Bitcoin Forum

As several of you have already found out, I'm currently running a cryptographically anonymous bitcoin mixer at https://blindbitcoin.com (https://blindbitcoin.com). I was planning on keeping this whole thing under wraps for a bit longer, but since people have already discovered it, I may as well make this announcement.

The site is still a "beta" service, so please be patient while I get all the kinks worked out.
None of the existing functionality is going to go away, nor am I going to break compatibility with the way the site currently runs. Most of what I'm going to be doing over the next few weeks is bug-fixing, and cleaning up the code. I'll release my source via the link on my site tomorrow (6/7/2011) morning around 9AM EST.

Right now the site charges a 0.02BTC commission. This is how much it costs my system to transfer bitcoins internally paying a transaction fee of 0.01BTC per KB. Once I've got all the bugs worked out, I plan to charge a 0.75% commission on new transfers. Transfers already made and tokens already issued will not be subject to this new charge.

A few people have emailed me about my use of the OpenCoin protocol. I don't actually use the OpenCoin protocol as it is written. I found their paper to be very interesting and I used a few modifications that they suggested to Chaum's original protocol.

Who am I?: My name is Duncan Townsend. I am a student at the Massachusetts Institute of Technology. I started writing my website because I found David Chaum's blind signing protocol absolutely fascinating and I saw its application to bitcoin. I don't consider myself particularly well-qualified to implement crypto, so I haven't actually implemented any cryptography in the course of writing my site. All the cryptography (with the exceptions of what I mention here: https://blindbitcoin.com/security.html (https://blindbitcoin.com/security.html)) was taken from someone else's published cryptography library.

I'd like to hear from the community what they would like to see in the way of explanation or features. I'll be checking this thread all day, so post anything you've got here.

Following this thread.

Nice clean looking site btw.

Loving the site.  Great job, it looks great and I'm sure there are some users with a need for this service.

Nice. Do you intend to make it Android friendly too? BTW I hate the captcha - I find the 1+1 challenges much easier.

I'm sure people will find this service useful.  8)

@mother_of_another: Thanks! I put a lot of work into that. Do you have any comments on usability/aesthetics?

@Oldtimer: Yes I do plan to make the site mobile friendly. I was unaware that it did not work on Android phones, but that is now on my TODO list. Thank you! Sorry about the captcha, I'm seriously considering replacing it with a different part of my API, but right now my number 1 priority is getting my code into a state that I can release tomorrow morning.

I hope this time the tumbler implementation gets the approval of the people that understand the stuff, from what i've read previous attempts had severe flaws that made them not all that helpful with anonnymizing coins

@TiagoTiago: Do you have a link to a discussion on how to best anonymize bitcoins? I've been sending all the bitcoins in my service to a single address (address, not account) from where they are eventually sent out when they are needed. I assumed that this was the "correct" way to do it because the address is the finest granularity one could observe. Thanks!

Mark this, I believe it will be useful.

However, right now the source code is not available, so I can't trust you.

@gongcheng: Thank you for your healthy skepticism. You can examine the client-side code in your browser and verify its correctness. The full source will be available by tomorrow (6/7/11) at 9AM EST.

I have posted my source code here: https://blindbitcoin.com/blind-bitcoin.tar.gz (https://blindbitcoin.com/blind-bitcoin.tar.gz) the detached signature is here: https://blindbitcoin.com/blind-bitcoin.tar.gz.asc (https://blindbitcoin.com/blind-bitcoin.tar.gz.asc)

Enjoy!

+1 to duncant and his service. I had a problem getting at a blinded token, and he worked with me and restored my btc. Looking forward to his progress.

Fantastic! I've been wondering how long till something like this comes about.
Most of it was over my head though. ???
Could the user wait a long time to redeem the coins? Or do you normally do it right away? If I say, kept the token somewhere safe I could redeem it sometime in the future or would it expire eventually?

