able to understand the new transaction type.

#### StakeShuffle

Decred's implementation of the [CoinShuffle++](#coinshuffle) protocol used to obfuscate ownership of DCR coins via Decred CoinJoin transactions created with a mixnet. When using StakeShuffle, the outputs are fully anonymized. None of the peers or the server can link outputs and inputs. The "StakeShuffle" term is often used interchangably with "CoinShuffle++" in regards to Decred's privacy implementation.

#### Stake transaction tree

[Transactions](https://www.reddit.com/r/decred/comments/66j4l4/decred_proof_of_stake_explained/dgjsyxd) relating to ticket buying and ticket voting rewards.
Expand Down
24 changes: 16 additions & 8 deletions docs/privacy/cspp/how-to-cspp.md
Original file line number Diff line number Diff line change
@@ -1,21 +1,29 @@
# How to use CoinShuffle++
# <img class="dcr-icon" src="/img/dcr-icons/LockEye.svg" /> How to use StakeShuffle

---

To use CSPP, several new options must be set in `dcrwallet`.
## Using StakeShuffle with Decrediton

Regardless of the intended setup, users must create two new accounts, `mixed` and `unmixed`, and point their wallets to Decred's CSPP servers:
Privacy mixing is available within the Decrediton wallet software.

Follow along with the video tutorial [here](https://www.youtube.com/watch?v=QC65PBNwAK4) to get started.

## Using StakeShuffle via Command Line

To use StakeShuffle, several new options must be set in `dcrwallet`.

Regardless of the intended setup, users must create two new accounts, `mixed` and `unmixed`, and point their wallets to Decred's StakeShuffle servers:

Mainnet

- Download the CSPP server [TLS certificate](https://cspp.decred.org/cspp.decred.org.pem)
- Download the StakeShuffle server [TLS certificate](https://cspp.decred.org/cspp.decred.org.pem)
- Reference the certificate file using `--csppserver.ca=cspp.decred.org.pem`
- Point `dcrwallet`to the CSPP mainnet server by setting `--csppserver=cspp.decred.org:5760`
- Point `dcrwallet`to the StakeShuffle mainnet server by setting `--csppserver=cspp.decred.org:5760`

Testnet

- Testnet does **not** use the TLS certificate
- Point `dcrwallet` to the CSPP testnet server by setting `--csppserver=cspp.decred.org:15760`
- Point `dcrwallet` to the StakeShuffle testnet server by setting `--csppserver=cspp.decred.org:15760`

---

Expand Down Expand Up @@ -100,12 +108,12 @@ Non-stakers are able to use this mechanism to mix received funds by using the un

## Tor Hidden Service

The CSPP server is accessible as a Tor hidden service, which provides two-way anonymity. The server doesn't know the IP of the client and the client also doesn't know the IP of the server. The latest onion address can be found at [CSPP server site](https://cspp.decred.org/) and can be configured by using the `--csppserver` flag.
The StakeShuffle server is accessible as a Tor hidden service, which provides two-way anonymity. The server doesn't know the IP of the client and the client also doesn't know the IP of the server. The latest onion address can be found at [StakeShuffle server site](https://cspp.decred.org/) and can be configured by using the `--csppserver` flag.

In case `dcrwallet` connects to `dcrd` directly, the `--nodcrdproxy=1` option may be specified in addition to the above.

---

## Further Information

For more technical information about CoinShuffle++, visit Decred’s [cspp](https://github.com/decred/cspp) Github repository. You can also read about CoinShuffle++ on [Decred’s blog](https://blog.decred.org/2019/08/28/Iterating-Privacy/).
For more technical information about CoinShuffle++, visit Decred’s [cspp](https://github.com/decred/cspp) Github repository. You can also read about CoinShuffle++/StakeShuffle on [Decred’s blog](https://blog.decred.org/2019/08/28/Iterating-Privacy/).
31 changes: 13 additions & 18 deletions docs/privacy/cspp/overview.md
Original file line number Diff line number Diff line change
@@ -1,16 +1,14 @@
# <img class="dcr-icon" src="/img/dcr-icons/LockEye.svg" /> CoinShuffle++
# <img class="dcr-icon" src="/img/dcr-icons/LockEye.svg" /> StakeShuffle

---

## What is CoinShuffle++ and how does it work?
## What is StakeShuffle and how does it work?

**CoinShuffle++ (CSPP)** is a mixing protocol used to create Decred **CoinJoin** transactions.
Decred's **StakeShuffle** is a **non-custodial** process used to create Decred **CoinJoin** transactions that obfuscate ownership of DCR coins, where the output addresses are anonymized via a mixnet. When using StakeShuffle, the outputs are fully anonymized. None of the peers or the server can link outputs and inputs.

CSPP is a **non-custodial** process to obfuscate ownership of DCR coins, where the output addresses are anonymized via a mixnet. When using CSPP, the outputs are fully anonymized, none of the peers or the server can link outputs and inputs.
The implementation is based on the **CoinShuffle++ (CSPP)** protocol from ["P2P Mixing and Unlinkable Bitcoin Transactions"](https://decred.org/research/ruffing2016.pdf) by Ruffing, Moreno-Sanchez and Kate. It uses [**DiceMix Light**](https://github.com/ElementsProject/dicemix/blob/master/doc/protocol.md), a faster iteration by Ruffing on the DiceMix process proposed in the CoinShuffle++ paper. This process allows for the creation of untraceable transactions, but the amounts are still publicly visible. To make the outputs indistinguishable, each mix must have a fixed denomination.

