waxwing on Nostr: Ah OK, I see. Forgive me because I haven't reviewed in detail what you're doing but: ...
Ah OK, I see.
Forgive me because I haven't reviewed in detail what you're doing but:
I vaguely remember seeing someone propose ring sigs before .. somewhere ..., and in particular, I remember musing about linkability in this context: surely, you do actually need it? You need that each person that owns one utxo (simplest model) gets to choose *one* output. Without linkability they aren't restricted like that right? So imagine alice bob and charlie all publish their ring sig key "with" their utxo, then in the second round alice can just publish 3 (cj_addr, ring_sig) pairs to the BB and since all the ring sig validates nobody is any the wiser?
Linkability will just mean each (ring sig) key only gets one usage.
(Using ed25519 keys or whatever instead of secp is ofc not actually a problem here, but that extra layer could get removed ofc; just mentioning it).
I think coinshuffle and coinshuffle++ had some of the most interesting thinking along these lines (purely p2p coinjoin with privacy of each party from each party, and using a BB only for communication, and very importantly, having blame protocols to eject miscreant peers). It's somewhat related to mixnets and dc-nets iirc but I'd have to look it up. Beautiful protocol in its base form. Tim Ruffing was one of the main authors.
Forgive me because I haven't reviewed in detail what you're doing but:
I vaguely remember seeing someone propose ring sigs before .. somewhere ..., and in particular, I remember musing about linkability in this context: surely, you do actually need it? You need that each person that owns one utxo (simplest model) gets to choose *one* output. Without linkability they aren't restricted like that right? So imagine alice bob and charlie all publish their ring sig key "with" their utxo, then in the second round alice can just publish 3 (cj_addr, ring_sig) pairs to the BB and since all the ring sig validates nobody is any the wiser?
Linkability will just mean each (ring sig) key only gets one usage.
(Using ed25519 keys or whatever instead of secp is ofc not actually a problem here, but that extra layer could get removed ofc; just mentioning it).
I think coinshuffle and coinshuffle++ had some of the most interesting thinking along these lines (purely p2p coinjoin with privacy of each party from each party, and using a BB only for communication, and very importantly, having blame protocols to eject miscreant peers). It's somewhat related to mixnets and dc-nets iirc but I'd have to look it up. Beautiful protocol in its base form. Tim Ruffing was one of the main authors.