[v0.16.x] Backport #3661 #3702
Merged
[v0.16.x] Backport #3661 #3702
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Use GetRealOut... instead of Capped Signed-off-by: pasta <[email protected]> * Add "ps_salt" value to walletdb This value is used to deterministically pick a random number of rounds to mix, between N and N + GetRandomRounds. A salt is needed in addition to the inputs hash to ensure that an attacker learns nothing from looking at the blockchain. Signed-off-by: pasta <[email protected]> * Implement Random Round Mixing This implements "Random Round Mixing." Previously, attempted attacks on PrivateSend assumed that all inputs had been mixed for the same number of rounds. Noramlly assuming 2,4,8 or 16. While none of these attacks have been successful, they still teach what we can do to make our system more robust, and one of those ways is to implement "Random Round Mixing". Under the previous system, inputs were mixed up until N rounds (configured by user). At this point, the input was considered mixed, and could be private-sent. Under this new system, an input will be mixed to N rounds like prior. However, at this point, Sha256d(input, salt) will be calculated (note: this likely could be a more efficient hash function than double sha256, but that can be done in another PR / version if needed). If (hash % 2 == 0), then the input will be mixed again. This results in an exponential decay where if you mix a set of inputs, half of those inputs will be mixed for N rounds, 1/4 will be mixed N+1, 1/8 will be mixed N+2, etc. This current implementation caps it at N+2. This results in mixing an average of N+0.875 rounds. If you removed the cap, you would mix on average N+1 rounds. Signed-off-by: pasta <[email protected]> * Make PS salt a private member of CWallet, tweak the way it's initialized * Introduce `CWallet::IsFullyMixed` and use it everywhere instead of comparing rounds directly to ensure consistency between coin selection logic, balance calculations and gui * Tweak `GetRealOutpointPrivateSendRounds` to respect random rounds * Tweak IsFullyMixed to make decision on a per-outpoint basis instead of a per-tx one * make a comment doxygen Signed-off-by: pasta <[email protected]> * Rename GetPrivateSendSalt InitPrivateSendSalt, since it is not a getter Signed-off-by: pasta <[email protected]> * move the comment below GetRounds call Signed-off-by: pasta <[email protected]> * don't use GetCappedOutpointPrivateSendRounds when printing to RPC Signed-off-by: pasta <[email protected]> * Simplify hashing in IsFullyMixed Uses just 1 sha256 instead of 3 (1 in SerializeHash + 2 in Hash) * undo comment change Signed-off-by: pasta <[email protected]> Co-authored-by: UdjinM6 <[email protected]>
UdjinM6
reviewed
Sep 12, 2020
Signed-off-by: pasta <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Had many conflicts, this version doesn't use the new CPrivateSendClientOptions class, since that hasn't been backported to v16 (and imo shouldn't be without quite a few conflicts)