-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Thank you for taking the time to detail us your findings. We are happy for you to share our response below on your Github and/or blog. We hope that this scrutiny, and our response to it, encourages users to gain more confidence with our new implementation of Whirlpool.
So far, we have had two users email us to highlight concerns that have been raised on social media such as BitcoinTalk and X. We have responded to these queries but are not aware if those users have publicized our responses. Those that have leveled criticism have not contacted us directly.
Overall, we have been pleased to see the reactions to our release. It is unfortunate that because we have forked and built upon a project that some of these developers have had animosity towards in the past, that they expect malicious intent from us. We have already demonstrated that we will make changes to our codebase based on user concern as can be seen by our efforts on reproducibility.
General criticism
Initial conclusions drawn by 1440000bytes on key tagging were based on looking at the wrong repository. This was not a "helpful review" of our codebase. 1440000bytes subsequently raised concerns about DoS issues. We acknowledge that DoS chances have increased on our implementation of Whirlpool compared to Samourai but we reject the assertion that Yuval Kogman made that it is a regression to Wasabi 1's trivial DoS vulnerability as the structure of the coinjoins are different. We believe we are able to mitigate DoS issues by the server storing signed messages from the client although this is a secondary concern to resolving linkability.
1440000bytes links to posts made by Yuval Kogman further down the thread which criticises our verification of RSA signatures. We believe Kogman's main concern is the key tagging and the way this could be used by the coordinator to undermine the privacy benefits of a coinjoin cycle. We are internally testing a remediation of this attack vector now where the client provides a message consisting of a base64 of a pool ID and a block hash during a recent time range. The server will validate and sign this and the client subsequently validate.
Whilst not mentioned in your article, we are also aware of criticism around our coordinator being able to attack other theoretical Whirlpool coordinators as well as that the client can apparently “steal your money’. Firstly, we are not interested in encouraging additional coordinators in the way Wasabi/Wabisabi does as it splits liquidity and any new coordinator could implement pool registration in their own way or use different pool denominations. Secondly, the client (e.g. Ashigaru Terminal user) has full control over their funds and the code can be verified that it presents the user an accurate summary of the Transaction Zero, including anti-Sybil and mining fees, prior to the user choosing to manually broadcast the transaction. We have no intention to deprecate the SCODE functionality. Whilst we are not making use of it now and don’t intend to use it for marketing, it offers opportunities for decentralization of coordination.
Blog post recommendations
Our primary recommendation is for the Ashigaru development team to implement per-round RSA key rotation while maintaining the protection against per-client differentiation. This would involve generating fresh RSA keypairs for each mixing round while ensuring all participants in the same round receive the same key.
We have not seen a way to achieve this and believe a single RSA key is still the best approach, albeit with enhancements we will add in our next release.
Additionally, we recommend implementing shorter key lifetimes as an interim measure, such as daily or weekly key rotation
This is something we could look at implementing in the “Ashigaru Hanzaki” manner, although we would need to consider any RSA key rotation carefully to avoid reintroducing the key tagging attack.
The development team should also consider implementing the full ZeroLink specification with proper anonymity set isolation between rounds and forward security properties that protect past mixing sessions even if current keys are compromised.
We are aware of this and this but these are outdated and the implementations have since deviated from the theory. Can you reference where in the ZeroLink specification this is stated?
Email recommendations
The only good solution for a truly trustless zerolink coordinator relies on a system allowing clients to have access to all messages received by the coordinator. It's the only solution allowing clients to fully check that the coordinator isn't cheating during its operations like, for example, during the selection of the freeriders. As long as some information available to the coordinator are hidden to clients, there will be opportunities for cheating.
We would caution against using definitive statements such as “only” in this context. There would be privacy trade-offs to such a system should client-server communication be, essentially, public. The current architecture allows users to only disclose to the coordinator when they are online and they can rely on their own remixes to judge whether the coordinator is acting honestly. Nevertheless, we intend to provide more data to inform users about available Whirlpool liquidity and rounds of mixes that have occurred.
It was the direction taken by Samourai Wallet with the project to decentralize Whirlpool and the exchange of messages over Soroban.
We are not sure how using Soroban would guarantee that all messages submitted by a client to the server could be seen by other clients and therefore audited. Further detail on this would be welcome should the expert you mention be willing to share.
Decentralization of Whirlpool is something we wish to further improve upon but we are not sure how Soroban assists in this yet. We are not aware of how successful the discovery of replacement coordinator servers were in the weeks following this announcement and there are still central databases and anti-Sybil fee wallets that are not easily shared and remain a central component to the Whirlpool architecture.
I hope that projects (like Ashigaru) that try to resuscitate whirlpool will continue on this path.
The Ashigaru Open Source Project is not trying to “resuscitate [Samourai’s] whirlpool”. Whilst we have forked Samourai’s codebase, we have made a number of changes, and open sourced our own version/implementation, hence the name “Ashigaru Whirlpool”.
To “continue on this path” of any sort of Samourai’s vision, there are many unknowns which were not publicly shared and of which the Ashigaru Open Source Project is not privy to. For example: how many further steps of decentralization were there to be, and the scope of each step.
It is our goal to continue to iterate on an already thoughtful and complex codebase from which we forked. We will continue to better our software in the best way we see fit, taking into consideration any and all responsible disclosures and feedback. (Please remind your audience that we hold no social media presence, and may be contacted via email following the instructions on our website). -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERF+AeZb3BYa3Fce4oTgGsfoqZ2sFAmh2HrgACgkQoTgGsfoq Z2vE+RAAin787XCnxk+LUyXLBWXgR8uB0b1PRbtLok5XJHLVZ5ZaP4W3L1PC0C5j uRCGlgX00Gzv23dYLeLEo4ZKmQSsa3gxJWrw5LTatu9/p3sCKy9PP/D4nKhiAlWW D0/E24q40YFSb1wr6aRZElWiy3KEpViLldbA9+N8oyYYw0MEMCNyPTmYrj0G62AX yHJqGYlk8Im6kuYfnOrEALazB+m12hkahXbjmpZ7CoBAYWOptaCR1iyOL+wvCMtw 7yqyk3VvBTB6Uosb5i9XcDEePxDvxWi0oZCtCm1VCGlng0PFGH1kVOVzKF8PrFkf XK/QZ2P2aByMaoBGGt/4lNm+1OTDN8kwYYoM0EndedW0BtE+KhDhOr1XEMp+fptl P+V37jv5OpgVUxUPLrMwilRgR0lPUa956rv15dmCXrJc5EV8iVOUrA/Y3EJPn6jN /AahLPhVtDUt/NUKeMoVRE59TPlWZrSkmjBGHFuyBrJSmAtNLUnGLUVj9Fz4n7ak k3xdI6bzWY30CkXx2QAV9tziEbhzSMUF0c/tyyGQ2YNUrd/s0GkhPeWedUiGBaKp U/n0u7+STKtxK9ilW4tk8ocJZ2viQVfn4mUQ0vldlwlvFy6oXYSWoWzXY46z9tEY /y8NkIZx2e2gtJ32T+RnZhG4yY4fg4OakvSOstVBQQj6eZLuM10= =hc7O -----END PGP SIGNATURE-----
The "expert" mentioned was LaurentMT on X.