+1 to duncant.  Nice planned implementation. I think I'm the one who found it over the weekend and tweeted it. Sorry to blow your cover, secret squirrel, but things are starting to move fast now. I also posted it to mikegogulski on the Bitcoin Laundry thread where it is being discussed here,  http://forum.bitcoin.org/index.php?topic=6891.0

@tehcodez: sorry you had a problem. As of this morning, I believe that I've fixed the problem that people were running into. Also, I implemented the session-recovery feature, so everything should be very robust. I'm glad I could be of service.

@bitlotto: Yes, right now the way the system is configured, you can wait up to 53 days to redeem the coins. You can also redeem them right away. I'm going to increase the amount of time that you can hold onto your tokens once I fix the last of the bugs. You should protect your tokens just like your bitcoin wallet. Anyone who gets that token can redeem it, and tokens can only be redeemed once.

@matonis: No hard feelings, everything is mostly ready to go. I'd have liked to get a little more of the explanation finished, but I'll just push out those changes as I finish them. Thanks for the kind words and the publicity!

I just read how Bitcoin Laundry's payout works. This seems like a very useful system. I'm going to look into the possibility of paying out for tokens over a period of time in random payments instead of all at once.

Once everything is stable, I'll make an announcement for anyone who's interested.

There was some discussion on the topic in that thread about Bitcoin safety for illegal trading and stuff for example, i think i was called somthing along the lines of "how safe is Bitcoin for illegal busyness" or somthing, not sure exactly; lemme know if you can't find it on the forum and i'll see if i find it in my inbox (been following that discussion)

+1

I can confirm that it is working, tried it with a 3-number sum of coins.

Nice site. Nice service.

You should consider allowing people to conduct transaction with the mixer of only a single size, e.g. 5BTC.  Otherwise an attacker could try some statistical analysis to identify coins in with coins out.  With a single transfer size, there will be no way to associate input size with output size.

Next, you really should check out the legalities of this.  If you offered such a service with paper money, your most obvious clients would be organised crime and you'd probably be classified as a money launderer.  I had been thinking of setting up a bitcoin mixer, but got turned off once I thought of this issue.

I didn't try it out, but the service looks promising. Nice work.

Great work Duncan.

Few questions;

- how do we know that the s/ware running on the web server is the same s/ware represented by the posted source code? (seems like this throws up an interesting technical problem of an "untrusted" server being verified to be running trusted source, maybe it has been solved elswhere?)

- can you list any relevant technical stats that are not revealing but may serve to build trust in the integrity of the servers operation? .... throughput, total tokens blinded, issued, redeemed, faults, etc


I disagree with this statement. Due to the public record of transactions of bitcoin, the most basic of transaction privacy can only be achieved by blinding services or "laundering" (perjorative, vague term anyway) ... the "most obvious client" is everyone who desires privacy for their individual transactions. Who amongst us would actually say "I prefer less privacy" when it concerns their own private transactions?

Simply put, privacy is not just for criminals, because the medium of exchange, bitcoin, is a fully open public transaction record, everybody needs blinding in this scenario.

@fergalish: I'll do you one better. By Sunday, I'll have rolled out a new pay-out system that should resist statistical analysis of the block chain. I'm doing some testing on it right now, to make sure that it's actually as difficult to analyze as I want it to be. You'll be able to pay in as much as you want, but how I pay out will be the anonymizing part.

@noone: There's no way I can make you trust that the code I'm running on the server is what I'm distributing. However, this is not a requirement for the system to be trustworthy and secure. You only have to trust that the client code functions as advertised. It is easy (well maybe not easy, but possible) to review the client code in your browser before running it. The worst that I could do to a client running functionally correct code is run off with their money.

I'll post technical stats once I finish the new pay-out system. Actually, once I finish the pay-out system and make sure there aren't any bugs, I'll declare the technical part of the service finished. Then I'll start work on making a mobile-friendly version of the site.

I agree with noone on the privacy point, but just to have my bases covered, I'm saving up (poor, starving student, and all that) for a legal consultation. If it turns out that this sort of thing is a huge liability, I'll find somebody who wants to deal with it and hand over all my source and non-source assets to them so that the site doesn't go away.


This is an awesome quote. Do you mind if I use it in the future?

Don't mind, attributable to no one.

Duncant, you say on your site that "The payout schedule for this service is not secure against analysis of the bitcoin chain." 

