
Coinshuffle is a communication protocol that allows a number of peers to privately collaborate in making a Bitcoin coinjoin transaction in such a way that they all provide their addresses for the transaction, but it is still not possible for the other peers to know who provided each one. Its first implementation came out 2 years ago, and used the same sort of idea as in Tor. You can read about it here: https://bitcointalk.org/index.php?topic=567625.0

Two months ago, the same authors of that paper made substantial improvements to the whole protocol of anonymously communicating the destination addresses to the group. This time, instead of onion routing, they are using something similar to the dining cryptographers protocol. You can read about it here: https://bitcointalk.org/index.php?topic=1497271

From what I understand, each pair of the n peers establishes a one-time symmetric key, so each peer knows n-1 such keys. When there is a communication round, each one sends their message out XORed with all their keys. Once everything is XORed together, each key appears twice and will therefore cancel. Well, it is not as simple as that, since the result would be just the XOR of all messages, but using some polynomial tricks the messages can be recovered in the end simultaneously by all the peers, and no one knows who provided each message!

So I was wondering if something similar couldn't be implemented to make it so that every Monero transaction was broadcast to (and relayed through) the network in this manner. That is, it would just appear simultaneously at all n connected nodes in a certain clique in the network. The findings in these papers seem to indicate that we could have that level of privacy in Monero's networking software, and perhaps do away with the need for TOR or I2P.

Now in going over those papers, I have found at least one inconvenience to adapting it, but perhaps people here can find a way around:

If some peers cheat and use garbage instead of the keys, or don't participate at all in the round, etc., then currently the way to weed them out is this: everyone reveals their secret one-time keys and messages, and the round is replayed in the clear to find out which peers to exclude in the next round. This is okay when making a coinjoin transaction, since the addresses provided would only have any value if the transaction was signed, and in the next round everybody would use fresh addresses. If the message itself already had meaningful content, like a signed transaction, then such a procedure is unacceptable. But I am hopeful that a better solution might exist.

Please let me know if you think that this idea has any merit, and if you have any suggestion on how to improve this procedure to protect the message. With some luck maybe we can get one more level of privacy directly into Monero's software!

EDIT/TL;DR: Specifically, there are two questions here:

1) Do you think that the messaging protocol from Coinshuffle++ could be implemented in Monero's transaction broadcasting protocol? What would have to be adapted?

2) Assuming we want to use a similar procedure to eliminate dishonest peers, can you think of a way to adapt the one from Coinshuffle++ but without revealing the messages (i.e. transactions, in Monero's world)?
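The key-cancelling round described in the question, as an added toy example (not code from the question, nor from the Coinshuffle++ authors): it uses addition modulo a small prime instead of XOR, publishes power sums of each message as the "polynomial trick" so that all n messages come out at once, and finds the roots by brute force. The field size, peer count and the assumption that messages are distinct are illustration choices only.

```python
# Toy DC-net round (added example, not the Coinshuffle++ code). Every unordered
# pair of peers shares a fresh one-time key per slot; peer i adds the key to its
# contribution when i < j and subtracts it when i > j, so the sum over all peers
# cancels every key. Slot k carries m_i^k mod P, so the sum is the power sum
# S_k = sum m_i^k, from which the messages are recovered as polynomial roots.
import secrets
from itertools import combinations

P = 7919  # assumption: toy prime field; a real protocol uses a large field

def pairwise_keys(n, slots):
    """One-time key per unordered pair and per slot: {(i, j): [k_1 .. k_slots]}."""
    return {(i, j): [secrets.randbelow(P) for _ in range(slots)]
            for i, j in combinations(range(n), 2)}

def pad_for(peer, n, keys, slot):
    """Mask for one slot: +key towards higher-numbered peers, -key towards lower."""
    pad = 0
    for j in range(n):
        if j == peer:
            continue
        k = keys[(min(peer, j), max(peer, j))][slot]
        pad = (pad + k) % P if peer < j else (pad - k) % P
    return pad

def publish(peer, n, msg, keys):
    """Peer's public contribution: (msg^k + pad_k) mod P for k = 1 .. n."""
    return [(pow(msg, k, P) + pad_for(peer, n, keys, k - 1)) % P
            for k in range(1, n + 1)]

def recover(contributions):
    """Sum all contributions (pads cancel, leaving S_1..S_n), convert the power
    sums into the coefficients of prod(x - m_i) via Newton's identities, and
    return the roots, i.e. the messages, found by brute force over the field."""
    n = len(contributions)
    S = [sum(c[k] for c in contributions) % P for k in range(n)]  # S[k] = S_{k+1}
    e = [1]  # elementary symmetric polynomials e_0 .. e_n
    for k in range(1, n + 1):
        acc = sum((-1) ** (i - 1) * e[k - i] * S[i - 1] for i in range(1, k + 1))
        e.append(acc * pow(k, -1, P) % P)
    # prod(x - m_i) = sum_k (-1)^k e_k x^(n-k); distinct messages assumed
    return sorted(x for x in range(P)
                  if sum((-1) ** k * e[k] * pow(x, n - k, P)
                         for k in range(n + 1)) % P == 0)

def dc_net_round(messages):
    """Run one round: derive keys, publish masked power sums, recover messages."""
    n = len(messages)
    keys = pairwise_keys(n, n)
    return recover([publish(i, n, m, keys) for i, m in enumerate(messages)])
```

The recovered list is sorted, so nothing in the output ties a message to the peer that contributed it; the cheating case the question raises (a peer using garbage instead of its keys) simply makes the sums fail to cancel.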