Here's how the layered encryption portion of the CashShuffle protocol rounds work like this.
Assuming 5 players: Alice, Bob, Carol, Dingus, Emily
TODO
Last active
May 10, 2019 20:59
-
-
Save alwaysAn0n/cf68f39af799ce770eca952a6bc0be17 to your computer and use it in GitHub Desktop.
CashShuffle protocol, ELI freshman in college
The CashShuffle protocol describes a way that people can work together in building a bitcoin transaction that makes it difficult for others to spy on their past transaction histories using the knowledge that they own a particular bitcoin address. It uses an intentionally unintelligent server to match compatible players and facilitate communication between them.
These transactions are built during CashShuffle protocol rounds. Here's how it works.
- Each player tells the server roughly how big the coin is that they wish to shuffle
- When enough players have showed up, the server tells all of them to get started.
- Each player announces to the group the coin they wish to shuffle as well as a public key that can be used by the other players to verify that messages sent by them truly are from them and haven't been tampered with (the verification key).
- After all coins and verification keys have been announced, the players send out another message announcing the bitcoin address they want their change sent to as well as a second private key that other players can use to encrypt secret messages which only they can read by them (encryption key).
- Each player uses the other players encryption keys to encrypt the bitcoin address they want their shuffled coin sent to. They are each encrypted then randomized so that only the last player in the round can read them and when they do, it's impossible to know which player's shuffled coin is going into which address. See the explanation at the bottom for more details on how this is done.
- Once the final player receives the full and randomized list of addresses, she announces the list for all the players to see.
- Each player checks and makes sure their address has been included in the list and that no two addresses are the same.
- Then each player arranges all the components that will be used to build the shuffle transaction in a particular way as instructed by the cashshuffle spec. Since the method is known by all the players, it should result in each player independently creating an ordered list of components that is exactly the same.
- Each player runs the list through a cryptographic hashing function and announces the results to all the players.
- If any player announces a different result from the rest then they all abandon the round and blame the player who got it wrong. This means that either that player is doing something wrong or somebody is being malicious.
- If all the players announced the same hash then it means everyone has the same correct data and they all know how to build the shuffle transaction.
- Next, the first player constructs the actual shuffle transaction that will eventually be signed and broadcast to the network. She signs it herself then broadcasts her input's signature to all the other players. Those other plays do exactly the same thing.
- Once the final player has received all the other player's signatures and has verified that the signature properly signs the shuffle transaction, the final player applies all the signatures and announces the fully signed transaction to the network.
How does the layered encryption work?
The coinshuffle paper tells us that each participant (i) uses the keys from other partipants (j > i). Upon receiving i-1 cyphertexts, each participant strips one layer of encryption, adds his own ciphertext, shuffles the set, and passes it onto the next person.
Let's break this down with an example using Alice, Bob, Carol, Dave, and Edward.
-
Alice encrypts her output with all keys from Bob through Edward, and gives it to Bob.
-
Bob (partially) decrypts Alice's output address. He also encrypts his own output address with keys Carol - Edward. He sends the still encrypted Alice and Bob keys (in a random order) to Carol.
-
Carol receives both Alice and Bob's encrypted outputs. She (partially) decrypts Alice's output address. She also (partially) decrypts Bob's output address. She also encrypts her own own output address with keys Dave-Edward. She sends all 3 in a random order to Dave.
-
The process continues in a similar fashion: Dave receives Alice, Bob, and Carol's encrypted outputs. Each each of these, he partially decrypts. He then encrypts his output with the remaining player's key (Edward's key), shuffles them, and sends to Edward.
-
Finally, the last player (Edward) receives 4 keys that he can fully decrypt, although he doesn't know which belongs to Alice, Bob, Carol, or Dave. He adds his own, shuffles the order one more time, and publishes 5 keys belonging to Alice, Bob, Carol, Dave, and Edward. No one knows the true order.
Here's my edit. There could very well be some new mistakes/typos I've made, and there are a few places where you could argue the tone should be made slightly less formal. Overall, though, I think it flows much better. Please let me know what you think!
The CashShuffle protocol describes a way that users can trustlessly cooperate to build a bitcoin transaction that mixes up, or "shuffles" their coins, making it harder to use blockchain analysis to determine a user's transaction history. A server is needed only to match participants and facilitate communication between them. A wallet that implements the CashShuffle protocol shuffles your coins automatically, but here's how it works under the hood:
-
Prospective shufflers tell the server roughly how big the coin is that they want to shuffle
-
When enough participants for a given coin size are available, the server notifies them that the shuffling process can begin.
-
Each shuffler announces which coin they want to shuffle along with a public “verification” key so that everyone can be sure that one another's messages are genuine.