Is that a reference to the problem that occurs when you have to few customers and/or to many different sizes of coin, or is it something else?

The problem is that there are too many unique transaction sizes. I've had a fix to this problem in the pipeline for the last few weeks (see my last post), but what with the MtGox hack and my day job's machines all deciding to crash, I haven't gotten the chance to work on it solidly.

As you may have noticed, I've taken the site down for the weekend to get this and a few other bugs fixed. Everything will be back (and better) on Monday. The warning message that you quote will be gone because I'll have fixed that flaw.

Also, for anybody who's interested. I've consulted off-the-record with a few lawyers about the legality of this sort of thing. They're all of the opinion that this certainly does not constitute money laundering because bitcoin isn't "really money" in the eyes of the law. It could, possibly, be consider smuggling, but that is unlikely considering that no physical goods are exchanged.

I don't see how it could be. It is a purely mathematical process performed on some electronic data. Are we going to outlaw any electronic maths next? Is that the realm of insanity the totalitarians are taking us into? Money needs to be free or it no longer functions as money, and all society suffers for it.

I'd suggest consulting on the record with a lawyer who has significant professional standing to lose.

Almost any "front" can be used to launder money, even an actual laundromat.

I am not a lawyer, but if I used my laundromat to launder money I would not expect to get off by saying "but laundry is not real money" nor "but all I was doing was smuggling real money into the laundromat and out again, not actually putting it in the washing machine!"

-MarkM-

Oh, absolutely. I'm still looking for a lawyer who is comfortable with both IT law and financial law to give me an on the record consultation.

To go back to your actual laundromat analogy: consider if a criminal buy a bunch of dirty clothes at Goodwill with his dirty money and then washes them at a laundromat. He sells them to someone who is unaware of the origin of the clothes because they are now clean and whiter (assume the criminal used bleach :P). The laundromat would not be "on the hook" for money laundering because they never handled "actual money". I believe this is analogous to bitcoin anonymizers.

I agree this is really dumb from a liability perspective and you are asking for trouble IMO.  If you are at The Institute and don't want to spend money on a lawyer, I would strongly suggest you consider talking to Ron Rivest.  He is not a lawyer, but I think he will be able to give you very very helpful advice.  First he is very familiar with anonymous e-cash, as he's studied and published on it.  He's also started two crypto-based micropayment companies (peppercoin and another) so he is likely quite familiar with the relevant laws.  Third, and most importantly, he has first-hand experience in dealing with situations where ugrads get themselves into a world of shit (see charliecard incident).

Now, to be a huge asshole and maybe motivate you more, I'll say frankly I'm not impressed with this.  I bet I could take a uniform random ugrad in CSAIL, hand them a basic description of blind sigs, and they would produce what you did.  Here is what would impress me: do this without any liability by not requiring trust even for you to not run with the money (i.e., let people do this entirely p2p without trusting anyone).  Seriously, think about it before you read the next paragraph, and if you realize how to do it great.  If not I probably wouldn't either when I was a ugrad, so here's how to do it.  Unlike blind sigs, even with this description there is quite alot of work to go from idea to reality.

---

What you are basically providing is a protocol where N people can submit bitcoins to an address under your control, and then you will spend them back to N different addresses without knowing the mapping.  First observe people don't need you at all for this, because bitcoin supports multi-in, multi-out TX.  So N people can do this without you.

Attempt 1:  N people who want to mix coins get together and build a TX.  We get together in a circle and, starting from a blank piece of paper, pass it around the circle, each step adding our input and our output to a random location.  After it has been passed around once, it gets passed around again.  This time, assuming my input and output is still there, I sign the tx and pass it on.  If everyone signs it, it is broadcast and we're done.

Problem: This is entirely secure from outsiders, but leaks information to other participants.  E.g. if you are first in the circle and I'm second, I know your input/output mapping.  Similarly if you're last and I'm second-to-last.

