Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Rampion on March 10, 2014, 09:27:18 AM



Title: MtGox database leak: why you should always mix your coins.
Post by: Rampion on March 10, 2014, 09:27:18 AM
After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

EDIT FOR CLARIFICATION:

Bitcoin is pseudonymous: as soon as someone links one of your addresses to you (because you made a payment to him, or because a database of a service such as Gox is leaked) then he can learn your total BTC balance - or at least the total BTC balance of the wallet to which that address belongs - with trivial blockchain analysis.

By mixing your coins you make that task much more difficult, and thus you eliminate yourself from the list of easy targets in a situation as per the Gox database leak.

Said with other words: by not mixing your coins you are revealing your whole balance to the recipient of every transaction you make... And that is an important privacy breach.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: domob on March 10, 2014, 11:35:38 AM
Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Rampion on March 10, 2014, 12:35:51 PM
Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.

While it is not the best solution in terms of obfuscation, coinjoin is a pretty good system that IMO everybody should use. It's not perfect, but IMO it gives enough protection against the casual "let's see how much money this guy has" situation. A prepared and determined opponent will probably end up finding out your total balance, but it will take him more resources and time, which normally is something the casual criminal wants to avoid when looking for targets.

Summing up: By using coinjoin you avoid being the low hanging fruit, which is usually enough protection against a potentially dangerous situation similar to what happened with the leak of the Gox database. The criminals won't be able to easily check your current BTC balance, so you will probably be discarded as a target.

Tumblers like bitcoinfog provide better obfuscation, but the (huge) trade-off is that you should trust an unknown third party. I'd never risk more than 1% of my holdings to such services, but I think the service they provide is necessary and should be used, albeit with care and with just a very minor portion of one's funds at a time.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: domob on March 10, 2014, 12:55:34 PM
Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.

While it is not the best solution in terms of obfuscation, coinjoin is a pretty good system that IMO everybody should use. It's not perfect, but IMO it gives enough protection against the casual "let's see how much money this guy has" situation. A prepared and determined opponent will probably end up finding out your total balance, but it will take him more resources and time, which normally is something the casual criminal wants to avoid when looking for targets.

Summing up: By using coinjoin you avoid being the low hanging fruit, which is usually enough protection against a potentially dangerous situation similar to what happened with the leak of the Gox database. The criminals won't be able to easily check your current BTC balance, so you will probably be discarded as a target.

Tumblers like bitcoinfog provide better obfuscation, but the (huge) trade-off is that you should trust an unknown third party. I'd never risk more than 1% of my holdings to such services, but I think the service they provide is necessary and should be used, albeit with care and with just a very minor portion of one's funds at a time.

Yes, I think CoinJoin should be a very good start.  But do any really decentralised and fully working implementations of CoinJoin exist already?  I don't think so and would be interested to know if there are.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: dserrano5 on March 10, 2014, 01:21:53 PM
Yes, I think CoinJoin should be a very good start.  But do any really decentralised and fully working implementations of CoinJoin exist already?  I don't think so and would be interested to know if there are.

I'm not aware of any either but don't let that deter you from using one of the already existing solutions even if they aren't perfect.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: WhatTheGox on March 10, 2014, 01:23:23 PM

mix coins because why?


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: devthedev on March 10, 2014, 01:28:32 PM
Nah, never used Gox, lol.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: justusranvier on March 10, 2014, 01:29:05 PM

mix coins because why?
To protect yourself from cybercriminals.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: gollum on March 10, 2014, 02:09:21 PM
Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.
Never recommend that noobs use Tor, it's a honeypot where they are worse off than not using Tor at all.
Noobs should use a trustworthy VPN instead.
The optimal solution is VPN + Tor.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Gabi on March 10, 2014, 02:30:00 PM
Now, if the zerocoin concept would be implemented in bitcoin, it would be cool.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: crazy_rabbit on March 10, 2014, 02:48:53 PM
After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

Moral of the story so far would read more like: User mixed their BTC on the previous largest mixer out there - Silk Road. User got goxed. Or use Tor with Mt.Gox, and as they explicitly forbid this, they ban your account and never respond again to your support messages: get Goxed again.

