Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Taker-side sybil attack #960

Open
chris-belcher opened this issue Aug 3, 2021 · 4 comments
Open

Taker-side sybil attack #960

chris-belcher opened this issue Aug 3, 2021 · 4 comments
Labels
protocol related to the communication between maker / taker question

Comments

@chris-belcher
Copy link
Contributor

Someone on the telegram chat asked this, which I think is interesting and useful to discuss:

Can joinmarket be sybil attacked from the taker side? Somebody willing to spend enough on cj and network fees, being the the coordinator for a certain share of all coinjoins (maybe 50%?) could link the uxtos of most makers since they are now permanently tied to their FB. Before FBs you could at least change nicknames from time to time. Is this a realistic attack? At the moment it shoudn't even be that expensive since since the fees are low and few cj are happening

Some points I thought of:

  • Fidelity bonds don't make a difference, because a maker's UTXOs would still be the same even if the maker's IRC nick changed, so our hypothetical taker sybil attacker could figure out what happened even if the IRC nick changed.
  • It would definitely be interesting to figure out the cost of this attack.
  • 50% of all coinjoins likely isn't enough, the hypothetical taker sybil attacker would have to do way more than that. Imagine if you see a coinjoin with 10 participants, attacking 50% of it means you know the linkage of 5 of those participants but the other 5 are still unknown to you. The maker-sybil-resistance-with-fidelity-bonds used the value of 95% as the value of a "successful sybil attack". Even that still means 1-in-20 unknown. The defenders of a sybil attack have to get lucky just once for some privacy to remain, the sybil attacker has to get lucky every time, that's one reason why the maker-fidelity-bond-sybil-resistance scheme is so powerful.
  • This attack would have to be ongoing in perpetuity. The attacker would have to monitor the UTXOs they know about and whenever a new coinjoin is done the attacker has to do a few coinjoins of their own.
  • This is similar but more expensive to the 156-issue from 2016, which we added resistance to by creating the podle scheme. See https://joinmarket.me/blog/blog/poodle/ There's also another blog post somewhere which I can't find now about how the podle scheme creates a race between attackers and defenders, with the attackers constantly having to create new UTXOs.
@AdamISZ
Copy link
Member

AdamISZ commented Aug 3, 2021

It's probably just coincidence, but just this morning I wrote this thread on mastodon, which considers the issue of an active, targeted attack, rather than the global one we discussed when introducing PoDLE.

https://x0f.org/web/statuses/106691802538114853

I didn't discuss the FB aspect; I believe it's analogous to the issue I do mention there, of the long running J5.. nym. It just makes it somewhat worse (I say 'somewhat' because people are leaving bots running for weeks++ anyway).

This attack would have to be ongoing in perpetuity.

There's also another blog post somewhere which I can't find now about how the podle scheme creates a race between attackers and defenders, with the attackers constantly having to create new UTXOs.

Yeah I didn't revive that one when the blog went down. I can probably find it again via the archive ("racing against snoopers in Joinmarket 0.2" I think it was called, or similar).

Fwiw I think the targeted active attack against a "known" identity/utxo/FB/JM nym is a lot more of concern than a global attack, just in general, but see that thread for more.

@AdamISZ
Copy link
Member

AdamISZ commented Aug 4, 2021

I should really drop this link here: https://gist.github.com/AdamISZ/52aa2e4e48240dfbadebb316507d0749 . It is a long way from a fully fleshed out or practical idea, but at some point in the future, something like that could be helpful.

@AdamISZ AdamISZ mentioned this issue Aug 6, 2021
Open
@MWICA
Copy link

MWICA commented Aug 7, 2021
edited
Loading 

* Fidelity bonds don't make a difference, because a maker's UTXOs would still be the same even if the maker's IRC nick changed, so our hypothetical taker sybil attacker could figure out what happened even if the IRC nick changed.

I mentioned a concern here #971 (comment)

To re-post it here.

But takers can see the UTXO from my understanding. My concern is though that a spy is able to link a post-mix UTXO with a pre-mix UTXO by seeing eventually (by being a taker at just at least one point later on) that both are associated with my FB identity. "I see this person's current UTXO that uses this FB, had this UTXO in the past before mix".

How is this not a concern?

They would not even have to be a sybil to correlate a post mix utxo with a premix because of the persistent FB identity

@MWICA
Copy link

MWICA commented Aug 7, 2021
edited
Loading

of the long running J5.. nym. It just makes it somewhat worse (I say 'somewhat' because people are leaving bots running for weeks++ anyway).

True. I do want to add that even without FB and static nyms, makers somewhat have an identity heuristic across nyms based on their balance, the amount for offer.

@AdamISZ AdamISZ added protocol related to the communication between maker / taker question labels Jun 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
protocol related to the communication between maker / taker question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AdamISZ @chris-belcher @MWICA