Decred's implementation is based on the CoinShuffle++ protocol from ["P2P Mixing and Unlinkable Bitcoin Transactions"](https://decred.org/research/ruffing2016.pdf) by Ruffing, Moreno-Sanchez and Kate. It uses [**DiceMix Light**](https://github.com/ElementsProject/dicemix/blob/master/doc/protocol.md), a faster iteration by Ruffing on the DiceMix process proposed in the CoinShuffle++ paper. This process allows for the creation of untraceable transactions, but the amounts are still publicly visible. To make the outputs indistinguishable, each mix must have a fixed denomination.

CoinShuffle++ does a fine job of anonymizing the output addresses, but if the change is not handled with care, it can link mixed and unmixed UTXOs. In many cases, change outputs can be linked to their inputs by doing a partial sum analysis. To deal with this threat, change from mixes flows to a separate wallet account, where it is then mixed into smaller denominations until the change is less than the smallest mixer denomination.
StakeShuffle does a fine job of anonymizing the output addresses, but if the change is not handled with care, it can link mixed and unmixed UTXOs. In many cases, change outputs can be linked to their inputs by doing a partial sum analysis. To deal with this threat, change from mixes flows to a separate wallet account, where it is then mixed into smaller denominations until the change is less than the smallest mixer denomination.

Mixes occur episodically in **epochs**, with the mainnet epoch set to 20 minutes (1200 seconds).

Expand Down Expand Up @@ -56,30 +54,27 @@ After a failed protocol run, peers can reveal session secrets to expose and excl

## Benefits

The implementation of the CSPP mixnet did not require changing the consensus rules. It is an opt-in implementation that obfuscates ownership of DCR coins with out requiring any modifications to the consensus rules.
The implementation of the CSPP mixnet for StakeShuffle did not require changing the consensus rules. It is an opt-in implementation that obfuscates ownership of DCR coins without requiring any modifications to the consensus rules.

Other privacy implementations like zk-SNARKS and Ring Signatures provide substantial privacy, but impede the network from dropping historical transactions from their full nodes, a process also known as pruning. The CSPP mixnet does not have this effect on the blockchain and pruning remains possible. Pruning the blockchain reduces its size, which makes it easier to download and replicate.

At the same time, the CSPP mixnet presents a much simpler solution that is based on common cryptographic primitives and finite field arithmetic. It is simpler and more DoS resistant than [TumbleBit](https://decred.org/research/heilman2016.pdf), which was initially planned and developed,but dropped because of its vulnerability to Denial-of-Service attacks.

---

## Limitations

The current implementation has several limitations. Mainly the use of a centralized server, to which the CoinJoin leaks which inputs and change addresses belong to each peer, and the lack of support for Voting Service Providers and regular transactions.

The anonymity provided by CoinShuffle++ can be lost if wallet addresses are reused, or if change outputs are not handled correctly. It is imperative that addresses are never reused and that extended public keys of mixed and voting accounts are not revealed to other parties.
## Considerations

The initial code only supports the CLI wallet, dcrwallet, and solo stakers. To implement CSPP beyond the CLI there are some issues that must be dealt with:
The current implementation has limitations to consider. The use of a centralized server, to which the CoinJoin leaks which inputs and change addresses belong to each peer.

+ **dcrwallet:** Changes must be made to support unlocking individual accounts while other accounts keys are locked. CSPP requires hot keys to create on-demand transactions at the end of the timed process.
The anonymity provided by StakeShuffle can be lost if wallet addresses are reused, or if change outputs are not handled correctly. It is imperative that addresses are never reused and that extended public keys of mixed and voting accounts are not revealed to other parties.

+ **Decrediton:** UI/UX must be made so that users have a simple way to opt-in into privacy. The UI must ensure users do not send funds from other accounts besides their mixed account, prevent receiving funds into accounts besides the change account, and use the mixed account to buy tickets.

+ **VSP API:** A new VSP API for buying tickets is needed. To fully support privacy, the way how users buy tickets through VSP must be substantially changed. Proposed changes are already outlined [here](https://github.com/decred/dcrstakepool/issues/574), and it entails moving from an account-based system to a ticket-based system, where users pay VSP fees upfront, and VSP tickets are indistinguishable from solo tickets.
??? info "Development Update"
While the initial code lacked support for mixing while staking with use of Voting Service Providers and for mixing regular transactions, later development of [VSPD](https://github.com/decred/vspd), a new implementation for Voting Service Providers to receive delegated voting rights, has allowed for anyone to participate in StakeShuffle mixing whether they solo stake or not. You can read about the changes that were necessary [here.](https://github.com/decred/dcrstakepool/issues/574) Support for mixing regular transactions is available as well. Additionally, while initial code was limited to command line tools, mixing is now available via GUI by way of using the [Decrediton](../../wallets/decrediton/decrediton-setup.md) wallet software.

---

## Further Information

For more technical information about CoinShuffle++, visit Decred’s [cspp](https://github.com/decred/cspp) Github repository. You can also read about CoinShuffle++ on [Decred’s blog](https://blog.decred.org/2019/08/28/Iterating-Privacy/).

To get started, see [How To Use StakeShuffle.](../how-to-cspp)
4 changes: 2 additions & 2 deletions mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -116,9 +116,9 @@ nav:
- 'gominer Pool Mining': 'mining/proof-of-work/pool-mining/gominer.md'
- Privacy:
- 'General Privacy': 'privacy/general-privacy.md'
- CoinShuffle++:
- StakeShuffle:
- 'Overview': 'privacy/cspp/overview.md'
- 'How to use CSPP': 'privacy/cspp/how-to-cspp.md'
- 'How to use StakeShuffle': 'privacy/cspp/how-to-cspp.md'
- Lightning Network:
- 'Overview': 'lightning-network/overview.md'
- 'Backups': 'lightning-network/backups.md'
Expand Down

0 comments on commit 4ec350a

Please sign in to comment.