Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: gmaxwell on January 28, 2013, 11:30:14 PM



Title: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on January 28, 2013, 11:30:14 PM
Ever since I was a wee lad I've had a dream .... a dream of being incorrectly assessed as impossibly rich by brain-dead automated analysis.  Now with your help I can be!

Here is how it works:  A lot of people mistakenly assume that when a transaction spends from multiple addresses all those addresses are owned by the same party.  This is commonly the case, but it doesn't have to be so: people can cooperate to author a transaction in a secure and trustless manner.   We can make it a lot easier for people making this mistake to discover their folly by making there be a single address that seems linked to everything.

So I'm generously offering to link my forum signature address with the universe. Here is where you come in:  I need someone to provide the universe.  

Here is how it works: You write a transaction that spends some of your coins, and one of my 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB coins:

d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59:1   value 1 BTC

You send your coins back to a (new) address of yours and you send my 1BTC back to me at 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB.

You sign this transaction— but it's not valid until both of us sign it. You send it to me (via PM, anonymous gpg encrypted email, or a post in this thread) and if I like your proposed transaction I'll sign it and announce it.  If you think your proposal is especially attractive— e.g. you're going to link me to a 100,000 BTC coin,  maybe you don't send all of that 1 BTC back to me, and maybe I'll still accept your offer (but someone else may offer a linkage just as good for less, so bid wisely!).  The most attractive offers will involve very high value coins, or from well known public addresses and will either give me all my coin back, or even more.

After I accept whatever offer I accept, I'll post a new coin of mine for people to attempt to spend.. and we'll keep it up until people who think simplistic 'taint' analysis works get a clue.

To actually do this in bitcoin-qt/bitcoind, open up the console (in the GUI, help->debug->console) and run listunspent; you'll get output that looks like this:
Code:
listunspent

    {
        "txid" : "5e43cca439b784b8dd96035bde4573f16c0d884e1c4ba70a9fc58738af444e73",
        "vout" : 2,
        "scriptPubKey" : "76a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac",
        "amount" : 0.01456000,
        "confirmations" : 28622
    },

These are your unspent coins. You can look up the txids to see which addresses they were paid to.

Now create a transaction spending the coin you picked and mine: (I'll use the above coin, but you should replace the txid, vout, and amount with something from your listunspent)

Code:
createrawtransaction '[{"txid":"5e43cca439b784b8dd96035bde4573f16c0d884e1c4ba70a9fc58738af444e73","vout":2}, {"txid":"d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59","vout":1}]' '{"1AywL2iC7ywJCTtXb8G49WeWgEL9qCBh61":0.01456000,"1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB":1.0}'

You'd replace 1AywL2iC7ywJCTtXb8G49WeWgEL9qCBh61 with an address of yours. And the 0.01456 with the amount of that coin— or less if you intend on giving away some of that money as fees or giving it to me to support this fun project. :P  (if you're going to give or try taking from me adjust the amount of 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB).. In any case the value of my input is 1 BTC, the sum of outputs must be equal to or less than the inputs— any unaccounted for coin is fees.

You leave the second txid/vout alone (or replace it with one from later in this thread)— that's my coin that you'll be spending.  If you want to be advanced about it you can spend several of your coins, or even get a couple friends to each chip in a coin.

This will result in a long hex string, like:

Code:
0100000002734e44af3887c59f0aa74b1c4e880d6cf17345de5b0396ddb884b739a4cc435e0200000000ffffffffb58749a8dfc5502647062e6d0105f65b8c7c58252f0853b7260bd01ffa377b1d0000000000ffffffff0280371600000000001976a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac00e1f505000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac00000000

You can feed it to decoderawtransaction to see if you like it:

Code:
decoderawtransaction 0100000002734e44af3887c59f0aa74b1c4e880d6cf17345de5b0396ddb884b739a4cc435e0200000000ffffffffb58749a8dfc5502647062e6d0105f65b8c7c58252f0853b7260bd01ffa377b1d0000000000ffffffff0280371600000000001976a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac00e1f505000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac00000000

{
    "txid" : "e8e0ebd096171479b060ba7f3e009955f72fb64b8eac51d17f76ee175d99d212",
    "version" : 1,
    "locktime" : 0,
    "vin" : [
        {
            "txid" : "5e43cca439b784b8dd96035bde4573f16c0d884e1c4ba70a9fc58738af444e73",
            "vout" : 2,
            "scriptSig" : {
                "asm" : "",
                "hex" : ""
            },
            "sequence" : 4294967295
        },
        {
            "txid" : "1d7b37fa1fd00b26b753082f25587c8c5bf605016d2e06472650c5dfa84987b5",
            "vout" : 0,
            "scriptSig" : {
                "asm" : "",
                "hex" : ""
            },
            "sequence" : 4294967295
        }
    ],
    "vout" : [
        {
            "value" : 0.01456000,
            "n" : 0,
            "scriptPubKey" : {
                "asm" : "OP_DUP OP_HASH160 6d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c OP_EQUALVERIFY OP_CHECKSIG",
                "hex" : "76a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac",
                "reqSigs" : 1,
                "type" : "pubkeyhash",
                "addresses" : [
                    "1AywL2iC7ywJCTtXb8G49WeWgEL9qCBh61"
                ]
            }
        },
        {
            "value" : 1.00000000,
            "n" : 1,
            "scriptPubKey" : {
                "asm" : "OP_DUP OP_HASH160 65a034285ca12eebfbd533cb013f1394ee11d4f8 OP_EQUALVERIFY OP_CHECKSIG",
                "hex" : "76a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac",
                "reqSigs" : 1,
                "type" : "pubkeyhash",
                "addresses" : [
                    "1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB"
                ]
            }
        }
    ]
}

Be sure to carefully add up the values of all the inputs (including the 1 BTC from me) and all the outputs and make sure you're not giving away more in fee than you want to.

If it looks good to you (it's paying you and me the right amounts) you do a signrawtransaction on it:

Code:
signrawtransaction 0100000002734e44af3887c59f0aa74b1c4e880d6cf17345de5b0396ddb884b739a4cc435e0200000000ffffffffb58749a8dfc5502647062e6d0105f65b8c7c58252f0853b7260bd01ffa377b1d0000000000ffffffff0280371600000000001976a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac00e1f505000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac00000000

If your wallet is locked you may need to run
Code:
walletpassphrase yourpassphrasegoeshere 300
to unlock it for 300 seconds.

And send me the result that comes out of signrawtransaction.  If I like your proposal, I'll sign it, announce it, and when it's confirmed I'll post a new txid for other people to spend with me.

A coin can only be spent once— so as people use up these coins, I'm creating new ones and updating this message.  See down thread where I also list a bunch more available for spending.
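Added example (not part of the original post): a raw transaction does not carry the values of its inputs, so the fee is only known once each input's value has been looked up independently. The sketch below parses the legacy transaction hex shown in the post and audits it from the co-signer's side; the function names, the fee ceiling and the assumption that each input value was confirmed on your own node are illustrative.

```python
# Added example: decode a legacy (pre-segwit) raw transaction and audit it before signing.
# RAW_TX is the unsigned hex from the post, split by field.
RAW_TX = (
    "01000000" "02"                                                      # version, input count
    "734e44af3887c59f0aa74b1c4e880d6cf17345de5b0396ddb884b739a4cc435e"  # prev txid, byte-reversed
    "02000000" "00" "ffffffff"                                          # vout 2, empty scriptSig, sequence
    "b58749a8dfc5502647062e6d0105f65b8c7c58252f0853b7260bd01ffa377b1d"  # prev txid, byte-reversed
    "00000000" "00" "ffffffff"                                          # vout 0, empty scriptSig, sequence
    "02"                                                                 # output count
    "8037160000000000" "19" "76a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac"
    "00e1f50500000000" "19" "76a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac"
    "00000000"                                                           # locktime
)

class Reader:
    """Cursor over the raw bytes that refuses to read past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated transaction")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "little")

    def varint(self):
        first = self.uint(1)
        if first < 0xfd:
            return first
        return self.uint({0xfd: 2, 0xfe: 4, 0xff: 8}[first])

def parse_tx(raw_hex):
    r = Reader(bytes.fromhex(raw_hex))
    tx = {"version": r.uint(4), "vin": [], "vout": []}
    n_in = r.varint()
    if n_in == 0:
        raise ValueError("no inputs (or segwit marker): not a legacy transaction")
    for _ in range(n_in):
        txid = r.take(32)[::-1].hex()          # txids are displayed byte-reversed
        vout = r.uint(4)
        script_sig = r.take(r.varint()).hex()
        tx["vin"].append({"txid": txid, "vout": vout,
                          "scriptSig": script_sig, "sequence": r.uint(4)})
    for _ in range(r.varint()):
        value = r.uint(8)                      # satoshis
        tx["vout"].append({"value": value, "script": r.take(r.varint()).hex()})
    tx["locktime"] = r.uint(4)
    if r.pos != len(r.data):
        raise ValueError("trailing bytes after locktime")
    return tx

# Input values in satoshis. Assumption: each was confirmed on your own node
# (listunspent / gettxout), never taken from the proposer's message.
PREVOUTS = {
    ("5e43cca439b784b8dd96035bde4573f16c0d884e1c4ba70a9fc58738af444e73", 2): 1_456_000,
    ("1d7b37fa1fd00b26b753082f25587c8c5bf605016d2e06472650c5dfa84987b5", 0): 100_000_000,
}
# scriptPubKey of 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, as shown in the decoded output.
MY_SCRIPT = "76a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac"

def audit(raw_hex, prevout_sats, my_script, my_min_sats, max_fee_sats):
    """Return (fee_in_satoshis_or_None, list_of_problems) for a proposed joint tx."""
    tx = parse_tx(raw_hex)
    problems = []
    keys = [(i["txid"], i["vout"]) for i in tx["vin"]]
    missing = [k for k in keys if k not in prevout_sats]
    for txid, vout in missing:
        problems.append("no verified value for input %s:%d" % (txid, vout))
    paid_to_me = sum(o["value"] for o in tx["vout"] if o["script"] == my_script)
    if paid_to_me < my_min_sats:
        problems.append("pays me %d sat, expected at least %d" % (paid_to_me, my_min_sats))
    fee = None
    if not missing:                            # fee is meaningless with unknown inputs
        total_out = sum(o["value"] for o in tx["vout"])
        fee = sum(prevout_sats[k] for k in keys) - total_out
        if fee < 0:
            problems.append("outputs exceed inputs by %d sat" % -fee)
        elif fee > max_fee_sats:
            problems.append("fee %d sat exceeds limit %d" % (fee, max_fee_sats))
    return fee, problems

if __name__ == "__main__":
    print(audit(RAW_TX, PREVOUTS, MY_SCRIPT, 100_000_000, 100_000))
```

Run the audit again on the fully signed hex before broadcasting; signatures fill the scriptSig fields but the inputs, outputs and fee must be unchanged.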


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: casascius on January 28, 2013, 11:33:30 PM
I find this as interesting as you do.

I hope it leads to people discovering how they can do a "fungibility project".  You know, a project that increases the fungibility of all bitcoins.  One that auto-swaps coins with strangers in IRC using this very same flow you've got going here.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 28, 2013, 11:40:17 PM
One that auto-swaps coins with strangers in IRC using this very same flow you've got going here.
I've actually done this manually a few times with a few different people— well, IRC messages are too short for most transactions. :( but encrypted pastebins work.  I thought it would be fun to get more people involved.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: Luke-Jr on January 28, 2013, 11:41:02 PM
One that auto-swaps coins with strangers in IRC using this very same flow you've got going here.
I've actually done this manually a few times with a few different people— well, IRC messages are too short for most transactions. :( but encrypted pastebins work.  I thought it would be fun to get more people involved.

Why bother encrypting it?


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 28, 2013, 11:45:29 PM
Why bother encrypting it?
The only reason is privacy— making a joint transaction hides ownership but if the pastebin is made public that sort of undoes the effect.  For a fun project like this it may not matter to you— e.g. my 1GMaxwell address is very public.  But if you don't want people to know that you own 100,000 BTC then you wouldn't want to post the txn under your name. If you send it to me anonymously then even I won't know.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: meowmeowbrowncow on January 28, 2013, 11:51:43 PM



gmaxwell and his tx pyramid schemes...


;)


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: wachtwoord on January 29, 2013, 12:01:01 AM
Thanks for the howto :)

I have a few questions:

* What exactly is the meaning of the Vout (Value out?) integer? In the input part of the transaction you specify the vout of your input based on the output of 'listunspent' so I guessed it was a local (wallet specific) identifier however we also specify the vout of your input (as 0) and if this was the case there would be no way to know that. Finally, for the decoded transaction we see that the output after the transaction is signed, broadcasted and added to a block, is also called vout to make it a little more confusing :)

* Each output in the vout of the decoded raw transaction has an array of addresses (in the example the arrays of both outputs have length 1). Does specifying multiple addresses in this array create a multi sig output? If not, what would it mean?

* Finally, I have never been able to find a quick and easy explanation/howto/whatever of all (or at least the most important) OP Codes. If this exists somewhere I'd love a link.

Thanks, this is very interesting.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 29, 2013, 12:09:02 AM
Quote
* What exactly is the meaning of the Vout (Value out?) integer?
A transaction can have multiple outputs— e.g. when you send some coin to someone and send the rest back in change, or when you pay multiple parties at once. Vout is just an index— in createrawtransaction it indicates which of potentially multiple outputs are being spent.  In the decode you see the indexes of the newly created outputs.

Quote
* Each output in the vout of the decoded raw transaction has an array of addresses (in the example the arrays of both outputs have length 1). Does specifying multiple addresses in this array create a multi sig output? If not, what would it mean?
Yes, if there are multiple addresses there it's a multisig output.

Quote
* Finally, I have never been able to find a quick and easy explanation/howto/whatever of all (or at least the most important) OP Codes. If this exists somewhere I'd love a link.
If you mean script OPcodes: https://en.bitcoin.it/wiki/Script  if you mean the console commands— run help or help <command>.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: Sukrim on January 29, 2013, 12:09:44 AM
How to become MtGox: Send e.g. 1 Bitcent to a completely new address, then send half of that + some other change from one of your other addresses to one of your regular ones (or another new one) and let the other half bitcent be imported to MtGox via the import private key feature. This would make it seem as if MtGox (who probably swipe that half Bitcent asap, most likely together with some other coins) now also owns all of your other addresses...

This should work anywhere that lets you import private keys and subsequently transfers coins off these keys.

Anyways, I guess by doing stuff as you proposed, you just make it a bit harder again, but not impossible to still cluster addresses.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: Loaded on January 29, 2013, 02:01:52 AM
I'll bite.

0100000003c8e2c94e9683ca5ca81d5b971aa518b4cae10c3eff0dbc2128ecdc1e2f2bf67500000 0006c493046022100b1c9911292829374b5e2f82f60060738026714a91de56a38e5d208032348ac 53022100b214c658dd9951dbe9b9f62a2d7ec31370587fc0d09a27788b16d41acd2a7099012102f 115baf06dd46062573d2b929e243bbc798db8c1fb6b04a324fe05063786d02affffffffd3161114 e547413ac20be8f22a4bd3cfe8d7a04ae3bae9a744799414b77fcefd010000006c4930460221008 94c0a5fb790c7de900c6ee74c82fbf946f2409a015f0969e9ce7aaac1a00ae902210099f7d383ef 8dc56346fe2259f9ab94fdef90d568960ad6e0ac70a43f0d980ff3012102f115baf06dd46062573 d2b929e243bbc798db8c1fb6b04a324fe05063786d02affffffffb58749a8dfc5502647062e6d01 05f65b8c7c58252f0853b7260bd01ffa377b1d0000000000ffffffff02286a7254a30300001976a 914aa530a61909a9c2959b52415a211926a53ab37e088ac68b9e304000000001976a91465a03428 5ca12eebfbd533cb013f1394ee11d4f888ac00000000


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 29, 2013, 02:04:50 AM
2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21 (http://blockchain.info/tx/2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21) is the first accepted offer, this one received over GPG-email. Accepting it was a no-brainer: It made a clever and quite generous 10 BTC multi-signature donation to the developers.  I've updated the message to indicate bbeacff94c2d20df8eb4e5556b38977863b4548c79105b10da943cd2eecddd80:0 (also 1 BTC) as the new output of mine to spend.

Loaded: Slightly too slow, 1d7b37fa is now spent.  Compute and sign your very impressive transaction again with bbeacff. :)


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: Loaded on January 29, 2013, 02:12:56 AM
2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21 (http://blockchain.info/tx/2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21) is the first accepted offer, this one received over GPG-email. Accepting it was a no-brainer: It made a clever and quite generous 10 BTC multi-signature donation to the developers.  I've updated the message to indicate bbeacff94c2d20df8eb4e5556b38977863b4548c79105b10da943cd2eecddd80:0 (also 1 BTC) as the new output of mine to spend.

Loaded: Slightly too slow, 1d7b37fa is now spent.  Compute and sign your very impressive transaction again with bbeacff. :)


 

Anyone else who wants to be associated with 40k BTC is welcome to create a tx using the output of the above to 1B5kWfMmX1rKSwwHhwiiMxjfRRv5o7ZE4p


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 29, 2013, 02:25:03 AM
Code:
0100000003c8e2c94e9
69d9d66aae4812b6cf156f32267b773fb2118db696bb847ebd3454a198b59fbd (https://blockchain.info/tx-index/47371647/69d9d66aae4812b6cf156f32267b773fb2118db696bb847ebd3454a198b59fbd)

I've handled pricy assets before, but perhaps that's the most I've ever had move on a single keypress. Very cool.  I'll have more outputs up in a minute.

Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 0 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 1 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 2 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 3 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 4 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 5 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 6 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 7 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 8 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 9 1BTC

Pick one which is unspent: either look at d127a741 on a block explorer, or on Bitcoin-qt 0.8 (development version) run
gettxout d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59 n


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: FreeMoney on January 29, 2013, 02:37:41 AM
I <3 bitcoin


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: casascius on January 29, 2013, 02:39:18 AM
One that auto-swaps coins with strangers in IRC using this very same flow you've got going here.
I've actually done this manually a few times with a few different people— well, IRC messages are too short for most transactions. :( but encrypted pastebins work.  I thought it would be fun to get more people involved.


I am thinking of this as a program that runs all day and night and promiscuously finds random swapping partners, repeatedly swapping coins as soon as they meet a minimum threshold for confirmations. I suppose if such an application wants a dependency on a pastebin site that doesn't mind being polluted with transient traffic and doesn't require a captcha, it would work.

Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 29, 2013, 03:00:48 AM
Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.
Ideally it should be some meeting point over TOR so that there is no incentive to try to record IPs.  Though I'd prefer instead of opportunistically swapping that it rather had lots of people indicate an intent to swap, and then when you want to make a transaction, you'd jointly create a swap and pay transaction. This avoids bloating the blockchain with a bunch of pure swapping and would further improve privacy as you wouldn't know _which_ outputs were swapping and which were payments.  Payments to common anonymous donation addresses could even be merged.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: Red Emerald on January 29, 2013, 03:27:47 AM
Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.
Ideally it should be some meeting point over TOR so that there is no incentive to try to record IPs.  Though I'd prefer instead of opportunistically swapping that it rather had lots of people indicate an intent to swap, and then when you want to make a transaction, you'd jointly create a swap and pay transaction. This avoids bloating the blockchain with a bunch of pure swapping and would further improve privacy as you wouldn't know _which_ outputs were swapping and which were payments.  Payments to common anonymous donation addresses could even be merged.
This is an interesting idea.

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 29, 2013, 03:34:24 AM
This is an interesting idea.
Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.
Well the application is that websites like blockchain.info post analysis for everyone to see— screwing up the privacy of Bitcoin in practice.  I don't have much need for anonymity, but not having everyone from your nosy neighbors to random thieves knowing all your financial activity is both a matter of human dignity and basic safety.  The basic design of Bitcoin should be reasonably private if used right, but people frequently reuse addresses and do other things that gum it up.

Making joint payments can reclaim some of that privacy (but I'm far from convinced that it would thwart serious forensic analysis) and also reduce the total number of transactions being made. 

Besides, there are already many mixers:  But the issue with them is that they're centralized services. When you deposit your coins there is a risk the operator will steal them (or get them stolen). They charge fees... and the operator may be spying and recording all the linkages anyways. With those kinds of properties they're services which are less useful for casual privacy— and only really attractive to the kind of nefarious activity which I don't endorse.

Joint transactions can also be used to have people securely pool funds to pay for common work.  E.g. "I'll post pics with a shoe on my head if y'all raise 10 BTC" and other neat things especially when you factor in the other scriptsig types.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: hackjealousy on January 29, 2013, 03:35:14 AM
I am thinking of this as a program that runs all day and night and promiscuously finds random swapping partners, repeatedly swapping coins as soon as they meet a minimum threshold for confirmations. I suppose if such an application wants a dependency on a pastebin site that doesn't mind being polluted with transient traffic and doesn't require a captcha, it would work.

Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.

This is essentially: http://blog.ezyang.com/2012/07/secure-multiparty-bitcoin-anonymization/


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 29, 2013, 03:37:56 AM
This is essentially: http://blog.ezyang.com/2012/07/secure-multiparty-bitcoin-anonymization/
Yes, it's not new— In fact, I made the first one of these transactions in 2011.  But it's also not widely known.... not widely used enough that people attempting taint analysis get big obvious failures that make them question their premises.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: jl2012 on January 29, 2013, 04:46:27 AM
2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21 (http://blockchain.info/tx/2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21) is the first accepted offer, this one received over GPG-email. Accepting it was a no-brainer: It made a clever and quite generous 10 BTC multi-signature donation to the developers.  I've updated the message to indicate bbeacff94c2d20df8eb4e5556b38977863b4548c79105b10da943cd2eecddd80:0 (also 1 BTC) as the new output of mine to spend.

Loaded: Slightly too slow, 1d7b37fa is now spent.  Compute and sign your very impressive transaction again with bbeacff. :)


 

Anyone else who wants to be associated with 40k BTC is welcome to create a tx using the output of the above to 1B5kWfMmX1rKSwwHhwiiMxjfRRv5o7ZE4p


Just a gentle reminder to everyone: playing with raw tx could be very dangerous. You may end up in paying a huge amount of fee (eg. https://bitcointalk.org/index.php?topic=135665.0 ). Triple check before and after you sign anything. Quadruple or quintuple check if you are playing with 40k BTC


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >40kBTC linked!)
Post by: gmaxwell on January 29, 2013, 05:18:34 AM
Three anonymous-to-me parties collaborated to produce the transaction spending vout:6 (https://blockchain.info/tx-index/47391322/23702b948ffa678b52edac9131814de91d8fef9c59f3194764530dc02b828799) on my last list of outputs (I got directed to a pastebin and asked to sign the content).

Another mystery transaction vout:4 (https://blockchain.info/tx-index/47418801/75efe4c224d8972a817628610199478526200fdc706f2e3ff6c5e42679440823) was passed through multiple anonymous parties chinese-whisper style to me.

... and a new record: 50kBTC (https://blockchain.info/tx-index/47421492/14947302eab0608fb2650a05f13f6f30b27a0a314c41250000f77ed904475dbb) which spends vout:0.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >50kBTC linked!)
Post by: Ente on January 29, 2013, 09:57:46 AM
I love it!

Ente


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: giszmo on January 29, 2013, 12:15:47 PM
Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.
Ideally it should be some meeting point over TOR so that there is no incentive to try to record IPs.  Though I'd prefer instead of opportunistically swapping that it rather had lots of people indicate an intent to swap, and then when you want to make a transaction, you'd jointly create a swap and pay transaction. This avoids bloating the blockchain with a bunch of pure swapping and would further improve privacy as you wouldn't know _which_ outputs were swapping and which were payments.  Payments to common anonymous donation addresses could even be merged.
This is an interesting idea.

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.

Call it money laundering and you repel people. Call it fungibility and people tend to support this basic nature bitcoin needs to be cash. If my bitcoins get deducted x% of their value when paying a governmental entity due to containing x% coins from their daily updated black list of transactions, I will think twice if bitcoin failed as a whole. Prevent that from happening means talking about the dangers of taint analysis.
I guess it will be kind of trivial to have some transaction merging being done with every payment once the network gets busier and I also think this should be done (opt out) by the client.
(BitcoinSpinner style A->B+A transactions definitely are a pain. After having done business with 10 or so people through my Android I get very much aware of it.)

Basically we could have 1 transaction per block but involving more entities to forge a transaction will make it more prone to people never signing it. Also the 1 transaction per block would lead to having the true transaction data being public but outside of the blockchain. Similarly some "agency" could heavily advertise to merge transactions with its transactions just to be able to gather intelligence for later taint analysis. Therefore the best strategy for now would be to seek signing partners only in very small groups of maybe not more than 2.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: gmaxwell on January 29, 2013, 04:24:58 PM
Basically we could have 1 transaction per block but involving more entities to forge a transaction will make it more prone to people never signing it. Also the 1 transaction per block would lead to having the true transaction data being public but outside of the blockchain. Similarly some "agency" could heavily advertise to merge transactions with its transactions just to be able to gather intelligence for later taint analysis. Therefore the best strategy for now would be to seek signing partners only in very small groups of maybe not more than 2.
It's quite possible to have a cryptographic protocol which can safely and completely anonymously combine between parties.

Warning: Very complicated cryptographic protocol below.
(fortunately this stuff just gets put in software and a user clicks the button)

To participate in this system you must first have a fidelity bond:

You construct a specially formed (https://bitcointalk.org/index.php?topic=134827.0) transaction that gives away some coins as fees in a way that proves you didn't receive them. A key committed to as part of doing this is your fidelity bond key.

People interested in forming an anonymous joint transaction join some broadcast communication channel (e.g. IRC over tor).

Every message they send is signed with their fidelity bond key.

They each put up coins they'd like to include and come to an agreement about the transaction. They each form a message about what output address they'd like to send the funds to,  and blind (http://en.wikipedia.org/wiki/Blinding_%28cryptography%29) it, and send it to the group. They each advertise a key for blind signing.

The group then performs a group blind signature for each of the blinded messages.

The users unblind their messages, and advertise keys for a reencryption mix (http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/universal/Universal.pdf). A first user generates some padding messages and their real unblinded token, permutes and encrypts them all, and advertises the result (In reality, he may need to do this many times, for a zero knowledge proof that he isn't screwing it up). Then a next user takes the result, adds their own blinded message, permutes the set, and reencrypts it all, and so on.

After cycling through all users several times, they decrypt, and the result is a randomly ordered set of output address messages which have all been signed by the whole group, but they cannot tell which users authored which. A transaction is created conforming to the agreed inputs and outputs, and all users sign.

If at any point a user refuses to sign in order to jam the process their misbehavior can be proven to anyone who cares to know by showing them the signed messages from a failed round. After seeing a proof they blacklist the misbehaving fidelity bond key, and so DOS attacking this can be made expensive.

I've omitted a lot of complex details (secure group random number agreement for consensus, constructing the ZKPs to show that someone isn't jamming the mix, etc) and waved my hands at things (like group blind signatures)... but it's clear to me that it's certainly possible to construct such a thing. The engineering would be quite hard, as this kind of very lock-stepy everything proven algorithm is quite fragile compared to even Bitcoin. So, I don't expect it any time soon— but I'm happy to know that it's possible if it ever actually is needed.  In reality, I expect few are going to try to gum up this sort of thing, so in practice people could get away with much simpler protocols.
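Added example (not part of the original post): the blind/sign/unblind step described above, reduced to a single-signer Chaum RSA blind signature rather than the group blind signature the post refers to. The toy key, the function names and the use of two addresses from this thread as messages are assumptions for illustration; the last function shows why the signer's view does not reveal which address it signed.

```python
# Added example: textbook RSA blind signature over an output address.
import hashlib
import math
import secrets

# Constructed toy signer key from two Mersenne primes; far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # signer's private exponent (Python 3.8+)

ADDR_A = b"1AywL2iC7ywJCTtXb8G49WeWgEL9qCBh61"
ADDR_B = b"1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB"

def encode(message: bytes) -> int:
    """Hash the message into Z_N (no padding scheme: illustration only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def blind(message: bytes):
    """Participant: hide the message with a random factor r. Returns (blinded, r)."""
    m = encode(message)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r

def sign_blinded(blinded: int) -> int:
    """Signer: signs whatever it is handed; it only ever sees the blinded value."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Participant: strip r to obtain an ordinary signature on the message."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(message: bytes, sig: int) -> bool:
    return pow(sig, E, N) == encode(message)

def explaining_factor(blinded: int, candidate: bytes) -> int:
    """Signer-side check of unlinkability: for ANY candidate message there is a
    blinding factor that would have produced the blinded value the signer saw,
    so the signer's transcript is equally consistent with every message."""
    quotient = (blinded * pow(encode(candidate), -1, N)) % N   # equals r'^E
    return pow(quotient, D, N)

if __name__ == "__main__":
    blinded, r = blind(ADDR_A)
    sig = unblind(sign_blinded(blinded), r)
    print("signature valid for A:", verify(ADDR_A, sig))
    print("signature valid for B:", verify(ADDR_B, sig))
    for cand in (ADDR_A, ADDR_B):
        rp = explaining_factor(blinded, cand)
        print(cand.decode(), "explains transcript:",
              encode(cand) * pow(rp, E, N) % N == blinded)
```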


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: dooglus on January 29, 2013, 07:43:16 PM
Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

The following tiny patch allows me to send to the same address multiple times from the reference client:

Code:
diff --git a/src/qt/walletmodel.cpp b/src/qt/walletmodel.cpp
index 9d5a2c0..76bb446 100644
--- a/src/qt/walletmodel.cpp
+++ b/src/qt/walletmodel.cpp
@@ -151,7 +151,7 @@ WalletModel::SendCoinsReturn WalletModel::sendCoins(const QList<SendCoinsRecipie
 
     if(recipients.size() > setAddress.size())
     {
-        return DuplicateAddress;
+        // return DuplicateAddress;
     }
 
     if(total > getBalance())
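Review bot: the `if(recipients.size() > setAddress.size())` block is left with nothing but a commented-out return, so the comparison is still evaluated but no longer has any effect. If duplicate recipients are meant to be accepted, delete the whole `if` block rather than leaving dead code behind; if this is only a local experiment, a short comment saying why the `DuplicateAddress` return is disabled would keep the next reader from re-enabling it or from assuming the check still guards against an accidental double entry in the send dialog.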


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: mb300sd on January 30, 2013, 04:15:02 AM

Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on January 30, 2013, 09:22:51 PM
Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):
Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction

I literally wrote the transaction hex by hand— the format of a transaction is all byte aligned, and it's not actually too hard to just type one in. (Obviously I didn't sign or convert the addresses to hex160 by hand, but I just copied them from createrawtransaction output and used the regular signrawtransaction command). This comic is relevant (http://xkcd.com/378/).

While I'm here— c3962bbe60d5a22a67e6814b28342e3affdc07357cae2e9abab3f2bc01f251eb  is a 1000 BTC transaction someone sent to me.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: dooglus on January 30, 2013, 09:56:12 PM
Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction

Deleting these 2 lines from the source allows createrawtransaction to make transactions with duplicate output addresses:

Code:
diff --git a/src/rpcrawtransaction.cpp b/src/rpcrawtransaction.cpp
index 9531b12..4e13881 100644
--- a/src/rpcrawtransaction.cpp
+++ b/src/rpcrawtransaction.cpp
@@ -288,8 +288,6 @@ Value createrawtransaction(const Array& params, bool fHelp)
         if (!address.IsValid())
             throw JSONRPCError(RPC_INVALID_ADDRESS_OR_KEY, string("Invalid Bitcoin address: ")+s.name_);
 
-        if (setAddress.count(address))
-            throw JSONRPCError(RPC_INVALID_PARAMETER, string("Invalid parameter, duplicated address: ")+s.name_);
         setAddress.insert(address);
 
         CScript scriptPubKey;
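Review bot: after the `setAddress.count(address)` check is removed, the remaining `setAddress.insert(address);` only writes to a set that, within the visible lines, nothing reads any more. Either drop the insert (and the set, if it has no other use in the function) or keep the check behind an explicit opt-in parameter, so callers who pass the same address twice by mistake still get the `RPC_INVALID_PARAMETER` error by default.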


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on February 01, 2013, 04:25:13 PM
Another email received transaction a511bea3b5dc09609c4853d817cde909fdcdc06cc9558500f155ca821d0d511b, spends vout:8


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: WiW on February 02, 2013, 05:51:53 AM
Can someone please explain all this to the layman?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: dooglus on February 02, 2013, 06:45:59 AM
Can someone please explain all this to the layman?

I can try.  How's this?

Quote
To send bitcoins you make a transaction.  Every transaction takes coins from one or more addresses (the transaction's inputs) and sends them to one or more addresses (its outputs).

When analysing the blockchain to try to work out which addresses belong to which users, people tend to assume that all the input addresses belong to the same wallet, because that is usually the case.

What gmaxwell is doing in this thread is using advanced 'raw transaction' bitcoin commands to collaborate with people to create transactions in which he owns the address of one of the inputs and the other person owns the address of the other input.  In this way he confuses people doing naive blockchain analysis.

In the first such transaction, he contributed 1 BTC from his well-known address and forum user 'loaded' contributed 40,000 BTC.  This makes it look at first glance as if gmaxwell has control of 40,001 BTC.
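The heuristic described in the post above, as an added example that is not part of the original thread: a small clustering pass that links every input address of a transaction to one owner, run over a constructed ledger. The address labels, the `alice`/`shop` transaction and the ground-truth table are assumptions made for illustration; only the 1 BTC and 40,000 BTC figures come from the post.

```python
"""Added illustration (constructed data): common-input-ownership clustering."""


class UnionFind:
    """Disjoint sets of addresses that the heuristic attributes to one owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed ledger. Values are in BTC; address names are made-up labels.
LEDGER = [
    # Ordinary spend: one wallet combines two of its own addresses.
    {"txid": "tx_ordinary",
     "inputs": [("alice_1", 3), ("alice_2", 2)],
     "outputs": [("shop", 4), ("alice_3", 1)]},
    # Jointly authored transaction as described in the post.
    {"txid": "tx_joint",
     "inputs": [("gmaxwell_public", 1), ("loaded_1", 40000)],
     "outputs": [("gmaxwell_public", 1), ("loaded_new", 40000)]},
]

# Ground truth, known here only because the data is constructed.
TRUE_OWNER = {
    "alice_1": "alice", "alice_2": "alice", "alice_3": "alice", "shop": "shop",
    "gmaxwell_public": "gmaxwell", "loaded_1": "loaded", "loaded_new": "loaded",
}


def cluster_inputs(ledger):
    """Apply the naive rule: all input addresses of a transaction share an owner."""
    uf = UnionFind()
    for tx in ledger:
        addrs = [addr for addr, _ in tx["inputs"]]
        for addr, _ in tx["inputs"] + tx["outputs"]:
            uf.find(addr)  # register every address, even unlinked ones
        for other in addrs[1:]:
            uf.union(addrs[0], other)
    return uf


def attributed_spend(ledger, uf, address):
    """Total input value the heuristic credits to the cluster containing `address`."""
    root = uf.find(address)
    return sum(value for tx in ledger for addr, value in tx["inputs"]
               if uf.find(addr) == root)


def false_merges(uf, true_owner):
    """Clusters that span more than one real owner (measurable only with ground truth)."""
    owners_by_root = {}
    for addr in list(uf.parent):
        owners_by_root.setdefault(uf.find(addr), set()).add(true_owner[addr])
    return [owners for owners in owners_by_root.values() if len(owners) > 1]


if __name__ == "__main__":
    uf = cluster_inputs(LEDGER)
    print("attributed to gmaxwell_public:",
          attributed_spend(LEDGER, uf, "gmaxwell_public"), "BTC")
    print("clusters spanning several owners:", false_merges(uf, TRUE_OWNER))
```

The ordinary spend is clustered correctly, while the joint transaction produces the single wrong merge that credits 40,001 BTC to one owner.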


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: dserrano5 on February 02, 2013, 10:40:29 AM
What I don't understand is the following:

You sign this transaction— but it's not valid until both of us sign it. You send it to me […] and if I like your proposed transaction I'll sign it and announce it.  If you think your proposal is especially attractive […].  The most attractive offers will be involve […]

After I accept whatever offer I accept, […]

If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: dooglus on February 02, 2013, 05:27:08 PM
If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.

I guess he didn't want to promise to sign transactions from everyone.  What if too many people responded?  He's going to choose the 'best' ones in some way.  Each of his 1 BTC outputs can only be spent once after all.  It appears the demand has been less than overwhelming, so I expect he's just signed all the transactions he has received.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: WiW on February 02, 2013, 07:00:30 PM
Perhaps it would be better I try to explain in laymanish what I did understand and someone correct me.

Originally I figured he just meant that if you have X bitcoin and he has X bitcoin, together you can mix the bitcoin and redistribute them in such a way that multiple inputs and an obfuscated list of multiple outputs removes the ability to trace the output address to the original input address...

Say we both have a single bitcoin. We put it in a shared wallet (which we both sign) with a list of respective output wallets. After both bitcoins have been collected, we both sign the transaction to distribute each bitcoin to each wallet. Someone looking from the outside wouldn't know which wallet is whose (in this case they'd have a 50-50 chance of guessing). Of course, when there are more than two involved, I understand there is some way to ensure that each participating member doesn't know which output wallet is whose - but I don't understand how.

Another thing I don't understand is that if all participating members have to sign the outgoing transaction, wouldn't that be a system prone to abuse? I'd put my bitcoin in the pool, but if there are 1,000 other participants I can just forget my bitcoin and never agree to sign a txn that would free those bitcoins and everyone loses.

So where in all this did I misunderstand?


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: Steve on February 03, 2013, 06:07:30 AM
Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.
This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on February 03, 2013, 04:11:14 PM
If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.
If multiple people sign for the same output I can only accept one.  After the first couple collisions I ended up listing a bunch of outputs to make collisions less likely.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: Red Emerald on February 03, 2013, 05:13:09 PM
Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.
This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.
Sounds good to me.


Title: Re: I taint rich! (Fun with raw transactions and disrupting 'taint' analysis)
Post by: n8rwJeTt8TrrLKPa55eU on February 04, 2013, 03:52:43 AM
Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.
This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.
This is a great point, not often mentioned.  It's not just individuals or druggies who need privacy.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: pc on February 04, 2013, 06:22:15 PM
If multiple people sign for the same output I can only accept one.  After the first couple collisions I ended up listing a bunch of outputs to make collisions less likely.

Couldn't we use some of the more interesting signature types (ANYONECANPAY or something like that)? People could sign a transaction with their one input they're putting in, their output to themselves that they care about, 1 BTC to you, and you then just add your 1 BTC input from any transaction you want.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: dooglus on February 04, 2013, 07:41:25 PM
Couldn't we use some of the more interesting signature types (ANYONECANPAY or something like that)? People could sign a transaction with their one input they're putting in, their output to themselves that they care about, 1 BTC to you, and you then just add your 1 BTC input from any transaction you want.

If we use "SINGLE|ANYONECANPAY" then we can each make a transaction with 1 input and 1 output which just sends our BTC to ourselves, and gmaxwell can combine them all into a single transaction.  I think.

"SINGLE" meaning "I don't care who else gets paid, so long as I get my BTC", and "ANYONECANPAY" meaning "I don't care who else pays, so long as I pay my BTC".
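What the two flags in the post above commit to, as an added example that is not part of the original thread and is not Bitcoin's own code: a simplified reimplementation of the legacy signature hash, run over constructed inputs and outputs. It assumes scripts without OP_CODESEPARATOR, and all hashes, scripts and amounts are constructed; it also shows that SIGHASH_SINGLE ties a signature to the input's position, because the outputs before the matching one are serialized as blanks.

```python
"""Added illustration: what a legacy Bitcoin signature commits to per SIGHASH flag."""
import hashlib
import struct

SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE = 1, 2, 3
SIGHASH_ANYONECANPAY = 0x80
ONE = (1).to_bytes(32, "little")  # returned when the index has no matching input/output


def varint(n):
    """Bitcoin's variable-length integer (CompactSize)."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xffffffff:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def serialize(vin, vout, version=1, locktime=0):
    """Byte-aligned legacy layout.
    vin:  [(prev_hash32, prev_index, script, sequence)]
    vout: [(value_in_satoshi, script_pubkey)]"""
    raw = struct.pack("<i", version) + varint(len(vin))
    for prev_hash, prev_index, script, sequence in vin:
        raw += prev_hash + struct.pack("<I", prev_index)
        raw += varint(len(script)) + script + struct.pack("<I", sequence)
    raw += varint(len(vout))
    for value, script_pubkey in vout:
        raw += struct.pack("<q", value) + varint(len(script_pubkey)) + script_pubkey
    return raw + struct.pack("<I", locktime)


def legacy_sighash(vin, vout, n_in, script_code, hashtype):
    """Double-SHA256 of the modified transaction copy that input n_in signs."""
    if n_in >= len(vin):
        return ONE
    # Blank every scriptSig; the signed input carries the script being satisfied.
    ins = [(h, i, script_code if k == n_in else b"", seq)
           for k, (h, i, _, seq) in enumerate(vin)]
    outs = list(vout)
    base = hashtype & 0x1f
    if base in (SIGHASH_NONE, SIGHASH_SINGLE):
        if base == SIGHASH_NONE:
            outs = []
        else:
            if n_in >= len(outs):
                return ONE
            # Outputs before the matching one become (-1, empty script) blanks.
            outs = [(-1, b"")] * n_in + [outs[n_in]]
        ins = [(h, i, s, seq if k == n_in else 0)
               for k, (h, i, s, seq) in enumerate(ins)]
    if hashtype & SIGHASH_ANYONECANPAY:
        ins = [ins[n_in]]  # other inputs are not committed to at all
    preimage = serialize(ins, outs) + struct.pack("<I", hashtype)
    return hashlib.sha256(hashlib.sha256(preimage).digest()).digest()


def p2pkh(tag):
    """Constructed pay-to-pubkey-hash-shaped script; `tag` is filler, not a key hash."""
    return b"\x76\xa9\x14" + bytes([tag]) * 20 + b"\x88\xac"


COIN = 100_000_000  # satoshi per BTC
# Constructed participants: A contributes 40,000 BTC, G contributes 1 BTC.
IN_A, SCRIPT_A, OUT_A = (b"\xaa" * 32, 0, b"", 0xffffffff), p2pkh(0xa1), (40_000 * COIN, p2pkh(0xa2))
IN_G, SCRIPT_G, OUT_G = (b"\x11" * 32, 1, b"", 0xffffffff), p2pkh(0x91), (1 * COIN, p2pkh(0x92))
FLAGS = SIGHASH_SINGLE | SIGHASH_ANYONECANPAY

if __name__ == "__main__":
    alone = legacy_sighash([IN_A], [OUT_A], 0, SCRIPT_A, FLAGS)
    appended = legacy_sighash([IN_A, IN_G], [OUT_A, OUT_G], 0, SCRIPT_A, FLAGS)
    moved = legacy_sighash([IN_G, IN_A], [OUT_G, OUT_A], 1, SCRIPT_A, FLAGS)
    print("same hash after others are appended:", alone == appended)
    print("same hash after moving to index 1:  ", alone == moved)
```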


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: pc on February 04, 2013, 08:43:21 PM
If we use "SINGLE|ANYONECANPAY" then we can each make a transaction with 1 input and 1 output which just sends our BTC to ourselves, and gmaxwell can combine them all into a single transaction.  I think.

I think so too, although "taint analysis" tools should be able to exclude those transactions really simply as not being indicative of all the inputs having the same owner. Though if the point is to demonstrate how simplistic the tools are at this stage, that might be good to try anyway just to force them to adapt.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on July 14, 2013, 04:59:43 AM
This could also be used to reduce the damage from deanonymization attacks, like this appears to be: https://bitcointalk.org/index.php?topic=254615.40


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Inedible on July 15, 2013, 09:28:06 AM
Another thing I don't understand is that if all participating members have to sign the outgoing transaction, wouldn't that be a system prone to abuse? I'd put my bitcoin in the pool, but if there are 1,000 other participants I can just forget my bitcoin and never agree to sign a txn that would free those bitcoins and everyone loses.

Did you ever find out about this, WiW?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on July 15, 2013, 09:40:03 AM
Another thing I don't understand is that if all participating members have to sign the outgoing transaction, wouldn't that be a system prone to abuse? I'd put my bitcoin in the pool, but if there are 1,000 other participants I can just forget my bitcoin and never agree to sign a txn that would free those bitcoins and everyone loses.
Did you ever find out about this, WiW?
To solve that you need to layer on something to prevent DoS attacks.  There are a bunch of different ways to do that... but they all basically amount to schemes that in order to play you need to have some kind of valuable "identity" (might just be evidence that you paid a lot of bitcoin txn fees or donated to some charity). And if the mix fails you blacklist the identity that jammed it up and you restart. You can adjust how intensive the blacklisting is and how expensive the identity is based on how hard the mixing is being attacked.

Putting your bitcoin in the pool doesn't actually take it out of your control until the transaction is signed by everyone and announced, it's atomic— so if it gets jammed the bitcoin is still yours and you can simply spend it again— either in another attempted mix round or someplace else entirely.  (and spending a coin out from under the process is one of the ways someone might be jamming it, but that's even more reliably detectable than not signing)

Most recently I wrote this (https://bitcointalk.org/index.php?topic=216982.msg2686459#msg2686459) on the subject.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: ShadowOfHarbringer on July 15, 2013, 11:16:15 AM
Ever since I was a wee lad I've had a dream .... a dream of being incorrectly assessed as impossibly rich by brain-dead automated analysis.  Now with your help I can be!

Here is how it works:  A lot of people mistakenly assume that when a transaction spends from multiple addresses all those addresses are owned by the same party.  This is commonly the case, but it doesn't have to be so: people can cooperate to author a transaction in a secure and trustless manner.   We can make it a lot easier for people making this mistake to discover their folly by making there be a single address that seems linked to everything.

So basically you created another ZeroCoin, but working using obfuscation technique and easier to perform (without requiring a lot of code) ?
Is this brilliant or what ?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on July 15, 2013, 08:50:30 PM
So basically you created another ZeroCoin, but working using obfuscation technique and easier to perform (without requiring a lot of code) ?
Yes, this transaction style can achieve some similar outcomes but it doesn't require computationally expensive / difficult to trust novel cryptography, and it doesn't require changing the Bitcoin network nor does it require an altchain. Nor does it require a trusted initiator. And it should have much better scalability for small mixing groups.

On the flip side, making it into something useful to many people still requires a lot of development, and potentially a little bit of novel cryptography (e.g. even zerocoin itself) to prevent denial of service... but that stuff would be external to Bitcoin— just software the users need to worry about, not everyone. And it would handle large anonymity sets poorly, the practical limit is probably on the order of a hundred or so parties in a transaction... though funds could go through multiple levels of common sending.

I personally think joint transactions are a much more realistic technology for improving Bitcoin privacy and preserving Bitcoin fungibility than Zerocoin is, at this time.  Though zerocoin certainly is more crypto-mathematically exciting.  Though I suspect that people's lack of interest in techniques like this (note the date on the original post) suggests that people don't really consider the privacy/fungibility problems as bad as the hype around ZC suggests they do.  Maybe if I'd given the thread a snazzy name like "INVISIBLE HAND" people would be more excited.



Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: giszmo on July 15, 2013, 09:13:57 PM
Huh??? How does a system that is based on meeting with others to forge a mix have anything to do with ZeroCoin? ZeroCoin allows you to add a coin to the mix at any time and pull it out later without the two events being connected by knowable links.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: luv2drnkbr on July 16, 2013, 12:18:11 AM

Toasting in epic bread.

Seriously, I love this idea and this community.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: marcus_of_augustus on July 16, 2013, 12:59:28 AM
Good stuff. One of these anonymity/privacy/fungibility projects is going to be so successful that it will become the default because anything else is just too stupid to contemplate ... like a sharp knife is the default ahead of a blunt one, and all the evil hair-splitting and moral obfuscation of what money needs to be to work properly will be bad memories in the dustbin of history.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on July 16, 2013, 02:03:33 AM
Huh??? How does a system that is based on meeting with others to forge a mix have anything to do with ZeroCoin? ZeroCoin allows you to add a coin to the mix at any time and pull it out later without the two events being connected by knowable links.
None of this requires that the 'meeting' of the participants be synchronous.  You could happily announce your intention to form a mixing transaction into a long lived broadcast communication channel (gah, even a blockchain, though that's about the worst communication channel for this).   You connect separately to provide your outputs, and later to sign the resulting transactions. Of course, you must anonymize your communications channels— but the same is true for ZC, if a network observer sees you making the redeem they know who redeemed.

The primary limitation is that when the number of participants becomes high in a single joint transaction the failure (and retry) rate would become unacceptably high.  But you don't need enormous mixing operations since you can cascade them.  (How retries compare to systems that require serialization of mints and spends is an interesting question).



Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on August 22, 2013, 04:34:20 AM
I've just made a detailed post (https://bitcointalk.org/index.php?topic=279249.0) about the privacy promoting uses of this technique.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Dabs on September 14, 2013, 12:02:56 PM
I haven't kept up with the coinjoin thread, but ... assuming people could trust either one individual or one entity or even 2-of-3 multisignature addresses, can a bunch of people just send coins to that one person, and he sends it to himself (consolidating all the unspent inputs into 1 output), then send them all back out to the same bunch of people (at different addresses), and this is effectively mixed?

Let me rephrase that in steps:
1. many people send coins to, for example you, 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, wait 6 confirmations.
2. you then use some form of raw transaction or coin-control to get all the unspent inputs, then spend them all back to 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, wait another 6 confirmations.
3. then you send the coins back to their original owners.

Of course, this method is flawed in that they (the people) have to trust you. But a service could do this and charge 1% or something, like blockchain or bitcoin fog used to (they really did mixing by not connecting users to each other.)


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: gmaxwell on September 14, 2013, 06:55:15 PM
This requires handing your funds over to some third party. Who then themselves learns the correspondence, which they could secretly log due to coercive pressure or just for profit. The activity might subject them to various oddball regulations about handling other people's money, and if they're the sort of organization which is hidden from the law— they'll also be hidden from the consequences of vanishing with your money, it makes for a good long con. The cost of gaining confidence would constitute a barrier to enter the market, keeping fees high.

The end result is that you have an "anonymization" service that mostly only fools and criminals would be very inclined to use and thus it wouldn't increase users' privacy a lot.

The point of this thread was to show that transactions could be made which defied and disrupted 'taint analysis' without putting your coins at risk in the hands of a third party, and to have a little fun in the process.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Dabs on September 15, 2013, 12:42:11 AM
The cost of gaining confidence would constitute a barrier to enter the market, keeping fees high.
that is sort of re-assuring. Maybe I could do this and charge 1.9%.

Like Satoshidice. Except you always win with 100% chance.

And it would still be fun. Heheheh.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Ente on September 17, 2013, 09:08:55 PM
I haven't kept up with the coinjoin thread, but ... assuming people could trust either one individual or one entity or even 2-of-3 multisignature addresses, can a bunch of people just send coins to that one person, and he sends it to himself (consolidating all the unspent inputs into 1 output), then send them all back out to the same bunch of people (at different addresses), and this is effectively mixed?

Let me rephrase that in steps:
1. many people send coins to, for example you, 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, wait 6 confirmations.
2. you then use some form of raw transaction or coin-control to get all the unspent inputs, then spend them all back to 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, wait another 6 confirmations.
3. then you send the coins back to their original owners.

Of course, this method is flawed in that they (the people) have to trust you. But a service could do this and charge 1% or something, like blockchain or bitcoin fog used to (they really did mixing by not connecting users to each other.)

Maybe I'm misunderstanding here, or am missing something:
Why the extra step to "send all inputs to one address" and then split them up again?
As far as I remember, coinjoin does exactly the same thing you suggest, except it creates one huge transaction, where everybody throws inputs at it, defines new, "anonymous" outputs, and signs the whole tx when they are happy with the result. It's either all or nothing, the coins can't be taken in between. Also there is no central point whatsoever. Except, for convenience, a central point to organize all the people and inputs, outputs and the like.
I see a market for such a central point. TOR and anonymity would be fine too, an .onion address would in fact be helpful. I'd throw a small fee at it too.

Ente


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Dabs on September 18, 2013, 12:05:41 AM
Maybe I'm misunderstanding here, or am missing something:
Why the extra step to "send all inputs to one address" and then split them up again?
As far as I remember, coinjoin does exactly the same thing you suggest, except it creates one huge transaction, where everybody throws inputs at it, defines new, "anonymous" outputs, and signs the whole tx when they are happy with the result. It's either all or nothing, the coins can't be taken in between. Also there is no central point whatsoever. Except, for convenience, a central point to organize all the people and inputs, outputs and the like.
I see a market for such a central point. TOR and anonymity would be fine too, an .onion address would in fact be helpful. I'd throw a small fee at it too.

Ente

Step 2 in my method is supposed to combine all the unspent inputs into one giant input. That mixes all the coins together. Coins in the same address from different inputs are not necessarily mixed yet.

Bitcoin works with inputs, regardless of addresses. One address can have several unspent inputs, and this is going to be the case when many people send to one address.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: QuestionAuthority on September 18, 2013, 01:21:25 AM
This is interesting. Let's say I had 10k stolen btc that I wanted to launder. I could send them to you and when they return to me they would be linked to your well known address as well as all of the other addresses in the mixing group. Wouldn't that just give investigators more work instead of eliminating the trail entirely? Possibly make the mixing group accessories to the crime? With thousands of participants would it be very difficult to parse the transactions or impossible? Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: madmadmax on September 18, 2013, 01:39:28 AM
This is interesting. Let's say I had 10k stolen btc that I wanted to launder. I could send them to you and when they return to me they would be linked to your well known address as well as all of the other addresses in the mixing group. Wouldn't that just give investigators more work instead of eliminating the trail entirely? Possibly make the mixing group accessories to the crime? With thousands of participants would it be very difficult to parse the transactions or impossible? Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

If a bank issues liabilities (e.g. paper notes) and you get yours stolen it doesn't mean that the bank has to render your stolen notes worthless for it would make all the paper notes ever printed to fall in value. Same thing with BTC, if you lost it then it's your fault for being a n00b, it's not his fault for tainting rich.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: QuestionAuthority on September 18, 2013, 01:58:47 AM
This is interesting. Let's say I had 10k stolen btc that I wanted to launder. I could send them to you and when they return to me they would be linked to your well known address as well as all of the other addresses in the mixing group. Wouldn't that just give investigators more work instead of eliminating the trail entirely? Possibly make the mixing group accessories to the crime? With thousands of participants would it be very difficult to parse the transactions or impossible? Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

If a bank issues liabilities (e.g. paper notes) and you get yours stolen it doesn't mean that the bank has to render your stolen notes worthless for it would make all the paper notes ever printed to fall in value. Same thing with BTC, if you lost it then it's your fault for being a n00b, it's not his fault for tainting rich.

It must be happy hour?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Dabs on September 18, 2013, 02:01:18 AM
This is interesting. Let's say I had 10k stolen btc that I wanted to launder. I could send them to you and when they return to me they would be linked to your well known address as well as all of the other addresses in the mixing group. Wouldn't that just give investigators more work instead of eliminating the trail entirely? Possibly make the mixing group accessories to the crime? With thousands of participants would it be very difficult to parse the transactions or impossible? Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

Good luck with that! I mean, tracking down people.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: rdponticelli on September 18, 2013, 02:02:17 AM
Step 2 in my method is supposed to combine all the unspent inputs into one giant input. That mixes all the coins together. Coins in the same address from different inputs are not necessarily mixed yet.

It seems to me that "your method" puts all the liability on you. You won't make enough from your fees to pay to your lawyers.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: QuestionAuthority on September 18, 2013, 02:11:50 AM
This is interesting. Let's say I had 10k stolen btc that I wanted to launder. I could send them to you and when they return to me they would be linked to your well known address as well as all of the other addresses in the mixing group. Wouldn't that just give investigators more work instead of eliminating the trail entirely? Possibly make the mixing group accessories to the crime? With thousands of participants would it be very difficult to parse the transactions or impossible? Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

Good luck with that! I mean, tracking down people.

I don't think I'd be personally doing it. Maybe my example was flawed. If someone paid a million dollars in Bitcoin to assassinate a high government official and the government was highly motivated to find the person would this eliminate the possibility?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Dabs on September 18, 2013, 02:14:43 AM
Step 2 in my method is supposed to combine all the unspent inputs into one giant input. That mixes all the coins together. Coins in the same address from different inputs are not necessarily mixed yet.

It seems to me that "your method" puts all the liability on you. You won't make enough from your fees to pay to your lawyers.
What lawyers?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: rdponticelli on September 18, 2013, 02:27:32 AM
What lawyers?

You'll need lawyers. And good ones.  ;)


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: TheButterZone on September 18, 2013, 02:36:35 AM
What lawyers?

You'll need lawyers. And good ones.  ;)

Don't forget the guns and money.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Dabs on September 18, 2013, 06:45:36 AM
What do I need the lawyers for?

Oh, I got the guns though. You guys just need to supply the coins.

Maybe I'll just make a 99% lotto game. Whatever you buy, you win back. Less the "house edge". Draws are available daily, weekly and monthly.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: marcotheminer on September 18, 2013, 07:12:07 AM
I don't get any of this!
Could someone fill me in?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Ente on September 18, 2013, 10:32:22 AM
Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

Yes, there are two stages of laundering coins.
First stage, which is obvious and talked about everywhere, is how to transform dirty coins to fresh coins. There are several technical possibilities, which all break down to get the bitcoins from one, dirty address to a clean one. The problem is that it's easy to follow when you have 527.3381 coins going in, and 527.3381 coins showing up half an hour later at a totally unrelated address.
So you split it up into several addresses, possibly over a few days. So you end up with 500 and 27.3381 coins, or with 371.51 and 155.8281 coins, or some combination more clever than that. Doing that right, your individual addresses drown in the noise of the blockchain.
Voila, you effectively have anonymous coins. Or, at least, plausibly deniable coins.

Second stage?
If, at any time, you combine some of those coins into a tx, your cover is blown.
And since all data is public, it doesn't really matter when you do that.
An attacker would follow the 527.3381 coins until something funny happens. I guess he will immediately notice when some coinjoin or laundering or tainting happens. Then he scans every tx, and creates sets of tx where the outputs sum up to the original amount. With today's hardware, databases and network analysis programs it probably doesn't matter if he ends up with 100 or a million sets of tx. Even if you "cash out" clean coins in weeks it should be possible to find it as one set among many many others.

So, you accidentally combine two of those tx? Bam, he will see it as a red flare lighting up, being one of a few candidates. And I see no problem to closely follow those five "red flares" manually, just as you would track unwashed coins to begin with.

I have a problem here, with my coins. I try to always use new addresses. So I end up with more and more addresses and smaller and smaller amounts, "dust". Every transaction results in one new address. Even worse, everything I do with one lump of bitcoins, and later with the change, is adding to the datatrail of this particular lump. If I start to eventually combine dust, the datatrail combines to much more than before.

Do I like "laundering"? Yes.
Is it any good, in theory? No. Might even give a false sense of security.
Solution? Do "laundering" with every single transaction.
How? Probably not with Bitcoin altogether. I don't think there is a possibility for such a fork.

One of the very few valid reasons for an alt-coin, now I think about it.

Ok, I learned something new while writing this post. Sometimes talking helps, even if you're just mumbling by yourself.

Ente
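The amount-matching search and the "red flare" check described in the post above, sketched from the analyst's side as an added example that is not part of the original thread. The output labels, noise amounts and later spends are constructed; only 527.3381 and the two splits come from the post.

```python
from decimal import Decimal
from itertools import combinations

SAT = 100_000_000  # satoshis per BTC; integers avoid float rounding


def sat(btc):
    return int(Decimal(btc) * SAT)


# Constructed sample outputs. o1..o4 carry the split amounts quoted in the
# post; o5..o7 are unrelated noise. All labels are hypothetical.
OUTPUTS = {
    "o1": sat("500"), "o2": sat("27.3381"),
    "o3": sat("371.51"), "o4": sat("155.8281"),
    "o5": sat("12.5"), "o6": sat("0.8"), "o7": sat("250"),
}

# Constructed later transactions: txid -> outputs consumed as inputs.
SPENDS = {
    "tx_a": {"o1", "o5"},  # one candidate output spent with noise
    "tx_b": {"o3", "o4"},  # both halves of one split recombined
}


def candidate_sets(outputs, target, max_size=3, fee_slack=0):
    """Sets of up to max_size outputs whose sum is target, less at most fee_slack."""
    hits = []
    for k in range(1, max_size + 1):
        for combo in combinations(sorted(outputs), k):
            total = sum(outputs[o] for o in combo)
            if target - fee_slack <= total <= target:
                hits.append(frozenset(combo))
    return hits


def red_flares(candidates, spends):
    """Transactions that co-spend two or more outputs of a single candidate set."""
    return [txid for txid, inputs in spends.items()
            if any(len(c & inputs) >= 2 for c in candidates)]


TARGET = sat("527.3381")
CANDIDATES = candidate_sets(OUTPUTS, TARGET)
FLAGGED = red_flares(CANDIDATES, SPENDS)

if __name__ == "__main__":
    for c in CANDIDATES:
        print("candidate set:", sorted(c))
    print("red flares:", FLAGGED)
```

Both splits from the post surface as candidate sets among the noise, and only the transaction that recombines one full set is flagged.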


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Dabs on September 18, 2013, 12:56:50 PM
Well, don't do that kind of mixing then. When you send coins from one place to another, you combine and spend them in such a way as the total amounts do not tally. That's not that hard to do, and if a lot of people do it even with unique looking amounts, they still get lost in all of that giant dataset called the blockchain.

It's actually easy to mix a small amount of coins on your own if you have patience. Just use any of those shared wallets and/or exchanges.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: BitVegas on September 18, 2013, 03:27:39 PM
How to launder

Part 1: Sell for cash on localbitcoins
Part 2: Buy with cash on localbitcoins

(not from the same guy obviously)

:)


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: dserrano5 on September 18, 2013, 03:31:39 PM
How to launder

Part 1: Sell for cash on localbitcoins
Part 2: Buy with cash on localbitcoins

There's a chance that your buyer knows about the address. Of course it will be too late to abort the transaction but he could point to your username in localbitcoins as an owner of the stolen funds. So:

Step 0: Create account on localbitcoins using tor. Perform a couple of dummy transactions to earn a minimal rep.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: QuestionAuthority on September 18, 2013, 04:12:08 PM
Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

Yes, there are two stages of laundering coins.
First stage, which is obvious and talked about everywhere, is how to transform dirty coins to fresh coins. There are several technical possibilities, which all break down to get the bitcoins from one, dirty address to a clean one. The problem is that it's easy to follow when you have 527.3381 coins going in, and 527.3381 coins showing up half an hour later at a totally unrelated address.
So you split it up into several addresses, possibly over a few days. So you end up with 500 and 27.3381 coins, or with 371.51 and 155.8281 coins, or some combination more clever than that. Doing that right, your individual addresses drown in the noise of the blockchain.
Voila, you effectively have anonymous coins. Or, at least, plausibly deniable coins.

Second stage?
If, at any time, you combine some of those coins into a tx, your cover is blown.
And since all data is public, it doesn't really matter when you do that.
An attacker would follow the 527.3381 coins until something funny happens. I guess he will immediately notice when some coinjoin or laundering or tainting happens. Then he scans every tx, and creates sets of tx where the outputs sum up to the original amount. With today's hardware, databases and network analysis programs it probably doesn't matter if he ends up with 100 or a million sets of tx. Even if you "cash out" clean coins in weeks it should be possible to find it as one set among many many others.

So, you accidentally combine two of those tx? Bam, he will see it as a red flare lighting up, being one of a few candidates. And I see no problem to closely follow those five "red flares" manually, just as you would track unwashed coins to begin with.

I have a problem here, with my coins. I try to always use new addresses. So I end up with more and more addresses and smaller and smaller amounts, "dust". Every transaction results in one new address. Even worse, everything I do with one lump of bitcoins, and later with the change, is adding to the datatrail of this particular lump. If I start to eventually combine dust, the datatrail combines to much more than before.

Do I like "laundering"? Yes.
Is it any good, in theory? No. Might even give a false sense of security.
Solution? Do "laundering" with every single transaction.
How? Probably not with Bitcoin altogether. I don't think there is a possibility for such a fork.

One of the very few valid reasons for an alt-coin, now I think about it.

Ok, I learned something new while writing this post. Sometimes talking helps, even if you're just mumbling by yourself.

Ente

Thank you for the in-depth explanation. That's the way I understood it as well. I read an article once where Jeff Garzik was explaining the value of open accounting where honest corporations would want their accounting to be auditable to the world and the possibility of implementing KYC scoring to cleaned coins. Also the way I understand it, government transaction analysis can be quite good. Parsing the transaction flow makes the value of mixing services more valueless the more collisions there are between addresses helping government pinpoint an individual user. So this little Zerocoin type experiment really does nothing to change that. I think fungibility is a real threat to Bitcoin adoption and was hoping this would be a solution to that problem. I've always believed the users of SR were fooling themselves. The anonymity doesn't come from Bitcoin; it comes from the mail drop system.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: User705 on October 18, 2013, 05:09:47 AM
What lawyers?

You'll need lawyers. And good ones.  ;)

Don't forget the guns and money.
Who needs money when you got BTC.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: wachtwoord on October 18, 2013, 05:16:21 AM
What lawyers?

You'll need lawyers. And good ones.  ;)

Don't forget the guns and money.
Who needs money when you got BTC.

I'm hiding in Honduras
I'm a desperate man
Send lawyers, guns and money
the shit has hit the fan


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Morbid on November 15, 2013, 09:44:10 PM
Can a wallet app be created to operate that mechanism optionally?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: WiW on November 16, 2013, 12:05:13 AM
Almost a year later here I am, no longer a noob.

This would make the new CoInvalidation schemes quite hard to maintain, wouldn't it now... If dirty coins are merged with new coins and then redistributed, all the coins should be dirty, hence making "dirty" coins just "regular" coins. :)


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: niniyo on November 16, 2013, 12:33:37 AM
Who would willingly participate in a CoinJoin transaction if they already have clean coins?  Naturally the inputs to these CoinJoins are going to be *very* red.  Participating would be a bad idea unless you've got some extremely dirty coins.  These coin mixers will be full of the filthiest of filthy coins.

I don't see much of an advantage to mixing around red coins - you still get back red coins.  So you might go from having 100% DPR coins, to having new coins that are 30% DPR, 30% inputs.io hack, 30% CryptoLocker, and 10% clean from whichever fool decided to donate their clean coins to the sea of red.

This scheme only seems to obscure the history by mixing transactions, but it doesn't reduce the red tarnish for the average participant.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: giszmo on November 16, 2013, 12:50:44 AM
Who would willingly participate in a CoinJoin transaction if they already have clean coins?  Naturally the inputs to these CoinJoins are going to be *very* red.  Participating would be a bad idea unless you've got some extremely dirty coins.  These coin mixers will be full of the filthiest of filthy coins.

I don't see much of an advantage to mixing around red coins - you still get back red coins.  So you might go from having 100% DPR coins, to having new coins that are 30% DPR, 30% inputs.io hack, 30% CryptoLocker, and 10% clean from whichever fool decided to donate their clean coins to the sea of red.

This scheme only seems to obscure the history by mixing transactions, but it doesn't reduce the red tarnish for the average participant.

It's the same arguments over and over again. If DPR-Coins are worth less than others, how can a merchant possibly accept coins? We need fungibility and it should be enforced by default.

Because people freak out about getting "dirty" coins, mixing has to be a default feature of the wallet that fulfills another purpose and thus only "accidentally" mixes. Reducing dust would help the miners once pruning is in place. Merging my dust outputs would reveal shared ownership, so this should be done in a transaction that involves others' dust or not so dust outputs. Once clients mix by default, there will not be anything wrong with owning "the wrong coins". It's sad it was not in the default client since ever.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: Pangia on November 16, 2013, 01:32:01 AM
How to launder

Part 1: Sell for cash on localbitcoins
Part 2: Buy with cash on localbitcoins

(not from the same guy obviously)

:)


How about using your BTC's to buy LTC's on BTC-E (we'll call it BTC-E #1 account).

Then send various amounts of  LTC's at different intervals to another BTC-E account (we'll call it BTC-E #2 account) and then once they arrive use those LTC's to purchase BTC's on BTC-E #2 account.

You can of course send the LTC's to multiple BTC-E accounts and then use the LTC's in these various accounts to repurchase BTC's.

How does that idea fly?


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: phillipsjk on December 04, 2013, 07:22:50 AM
Is anybody still doing this manually?

Or is everybody using automated tools now?

One thing that gives me pause is that I don't want the machine doing coin arithmetic to have network access.

Would be great if I don't have to download the whole block-chain as well.


Title: Re: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
Post by: BitUsher on December 28, 2018, 01:06:24 PM
Here is an implementation of a variation of this fungibility technique created by Samourai for people to review.

https://twitter.com/SamouraiWallet/status/1078604277726224384

https://oxt.me/transaction/546458c3470428bddada07f70676acb3646d8c1bc2ab3ab74204f8059a6fc3a7

Alice pays Bob 0.0005 BTC

              0.0005  (B)
(A) 0.002  =
              0.0015  (A)

Bob contributes 0.0011

(A) 0.002     0.0016  (B)
           =
(B) 0.0011    0.0015  (A)

Alice pays miner's fee

(A) 0.002     0.0016   (B)
           =
(B) 0.0011    0.001496 (A)

https://gist.github.com/LaurentMT/e758767ca4038ac40aaf