Here's how the layered encryption portion of the CashShuffle protocol rounds work like this.
Assuming 5 players: Alice, Bob, Carol, Dingus, Emily
TODO
Here's how the layered encryption portion of the CashShuffle protocol rounds work like this.
Assuming 5 players: Alice, Bob, Carol, Dingus, Emily
TODO
The CashShuffle protocol describes a way that people can work together in building a bitcoin transaction that makes it difficult for others to spy on their past transaction histories using the knowledge that they own a particular bitcoin address. It uses an intentionally unintelligent server to match compatible players and facilitate communication between them.
These transactions are built during CashShuffle protocol rounds. Here's how it works.
How does the layered encryption work?
The coinshuffle paper tells us that each participant (i) uses the keys from other partipants (j > i). Upon receiving i-1 cyphertexts, each participant strips one layer of encryption, adds his own ciphertext, shuffles the set, and passes it onto the next person.
Let's break this down with an example using Alice, Bob, Carol, Dave, and Edward.
Alice encrypts her output with all keys from Bob through Edward, and gives it to Bob.
Bob (partially) decrypts Alice's output address. He also encrypts his own output address with keys Carol - Edward. He sends the still encrypted Alice and Bob keys (in a random order) to Carol.
Carol receives both Alice and Bob's encrypted outputs. She (partially) decrypts Alice's output address. She also (partially) decrypts Bob's output address. She also encrypts her own own output address with keys Dave-Edward. She sends all 3 in a random order to Dave.
The process continues in a similar fashion: Dave receives Alice, Bob, and Carol's encrypted outputs. Each each of these, he partially decrypts. He then encrypts his output with the remaining player's key (Edward's key), shuffles them, and sends to Edward.
Finally, the last player (Edward) receives 4 keys that he can fully decrypt, although he doesn't know which belongs to Alice, Bob, Carol, or Dave. He adds his own, shuffles the order one more time, and publishes 5 keys belonging to Alice, Bob, Carol, Dave, and Edward. No one knows the true order.
Here's my edit. There could very well be some new mistakes/typos I've made, and there are a few places where you could argue the tone should be made slightly less formal. Overall, though, I think it flows much better. Please let me know what you think!
The CashShuffle protocol describes a way that users can trustlessly cooperate to build a bitcoin transaction that mixes up, or "shuffles" their coins, making it harder to use blockchain analysis to determine a user's transaction history. A server is needed only to match participants and facilitate communication between them. A wallet that implements the CashShuffle protocol shuffles your coins automatically, but here's how it works under the hood:
Prospective shufflers tell the server roughly how big the coin is that they want to shuffle
When enough participants for a given coin size are available, the server notifies them that the shuffling process can begin.
Each shuffler announces which coin they want to shuffle along with a public “verification” key so that everyone can be sure that one another's messages are genuine.
Since the shuffle amount will only be equal to one participant's coin, all shufflers specify a "change address" where they want the difference between their coin size and the shuffle amount to be sent. They also announce a second public key that other participants can use to encrypt messages which can then only be decrypted by the shuffler who generated that public key.
Given 5 participants, Alice, Bob, Carol, Dave, and Erin, the process continues as follows:
The first participant, Alice, encrypts the bitcoin address where she wants her shuffled coins sent using each of the other shufflers’ encryption keys successively, first Erin's, then Dave's, then Carol's, and finally Bob's. This results in a multi-layered encryption of her receiving address. That result is then sent to the user who can decrypt the top layer, Bob.
That next user, Bob, decrypts the message he received, which leaves Alice's receiving address still encrypted by Carol's, Daves, and Erin's keys. Bob then encrypts his own receiving address using those remaining participants’ encryption keys in the same order as Alice: first Erin's, then Daves, and then Carol's, and sends both results in random order to the next shuffler whose encryption is at the topmost layer, Carol.
That previous step is repeated for each remaining participant. Each time, a layer of encryption is removed from the messages the shuffler receives, a new message is added to the group of messages encrypted by all of the remaining shufflers' keys, and those messages are all forwarded in random order to the user who can decrypt the next layer, until the final participant, Erin, receives what will have become every other participant’s address, in random order, encrypted with only Erin's key.