Corrrect solution:  Realize what you have is basically a protocol for N+1 participants, where one is a trusted third party to do the input/output mapping.  There exists a generic transformation, called Secure Multi-party Computation (http://en.wikipedia.org/wiki/Secure_multi-party_computation) that takes such a protocol and eliminates the trusted particpant to yield a cryptographically sound protocol performable by the N parties.  More precisely, for any function f, N people can compute f(x1,...,xN) without revealing their xi.  At the end each party only learns about others' input by what is revealed from f() itself.

So here the setting is xi = (input_i, output_i, secretkey_i, random_i) where input/output are desired addresses, secretkey is the ECDSA key for the input, and random_i is enough random bits to specify a random permutation perm_i on [N].  The output is the following TX, signed by all parties.  Let perm = perm1 o perm2 o perm3 o ... o permN.  Note that if even a single person chooses his permutation at random, then perm is a uniformly random permutation.

inputs: input1, input2, .. inputN.
outputs: output_perm(1), ..., output_perm(N)

Note at the end, all I learn is the inputs, outputs, and that in the overall perm my input was matched to my output.  In particular, the input:output mapping is a random permutation conditioned on knowing the value at one point.

Now that would impress me, and many others too.  In particular existing MPC protocols are likely not practical.  You will likely need to do some work studying the work on 2PC that has been done since the 80s to make it practical.  AFAIK not much has been done since the original defn in [Yao 82] to make general MPC practical.

It's also possible that there's a way to make the paper-passing protocol secure with many more rounds that involve adding garbage addresses and removing other peoples, only to have them add a new one back later.  It seems tricky to get privacy and get something like this to eventually converge, but I can't rule it out entirely so wouldn't dismiss it yet.

I assume that the point is that Chaum's scheme is for offline cash payments??  His system detects double payments after the fact.

Since bitcoin is inherently online, there is a lot of redundancy in the system.

This is an intersting idea. I'm assuming that to make the coins anonymous, a set denomination needs to be used, and the coin mixing process need to repeated multiple times, preferrably with different, new members, over the network.

I can't really help the OP with this problem, but I hope someone tackles and implements this. Doing a cursory glance there appears to be quite a lot of new work on MPC. e.g.
Secure multi-party computation over networks, Nishitani Y, Igarashi Y 2000

No bet. I am a "random ugrad in CSAIL" and I've been called a great many things worse than that.

Thanks for the suggestion to see Prof. Rivest.

I was not aware of Secure Multi-Party Communication. This is just a side project of mine, I'm more of an AI guy than a crypto guy. I think if someone were to implement the scheme you describe, it would have to be either as an extension to the bitcoin client or in the bitcoin client itself. If I have the opportunity (read: time), though, I'll definitely work on this. Thanks a bunch for the suggestion. It seems like the "right way" to do bitcoin anonymizing.

This would indeed need separate client software (once you do p2p instead of centralized, you need your own software.  what a shame! If only it were as easy to launch new p2p software as it were to start a website.  Hmm....), but I was not thinking including in bitcoin since this is something highly specialized.  Presumably this would be something like the TOR network for bitcoin: a separate p2p client for mixnets.

Secure MPC is quite interesting and in general you can think of it as the "big hammer" or perhaps more like the "nuclear bomb" of cryptography.  Every sophisticated crypto protocol we know of (anonymous e-cash, secure electronic voting, zerk-knowledge proof) is infact a special case of secure MPC.  The problem is because its so general it's not practical yet, so while we knew how to do these things using MPC, to do them in real life typically one needs to come up with a special case solution.  However, taking a protocol, doing the secure MPC transformation on it, and then simplifying from there can be good.   In particular a hot-potato scheme where a list is passed around and when it gets to you, you shuffle the outputs, replace your output with a new one, and pass it on could possibly be a starting point.   In particular this scheme protects the last K from the K+1'st-to-last.

Also I wouldn't consider being called a "random CSAIL ugrad" a bad thing, I was just trying to motivate you to make a better system that actually protects you  :P

Hey all. My site is currently down while I figure out a bug that somebody was able to exploit to insert erroneous pay-outs into my scheduler.

Rest assured that I have the bitcoins to honor legitimate pay-outs and that business will resume as soon as I find the bug.

Scratch that on the business resuming.

