nathan-at-least / zcash-mspa-book Goto Github PK

An MSPA requirement for NPPs is to:

protect both sender and recipient network location from all parties, including each other or any other party

There are privacy properties beyond protecting the recipient's network location that users may care about, such as:

1. Given an address, can an attacker find out who the address does or does not belong to?
2. Given two addresses, can an attacker find out if the addresses belong to the same wallet?

An address must encode enough information for the sender+NPPs to deliver a message to the recipient's WRP.

If a sender alone can determine which WRP their message goes to, and wallets typically use different WRPs, privacy properties (1) and (2) can be broken by, for (1), watching a wallet's network connection to see which WRP it connects to and checking if that's the same WRP as the address uses or for (2), checking if both addresses use the same WRP.

Mixed Tag Detection (MTD) solves that problem by putting the WRP (detection server)'s anonymized public key in the address and having the WRP trial-decrypt a ciphertext for every transaction that gets sent, even the ones destined for other WRPs. This requires WRPs to process data proportional to the total number of finalized transactions. That presents a scalability problem in that it upper-bounds the network's total transaction rate to what the weakest WRP can handle, e.g. it becomes a problem if we try to support a much higher tx rate with a small blockchain using rollups.

A mixnet like Loopix doesn't solve this problem: a message sender must know which provider (detection server / WRP) the recipient uses in order to route their message to get there through the mixnet. So although Loopix provides good sender anonymity and third-party sender-receiver unlinkability, it's not so good at protecting a recipient's anonymity when their address is known.

In Loopix, a recipient can receive a message anonymously using a "single-use anonymous reply block", which lets a sender route their message to their provider without revealing to the sender who their provider is (the routing information is pre-encrypted in the reply block). This requires an interactive protocol, since the recipient has to give the sender a new reply block for each message it wants to receive.

This ticket is about how these privacy properties might be provided in MSPA. Ideally, this would be done in a way that does not involve WRPs processing data proportional to the network's total tx rate.