Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Archiving historic nullifiers with mutator sets #111

Open
narodnik opened this issue Oct 17, 2023 · 1 comment
Open

Archiving historic nullifiers with mutator sets #111

narodnik opened this issue Oct 17, 2023 · 1 comment

Comments

@narodnik
Copy link

narodnik commented Oct 17, 2023
edited
Loading

With #100, then Monero now has an infinitely growing nullifier set.

However it's possible to put a bound on this using merkle trees. Basically all coins belong to a large batch, call this index k. When spending the coin, we create an unlinkable nullifier and also reveal the batch index k.

All nullifiers for previous windows except the current active one are put in a merkle tree (a merkle mountain range to be precise). When spending, we have to show our nullifier isn't in the batch. An efficient way of doing this is using bloom filters instead of just storing the ordered nullifiers in the tree.

Then anyone else with coins in that batch, will update their set of nullifiers (the bloom filter) with the newly added nullifier. Users without coins in that batch don't need to keep track of those nullifiers.

This decreases privacy since the batch k that a nullifier belongs to is public, but the batch can be sufficiently large enough that it still provides practical strong anonymity while ensuring the nullifier set isn't unbounded. For example a batch could be for 2 years worth of coins.

Mutator Sets and their Application to Scalable Privacy by Alan Szepieniec .et al
@narodnik narodnik changed the title Archiving historic nullifiers Archiving historic nullifiers with mutator sets Oct 17, 2023
@kayabaNerve
Copy link

To start, Monero already has an infinitely growing set of nullifiers/linking tags/key images.

I am against ever segregating Monero's privacy set, along with making old outputs unspendable (not proposed here, yet another potential 'solution')

One possibility may be the following:

  1. We define a sparse merkle tree (or bloom filter, if that actually would work here which I'd have to check) to store the last year's linking tags
  2. We define a list of all the SMT roots
  3. Users prove their linking tag isn't present in any of the SMTs

This reduces node's storage of the set of linking tags (which is part of the state and not prunable) to the last year's worth. This does require wallets to create several proofs (which could be folded with an IVC like Nova to effectively be one proof) and have access to a node with the full set still in state to get the necessary proving data.

I don't believe this is a worthwhile trade-off, as I'm not personally too concerned about this state growth aspect, yet it's good to start accumulating ideas and noting options.

@expiredhotdog expiredhotdog mentioned this issue Jan 2, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@narodnik @kayabaNerve