I have decided that the liability of running a site like this is just too great and the monetary benefit is too small.

I will continue to honor unredeemed tokens and existing scheduled pay-outs, but I will not be accepting new transactions.

I anyone wants to carry on this site, I can help you get everything up and running.

--Duncan

Duncan,

Thanks for putting this together. Hopefully someone will take it and run with it. People deserve privacy in their personal affairs.

Trader Steve

Site says closed for good?

Yeah, I think so. The potential liability of somebody finding an exploit and stealing from my customers, plus the potential legal liability is too much to shoulder for the amount of money that I could potentially make on that sort of thing.

It makes me very sad to have to close the site, especially after I've put in n-hundred hours of work on it, but I think this is the best option.

I'll reiterate: if anyone wants to take over operating the site, I will give any and all assistance I can. I really don't want to see this site die, even if I can't run it anymore.

Duncan, with your generic message on, I can't tell much about the technology.  What language and database did you use?  What compensation are you looking at in exchange for transfer of the service?

The site is written in Python, using Twisted. The RSA parts of the site are written in C (via pycrypto) for speed and python calls out to it via the CPython C-extension api.

The database is MySQL, but you could easily port it to Postgres since the Twisted API for MySQL and Postgres is the same.

The client-side code is all javascript (obviously) and I use jQuery as well as jsbn (javascript bignum) and some other libraries that are GPL/BSD licensed.

If you're interested in running the site, shoot me a PM and we can work out compensation, etc.

Subscribing... Am interested in hashcoin's ideas too...

Once I get back to a real computer I'll be able to type more (on my phone right now) but how does the protocol overcome the fact that the input amount for person x will match the output for person x. Am assuming that you could potentially have a set of fixed transaction rings that you join each one with a set btc amount? Then I suppose it would just be a matter for the software to split the btc amount down amongst each ring?

OP - sorry you had to close your site, bitcoin needs more people like you making solutions and services
.
Will

I don't want to dissuade others, so I'm posting here that I'm not interested.  I think it's a great idea, but I don't have much experience with those technologies.   :(   Good luck!

This is correct ofcourse -- everyone needs to put in the same amount.  Presumably there would be a number of  "mix clubs" runing at a time, each for different amounts.  Rather than discuss here I'll make a thread in dev section.

Since MPC relies on at least one server being honest anyway, could this proposal be simplified by having each participant send their bitcoins to a pool controlled by unanimous consent of the mix operators, prior to the computation?  They could use the keys they sent with to sign the pieces of (output_i, random_i) sent to each of the servers to prove they are valid.  They could receive a locked transaction signed by all the servers which will return their coins in the event that unanimous consent is not reached by the servers to distribute the coins.  Thus, the only way for participants to lose their coins is for all of the mix operators to collude.

Also because we're relying on at least one server being honest, do we really need a random_i from each of the mix participants?  Could we get away with just having one from each of the servers?

I have no idea how the MPC is done from here, though.  But here's an interesting paper http://eprint.iacr.org/2008/068 (http://eprint.iacr.org/2008/068) describing a recent successful implementation of MPC with three servers and over 1000 participants in an real world auction.

I question if this kind of machinery is necessary for a mix, though.  Couldn't the same result be achieved by the mix operators doing the above pooling, and selecting a server to issue untraceable, unlinkable digital cash in exchange for the bitcoins?  The participants could then break their digital cash up into standardized sizes that maximize the size of the anonymity set, and then redeem the pieces to separate bitcoin addresses.  Of course the server would have to run as a Tor hidden service in order to obfuscate participants' IP addresses.

Hello, I noticed blindbitcoin.com is down. Has this been discontinued?

DNS appears to be inaccurate (resolves to IP address 1.2.3.4.)

As the TS has written in post #35, he is no longer running the service.

However, you may wanna check out our service: https://bitcointalk.org/index.php?topic=50037.0
We already superseed blindbitcoin in functionality, run through TOR, and have a couple of other advantages.
The Fog is not based on blindbitcoins however, and thus we don't share any of its bugs that may have led to discontinuation of its service.

(sorry for the shameless plugging, but it seemed like you were searching for a good working anon-service)