It's a good idea in theory, but in reality we don't have good enough privacy tools for BTC yet.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: LiteCoinGuy on March 10, 2014, 03:11:56 PM
Now, if the zerocoin concept would be implemented in bitcoin, it would be cool.

that will never happen in my view, zerocoin will be on its own.

https://bitcointalk.org/index.php?topic=362468.msg3878992#msg3878992


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: phillipsjk on March 10, 2014, 04:09:44 PM
Never recommend that noobs use Tor, it's a honeypot where they are worse off than not using Tor at all.
Noobs should use a trustworthy VPN instead.
The optimal solution is VPN + Tor.

Not if you stay in-network. Unfortunately, my services (bitcoin node) are not tor-enabled yet. Namecoin has the potential to facilitate this with human-readable addresses as well.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Rampion on March 11, 2014, 08:00:31 AM
Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.
Never recommend that noobs use Tor, it's a honeypot where they are worse off than not using Tor at all.

I disagree, with a caveat: do not use Tor to access stuff linked with your real name, and always use end to end encryption to avoid eavesdropping.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: AnonyMint on March 11, 2014, 08:09:49 AM
Listen up please to learn some new technical information...

Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.

...

Tumblers like bitcoinfog provide better obfuscation, but the (huge) trade-off is that you should trust an unknown third party. I'd never risk more than 1% of my holdings to such services, but I think the service they provide is necessary and should be used, albeit with care and with just a very minor portion of one's funds at a time.

Problem is there is no way to know if a centralized service (VPN, exchange, mixer, tumbler, laundry) is hacked, under NSA gag order, dishonest, buggy, etc.

Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.

A decentralized solution is always best, as it should look like regular transactions.

Yes, I think CoinJoin should be a very good start.  But do any really decentralised and fully working implementations of CoinJoin exist already?  I don't think so and would be interested to know if there are.

I'm not aware of any either but don't let that deter you from using one of the already existing solutions even if they aren't perfect.

A decentralized CoinJoin will have difficulty forming transactions (including unequal or equal transaction amounts) that look like this if anyone can join:

https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b?show_adv=true

A sharedcoin transaction will look something like this: https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b (picked at random). As you can see, multiple inputs and outputs make determining the actual sender and receiver more difficult.

The server does not need to keep any logs and transactions are only kept in memory for a short time. However, if the server was compromised or under subpoena it could be force...

Because the way it must work is the users sign the transaction first with their requested outputs, then in the second round they sign their payments as inputs to the transaction. If the payment inputs are less than the total, then the transaction is invalid. There is no way to determine who cheated and rate limit them. Thus the saboteur can stomp on every attempt to create a CoinJoin transaction and destroy the decentralized system.

DarkCoin says they can solve this by charging a fee, but you will see I originally proposed that idea in the CoinJoin thread and the requirement is all the participants must be permanently identified and then must use divide-and-conquer to whittle down to who was the saboteur. But identification defeats the mixing!

Thus I have not yet seen a workable decentralized CoinJoin that can scale. And I don't expect one.

I posted this to the CoinJoin thread (https://bitcointalk.org/index.php?topic=279249.msg5637143#msg5637143) to get their technical peer-review of my statement.

Now, if the zerocoin concept would be implemented in bitcoin, it would be cool.

Just forget zerocoin even in an altcoin it won't work. Because it requires a trusted person to hold the private key that can unlock everything including taking all the zerocoins. This can't be fixed (contrary to ruminations otherwise), it is a fundamental mathematical property of the way zero knowledge proofs work when combined with an accumulator.

Also zerocoin has to be dedicated to preset transactions amounts (e.g. 1 BTC) else the anonymity set can be trivially collapsed by comparing input and output transaction amounts.

Never recommend that noobs use Tor, it's a honeypot where they are worse off than not using Tor at all.
Noobs should use a trustworthy VPN instead.
The optimal solution is VPN + Tor.

Not if you stay in-network. Unfortunately, my services (bitcoin node) are not tor-enabled yet. Namecoin has the potential to facilitate this with human-readable addresses as well.

Not true. Tor is always subject to timing analysis by an entity such as the NSA (which is recording and storing nearly all global encrypted traffic in Utah) which can see the encrypted packets running between Tor nodes.

