On 07/23/2015 08:42 PM, Slurms MacKenzie via bitcoin-dev wrote:
>> From: "Eric Voskuil via bitcoin-dev"
>>
>> From our perspective, another important objective of query privacy is
>> allowing the caller make the trade-off between the relative levels of
>> privacy and performance - from absolute to non-existent. In some
>> cases privacy is neither required nor desired.
>>
>> Prefix filtering accomplishes the client-tuning objective. It also
>> does not suffer server collusion attacks nor is it dependent on
>> computational bounds. The primary trade-off becomes result set
>> (download) size against privacy.
>
> Keep in mind this is the similar premise as claimed to be offered by
> BIP37 bloom filters, but faulty assumptions and implementation
> failure in BitcoinJ have meant that bloom filters uniquely identify
> the wallet and offer no privacy for the user no matter what the
> settings are.

Yes, quite true. And without the ability to search using filters there
is no private restore from backup short of downloading the full chain,
rendering the idea rather pointless.

This is why privacy remains a significant issue. Privacy is an essential
aspect of fungibility. This is a central problem for Bitcoin. The
correlation of addresses within transactions is of course problematic.
Possibly zero knowledge proof will at some point come to the rescue. But
the correlation of addresses via search works against the benefits of
address non-reuse, and the correlation of addresses to IP addresses
works against the use of private addresses.

Solving the latter two problems can go a long way to reducing the impact
of the former. But currently the only solution is to run a full chain
wallet. This is not a viable solution for many scenarios, and getting
less so.

This is not a problem that can be ignored, nor is it unique to Electrum.
The Bloom filter approach was problematic, but that doesn't preclude the
existence of valid solutions.

> If you imagine a system where there is somehow complete
> separation and anonymization between all requests and subscriptions,
> the timing still leaks the association between the addresses to the
> listeners.

Well because of presumed relationship in time these are not actually
separated requests. Which is why even the (performance-unrealistic)
option of a distinct Tor route for each independent address request is
*still* problematic.

> The obvious solution to that is to use a very high latency
> mix network, but I somehow doubt that there's any desire for a wallet
> with SPV security that takes a week to return results.

Introducing truly-random timing variations into the mixnet solutions can
mitigate timing attacks, but yes, this just makes the already
intolerable performance problem much worse.

e