Erin, the last shuffler, decrypts all the addresses, adds hers to the list, randomizes their order one more time, and announces the list of addresses for all other shufflers to see. Because the order of each message was randomized on each transfer, it’s impossible for any one participant to know which addresses belong to which other shufflers.
Each shuffler makes sure that their address has been included in the list and that no two addresses are the same.
All participants independently construct the shuffle transaction given the information that's been made available to them, run it through a cryptographic hash function, and announce the result.
If anyone's announcement is different from the rest, all participants abandon the round and blame the shuffler whose result was different, excluding them from future rounds. If all the participants announce the same hash, then everyone is prepared to build and sign the same shuffle transaction.
All participants broadcast their respective signatures for that shuffle transaction, and the transaction is broadcast to the mining network.
Here's another revision:
The CashShuffle protocol describes a way that users can trustlessly cooperate to build a bitcoin transaction that mixes up, or "shuffles" their coins, making it harder to use blockchain analysis to determine a user's transaction history. A server is used only to match participants and facilitate communication between them. A CashShuffle enabled wallet will take care of the shuffling process for you, but here's how it works under the hood:
Prospective shufflers tell the server roughly how big the coin is that they want to shuffle
When enough participants for a given coin size are available, the server notifies them that the shuffling process can begin.
Each shuffler announces which coin they want to shuffle along with a public “verification” key so that everyone can be sure that one another's messages are genuine.
Since the exact shuffle amount will be equal to the lowest value coin among the participants, some participants will need change. All shufflers send out another message announcing the bitcoin address where they want their change sent, as well as a second public key, also called the "encryption key", that other participants can use to encrypt messages which can then only be decrypted by the shuffler who generated that public key.
Given 5 participants, Alice, Bob, Carol, Dave, and Erin, the process continues as follows:
The first participant, Alice, encrypts the bitcoin address where she wants her shuffled coins sent using each of the other shufflers’ encryption keys, one after another: first Erin's, then Dave's, then Carol's, and finally Bob's. This results in a multi-layered encryption of her receiving address. That result is then sent to the user who can decrypt the top layer, Bob.
That next user, Bob, decrypts the message he received, which leaves Alice's receiving address still encrypted by Carol's, Daves, and Erin's keys. Bob then encrypts his own receiving address using those remaining participants’ encryption keys in the same order as Alice: first Erin's, then Daves, and then Carol's, and sends both results in random order to the next shuffler whose encryption is at the topmost layer, Carol.
That previous step is repeated for each remaining participant. Each time, a layer of encryption is removed from the messages the shuffler receives, a new message is added to the group of messages encrypted by all of the remaining shufflers' keys, and those messages are all forwarded in random order to the user who can decrypt the next layer, until the final participant, Erin, receives what will have become every other participant’s address, in random order, encrypted with only Erin's key.
Erin, the last shuffler, decrypts all the addresses, adds hers to the list, randomizes their order one more time, and announces the list of addresses for all other shufflers to see. Because the order of each message was randomized on each transfer, it’s impossible for any one participant to know which addresses belong to which other shufflers.
Each shuffler makes sure that their address has been included in the list and that no two addresses are the same.
All participants assemble the components that will be used to generate the shuffle transaction according to the CashShuffle specification, pass them through a cryptographic hash function, and announce the result.
If anyone's announcement is different from the rest, all participants abandon the round and blame the shuffler whose result was different, excluding them from future rounds. If all the participants announce the same hash, then everyone is prepared to build and sign the same shuffle transaction.
All participants broadcast their respective signatures for that shuffle transaction, and the transaction is broadcast to the mining network.
Here's an edit that removes the numbered steps and aims to make it work as a script:
The CashShuffle protocol describes a way users can trustlessly cooperate to build a bitcoin transaction that mixes up, or "shuffles" their coins, making it harder to use blockchain analysis to determine a user’s transaction history. A server is used only to match participants and facilitate communication between them. A CashShuffle enabled wallet will take care of the shuffling process for you, but here's how it works under the hood:
First, prospective shufflers tell the server roughly how big the coin is that they want to shuffle.