-
Since the shuffle amount will only be equal to one participant's coin, all shufflers specify a "change address" where they want the difference between their coin size and the shuffle amount to be sent. They also announce a second public key that other participants can use to encrypt messages which can then only be decrypted by the shuffler who generated that public key.
Given 5 participants, Alice, Bob, Carol, Dave, and Erin, the process continues as follows:
-
The first participant, Alice, encrypts the bitcoin address where she wants her shuffled coins sent using each of the other shufflers’ encryption keys successively, first Erin's, then Dave's, then Carol's, and finally Bob's. This results in a multi-layered encryption of her receiving address. That result is then sent to the user who can decrypt the top layer, Bob.
-
That next user, Bob, decrypts the message he received, which leaves Alice's receiving address still encrypted by Carol's, Daves, and Erin's keys. Bob then encrypts his own receiving address using those remaining participants’ encryption keys in the same order as Alice: first Erin's, then Daves, and then Carol's, and sends both results in random order to the next shuffler whose encryption is at the topmost layer, Carol.
-
That previous step is repeated for each remaining participant. Each time, a layer of encryption is removed from the messages the shuffler receives, a new message is added to the group of messages encrypted by all of the remaining shufflers' keys, and those messages are all forwarded in random order to the user who can decrypt the next layer, until the final participant, Erin, receives what will have become every other participant’s address, in random order, encrypted with only Erin's key.
-
Erin, the last shuffler, decrypts all the addresses, adds hers to the list, randomizes their order one more time, and announces the list of addresses for all other shufflers to see. Because the order of each message was randomized on each transfer, it’s impossible for any one participant to know which addresses belong to which other shufflers.
-
Each shuffler makes sure that their address has been included in the list and that no two addresses are the same.
-
All participants independently construct the shuffle transaction given the information that's been made available to them, run it through a cryptographic hash function, and announce the result.
-
If anyone's announcement is different from the rest, all participants abandon the round and blame the shuffler whose result was different, excluding them from future rounds. If all the participants announce the same hash, then everyone is prepared to build and sign the same shuffle transaction.
-
All participants broadcast their respective signatures for that shuffle transaction, and the transaction is broadcast to the mining network.
Here's another revision:
The CashShuffle protocol describes a way that users can trustlessly cooperate to build a bitcoin transaction that mixes up, or "shuffles" their coins, making it harder to use blockchain analysis to determine a user's transaction history. A server is used only to match participants and facilitate communication between them. A CashShuffle enabled wallet will take care of the shuffling process for you, but here's how it works under the hood:
-
Prospective shufflers tell the server roughly how big the coin is that they want to shuffle
-
When enough participants for a given coin size are available, the server notifies them that the shuffling process can begin.
-
Each shuffler announces which coin they want to shuffle along with a public “verification” key so that everyone can be sure that one another's messages are genuine.
-
Since the exact shuffle amount will be equal to the lowest value coin among the participants, some participants will need change. All shufflers send out another message announcing the bitcoin address where they want their change sent, as well as a second public key, also called the "encryption key", that other participants can use to encrypt messages which can then only be decrypted by the shuffler who generated that public key.
Given 5 participants, Alice, Bob, Carol, Dave, and Erin, the process continues as follows:
-
The first participant, Alice, encrypts the bitcoin address where she wants her shuffled coins sent using each of the other shufflers’ encryption keys, one after another: first Erin's, then Dave's, then Carol's, and finally Bob's. This results in a multi-layered encryption of her receiving address. That result is then sent to the user who can decrypt the top layer, Bob.
-
That next user, Bob, decrypts the message he received, which leaves Alice's receiving address still encrypted by Carol's, Daves, and Erin's keys. Bob then encrypts his own receiving address using those remaining participants’ encryption keys in the same order as Alice: first Erin's, then Daves, and then Carol's, and sends both results in random order to the next shuffler whose encryption is at the topmost layer, Carol.
-
That previous step is repeated for each remaining participant. Each time, a layer of encryption is removed from the messages the shuffler receives, a new message is added to the group of messages encrypted by all of the remaining shufflers' keys, and those messages are all forwarded in random order to the user who can decrypt the next layer, until the final participant, Erin, receives what will have become every other participant’s address, in random order, encrypted with only Erin's key.
-
Erin, the last shuffler, decrypts all the addresses, adds hers to the list, randomizes their order one more time, and announces the list of addresses for all other shufflers to see. Because the order of each message was randomized on each transfer, it’s impossible for any one participant to know which addresses belong to which other shufflers.
-
Each shuffler makes sure that their address has been included in the list and that no two addresses are the same.
-
All participants assemble the components that will be used to generate the shuffle transaction according to the CashShuffle specification, pass them through a cryptographic hash function, and announce the result.
-
If anyone's announcement is different from the rest, all participants abandon the round and blame the shuffler whose result was different, excluding them from future rounds. If all the participants announce the same hash, then everyone is prepared to build and sign the same shuffle transaction.
