-
Notifications
You must be signed in to change notification settings - Fork 75
Description
Improved Recovery (Efficiency and Privacy)
The way recovery is currently performed is a privacy disaster: the wallet leaks the entire spending history in an attempt to recover unspent user funds. This issue describes the current recovery method, followed by a revised approach which reduces the number of leaked unissued notes by a logarithmic factor and limits the number of leaked issued notes to an arbitrary
Current Recovery Modal
Let BlindMessage (meaning there is no other issued note whose nonce index
[0] |--------------------------------------------------------------------------------- [T] >
On the first iteration our current approach sets a batch size BlindMessages in
[0] |xxxxxxxxxx [b-1] --------------------------------------------------------------- [T] >
On the second iteration, we check the next batch of BlindMessagess in
[0] |xxxxxxxxxxxxxxxxxxxx [2b-1] --------------------------------------------------- [T] >
This process continues until the
[0] |xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [T] > *************** [i*b-1]
After which it follows that if
Obviously, this procedure is terrible for privacy because we're linking together our entire wallet activity history and -on top of that- we're revealing nonces for which BlindMessages were unissued (the segment part marked with *).
Other than being non-privacy friendly, this approach is also relatively in-efficient: it takes
Improved Approach
We subdivide our improved approach into two "phases" to make it more digestable:
- we enstablish a property for spent and issued notes.
- we introduce a binary search method to find
$T$ with logarithmically fewer queries.
1. Spent-Issued Invariant
Let
In english, this means: "The unspent ecash notes are always situated in a region of the nonce space that is never larger than a fixed, pre-decided, size."
Visualization:
[0] |=============================== [d] ============= [K] -------------------------------------- [T] >
Where = marks nonces used for spent notes and - marks nonces used for issued notes.
This property alone doesn't help us: we still need to scan
But we at least know that, when we find
2. Nonce space binary search
This is where things get interesting. Turns out we can use binary search to efficiently determine
Here's how it works. At iteration
i = 0
[l = 0]|-----------------------------------x [m] ---------------------------------- [r = 2^32-1] >
The wallet only queries the Mint with the BlindedMessage for the nonce with index
If
i = 1
[l]|--------------- x [m] --------------- [r] ---------------------------------------- [2^32-1] >
i = 2
|=================== [l] ----- x[m] ----- [r] ---------------------------------------- [2^32-1] >
i = n
...
Formally, we have:
At the end of this process, we are ideally left with
We can repeat this a second time to find
Once both
Note
In this last step, we also save network calls because we don't need to determine the spent status of the notes
we recovered.
Result
Privacy
We improve on privacy, by only revealing
Efficiency
We improve on efficiency for the same reason: we make fewer network requests.
Consequences
This results don't come for free. Maintaining the invariant described above would require:
- Storing an additional counter for
$K$ - Storing the index of the secret derivation inside the
Proofobject. - When sending, we give up our ability to coin-select most efficiently. Instead we sum the value of ecash notes in order of derivation until we get to at least the target amount. ALTERNATIVELY, we could allow arbitrary coin-selection with the condition that -if
$d$ is exceeded by a quantity$e$ - we reissue the oldest$e$ unspent notes and update$K$ . - When receiving, we would need to make sure that the gap between
$T$ and$K$ doesn't get larger than$d$ . Therefore, we would have to re-issue some of the notes from index$K$ onwards, under bigger denominations. If this can't be done the wallet would be at capacity and the operation should be aborted.
Metadata
Metadata
Assignees
Labels
Type
Projects
Status