When enough participants for a given coin size are available, the server groups them into a pool and notifies them that the shuffling process can begin.
To start the process, each shuffler announces the coin that they want to shuffle and also a public key that the others can use to verify that their messages are genuine.
Since the shuffle amount will be equal to the lowest value coin among the participants, the rest of them will need change, and so next they announce the bitcoin address where they want their change sent.
They also announce a second public key, their "encryption key", which other participants will use to encrypt messages which can then only be decrypted by the shuffler who generated that public key.
Given 5 participants, Alice, Bob, Carol, Dave, and Erin, the process continues as follows:
The first participant, Alice, encrypts the bitcoin address where she wants her shuffled coins sent using each of the other participants encryption keys, one after the other: First Erin's, then Dave's, then Carol's, and finally Bob's. This results in a multi-layered encryption of her receiving addres which is sent to the user who can decrypt the top layer, Bob.
Bob decrypts the message he received, which leaves Alice's address encrypted by Carol's, Daves, and Erin's keys, and encrypts his own receiving address using those remaining participants’ encryption keys in the same order as Alice: first Erin's, then Dave’s, and then Carol's. Both results are then sent in a random order to the next shuffler whose encryption is at the topmost layer, Carol.
That process is repeated for each remaining participant. Each time, a layer of encryption is removed from the messages the shuffler receives, and a new message, encrypted by all of the remaining shufflers' keys, is added to the group of messages before they’re forwarded in random order to the user who can decrypt the next layer.
The last shuffler, Erin, will receive every other participant’s address, in random order, encrypted with only her key. She then decrypts all the addresses, adds hers to the list, randomizes their order one more time, and announces the list of addresses for all other shufflers to see.
Because the order of the encrypted addresses was randomized each time they were forwarded, it’s impossible for any one participant to know which addresses belong to which other shufflers.
After verifying that their addresses have been included in the list and that no two addresses are the same, all participants assemble the data that will be used to generate the shuffle transaction according the the CashShuffle specification, pass them through a cryptographic hash function, and announce the result.
If all the participants announce the same hash, then the shuffle transaction is constructed with the inputs that were announced publicly by the shufflers and outputs that are unlinkable to their owners because of the shuffling process.
Finally, all shufflers announce their respective signatures for that transaction, and it can be broadcast to the mining network.
New short script for animated video:
CashShuffle brings privacy to Bitcoin Cash!
Using CashShuffle, participants cooperatively build a Bitcoin transaction that mixes up, or "shuffles" their coins, making it harder to determine your transaction history using Blockchain Analysis. Not even the other participants in the shuffle know which of the shuffled coins is yours!
Wallets with CashShuffle built in will do everything for you automatically, but here’s how it works under the hood:
Let’s say that Alice, Bob, Carol, Dave, and Erin are shuffling their coins together.
The first shuffler, Alice, encrypts her secret bitcoin address using encryption keys provided by all of the other shufflers: First Erin's, then Dave's, then Carol's, and finally Bob's. This multi-layered encryption of her address is then sent as a message to the user who can decrypt the top layer, Bob.
Bob decrypts the message, which leaves Alice's secret address still encrypted by Carol's, Daves, and Erin's keys, and then encrypts his own secret address using those same keys: Erin's, then Dave’s, and then Carol's. He sends both encrypted addresses in random order along to Carol, who can now decrypt their top layers, but can't tell whose is whose.
That process is repeated for each remaining participant. Each time, a shuffler removes a layer of encryption from the messages they receive, and add a new message to the group, encrypted by only the remaining shufflers' keys.
The last shuffler, Erin, will receive every other participant’s address, encrypted with only her key. She then decrypts all the addresses, adds hers to the list, randomizes their order one more time, and announces the list of addresses for all other shufflers to see.
The shuffle transaction can now be constructed without anyone knowing which addresses belong to which other participants!
Increasing your privacy on Bitcoin Cash with CashShuffle is Safe, Easy, and costs less than a penny. Visit CashShuffle.org and start shuffling today!
I love how this reads. 100% It's easy to follow and captures the essence of how it works. Thanks. I think the community will appreciate this -- you should post it on reddit, etc.