-
All participants broadcast their respective signatures for that shuffle transaction, and the transaction is broadcast to the mining network.
Here's an edit that removes the numbered steps and aims to make it work as a script:
The CashShuffle protocol describes a way users can trustlessly cooperate to build a bitcoin transaction that mixes up, or "shuffles" their coins, making it harder to use blockchain analysis to determine a user’s transaction history. A server is used only to match participants and facilitate communication between them. A CashShuffle enabled wallet will take care of the shuffling process for you, but here's how it works under the hood:
First, prospective shufflers tell the server roughly how big the coin is that they want to shuffle.
When enough participants for a given coin size are available, the server groups them into a pool and notifies them that the shuffling process can begin.
To start the process, each shuffler announces the coin that they want to shuffle and also a public key that the others can use to verify that their messages are genuine.
Since the shuffle amount will be equal to the lowest value coin among the participants, the rest of them will need change, and so next they announce the bitcoin address where they want their change sent.
They also announce a second public key, their "encryption key", which other participants will use to encrypt messages which can then only be decrypted by the shuffler who generated that public key.
Given 5 participants, Alice, Bob, Carol, Dave, and Erin, the process continues as follows:
The first participant, Alice, encrypts the bitcoin address where she wants her shuffled coins sent using each of the other participants encryption keys, one after the other: First Erin's, then Dave's, then Carol's, and finally Bob's. This results in a multi-layered encryption of her receiving addres which is sent to the user who can decrypt the top layer, Bob.
Bob decrypts the message he received, which leaves Alice's address encrypted by Carol's, Daves, and Erin's keys, and encrypts his own receiving address using those remaining participants’ encryption keys in the same order as Alice: first Erin's, then Dave’s, and then Carol's. Both results are then sent in a random order to the next shuffler whose encryption is at the topmost layer, Carol.
That process is repeated for each remaining participant. Each time, a layer of encryption is removed from the messages the shuffler receives, and a new message, encrypted by all of the remaining shufflers' keys, is added to the group of messages before they’re forwarded in random order to the user who can decrypt the next layer.
The last shuffler, Erin, will receive every other participant’s address, in random order, encrypted with only her key. She then decrypts all the addresses, adds hers to the list, randomizes their order one more time, and announces the list of addresses for all other shufflers to see.
Because the order of the encrypted addresses was randomized each time they were forwarded, it’s impossible for any one participant to know which addresses belong to which other shufflers.
After verifying that their addresses have been included in the list and that no two addresses are the same, all participants assemble the data that will be used to generate the shuffle transaction according the the CashShuffle specification, pass them through a cryptographic hash function, and announce the result.
If all the participants announce the same hash, then the shuffle transaction is constructed with the inputs that were announced publicly by the shufflers and outputs that are unlinkable to their owners because of the shuffling process.
Finally, all shufflers announce their respective signatures for that transaction, and it can be broadcast to the mining network.
New short script for animated video:
CashShuffle brings privacy to Bitcoin Cash!
Using CashShuffle, participants cooperatively build a Bitcoin transaction that mixes up, or "shuffles" their coins, making it harder to determine your transaction history using Blockchain Analysis. Not even the other participants in the shuffle know which of the shuffled coins is yours!
Wallets with CashShuffle built in will do everything for you automatically, but here’s how it works under the hood:
Let’s say that Alice, Bob, Carol, Dave, and Erin are shuffling their coins together.
The first shuffler, Alice, encrypts her secret bitcoin address using encryption keys provided by all of the other shufflers: First Erin's, then Dave's, then Carol's, and finally Bob's. This multi-layered encryption of her address is then sent as a message to the user who can decrypt the top layer, Bob.
Bob decrypts the message, which leaves Alice's secret address still encrypted by Carol's, Daves, and Erin's keys, and then encrypts his own secret address using those same keys: Erin's, then Dave’s, and then Carol's. He sends both encrypted addresses in random order along to Carol, who can now decrypt their top layers, but can't tell whose is whose.
That process is repeated for each remaining participant. Each time, a shuffler removes a layer of encryption from the messages they receive, and add a new message to the group, encrypted by only the remaining shufflers' keys.
The last shuffler, Erin, will receive every other participant’s address, encrypted with only her key. She then decrypts all the addresses, adds hers to the list, randomizes their order one more time, and announces the list of addresses for all other shufflers to see.
The shuffle transaction can now be constructed without anyone knowing which addresses belong to which other participants!
Increasing your privacy on Bitcoin Cash with CashShuffle is Safe, Easy, and costs less than a penny. Visit CashShuffle.org and start shuffling today!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I love how this reads. 100% It's easy to follow and captures the essence of how it works. Thanks. I think the community will appreciate this -- you should post it on reddit, etc.