I just realized there’s an even more obvious solution and I believe a better one. Mixnodes add their partial excess when going forward and they sign the total excess and adjust the offset when going backwards. Why is this better? Because we have a single kernel with the same guarantee as with M kernels (no undo attack if 1 is honest), but more importantly, it makes the tx indistinguishable from other N-N transactions with 1 kernel. An observer can’t know if it was a coinswap or not (I expect many different coinswap services around, not just the daily one). Even more so, it doesn’t leak any data as to how many mixnodes were involved which is especially important when the users themselves are a mixnode. On top of that, it allows a user to create an N-N tx which contains self spends all from the same user and nobody can tell if it’s a self spend or coinswap.
8 Likes