Popular VPNs are also very likely all honeypots and unpopular ones give only a small anonymity set.

Currently the only known way to be reliably anonymous is to use a connection to the internet that can't be traced to you, e.g. a netcafe without cameras anywhere (and don't drive your car, as that has secret tracking built in according to the CEO of Ford), a throw-away mobile device and SIM that doesn't have your id registered and is used for no other activity, etc.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Rampion on March 11, 2014, 09:31:38 AM
Anonymint: we are not discussing being safe against a global adversary such as the NSA, we all know that mixers + Tor is probably not enough to defeat them because of honeypots, timing attacks, deep packet inspection, etc...

We are discussing using basic security procedures in order not to be "the low hanging fruit" and thus being reasonably safe against the casual hacker/criminal doing trivial blockchain and network analysis to easily link identities to BTC balances. For that purpose running your wallet through Tor and using a decentralized and trustless mixer such as coinjoin should be enough.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: AnonyMint on March 11, 2014, 09:39:41 AM
Anonymint: we are not discussing being safe against a global adversary such as the NSA, we all know that mixers + Tor is probably not enough to defeat them because of honeypots, timing attacks, deep packet inspection, etc...

We are discussing using basic security procedures in order not to be "the low hanging fruit" and thus being reasonably safe against the casual hacker/criminal doing trivial blockchain and network analysis to easily link identities to BTC balances. For that purpose running your wallet through Tor and using a decentralized and trustless mixer such as coinjoin should be enough.

The government and the criminals are sometimes one and the same.

But (uninformed) trust is all that is holding up the $150 trillion in fractional reserves (https://bitcointalk.org/index.php?topic=455141.msg5637503#msg5637503), so you won't find too many people that subscribe to my view (yet). They will learn by 2020.

And you did not address my technical point about CoinJoin, which has nothing to do with the NSA.

In short, we are pretty well f8cked approaching the 2016ish global conflagrapocalpyse.


Adam Back (the creator of Hashcash which Bitcoin is based on) explains the anonymity problem (https://bitcointalk.org/index.php?topic=509674.0) (jump to 24:25 mins into the video).


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: AnonyMint on March 11, 2014, 03:54:50 PM
And here is our friendly Bitcoin core developer...

AnonMint, Every post you've made here has been error and confusion.

Keep your ad hominem attacks out of it please. I asked kindly for technical comments.

The very first post in the thread points out that decentralized versions take more work because of the anti-DOS proofing.

And my post to which you are replying is in fact explaining the DOS (denial-of-service) is insoluble if you can't identify the participants in order to rate-limit them.

[A couple posts down](https://bitcointalk.org/index.php?topic=279249.msg2984051#msg2984051) I give some examples of how it can be done.

And again in that post you admit there is a DOS problem. You didn't solve it. And you can't solve it in a decentralized setting unless you have non-ephemeral identification of the participants. Which is precisely the point of my prior post to which you are replying.

You're presuming a broken model that I don't believe anyone here has ever suggested.

Incorrect. What I wrote is functionally equivalent to what you described. The point is the transaction can be jammed in the final round.

Since you didn't see the equivalence let me explain it. I thought you were smart enough to deduce such things. I chose to let the signatures of inputs go in the second and final round and point to a transaction because I envisioned using ring signatures. And the transaction won't be valid (the blockchain will reject it) if the inputs are less than the outputs, so my version is just as safe as yours. And the DOS problem is equivalent. Come on, you are a math guy, you can surely see that without me needing to explain it to you.

And if you think about it a while you will realize, by inverting the operations and using a ring signature, mine has advantages such as that not all have to sign in the first round before proceeding to the second round (they get excluded from the second round too). Yet the DOS issue remains in the final round.

You'd always begin the protocol by specifying the inputs in which you intend to sign. Signature authority over inputs is the principal scarcity that allows you to make the system dos-attack resistant. After the inputs are signed, outputs can be specified in a cheat proof way, and then the only avenue for disruption is refusing to sign which can be addressed by blacklisting your inputs (and other rate limiting tokens) and restarting.

Well now you see your error. You can reread my post again, and admit I was correct.

From your upthread post:

If a party fails to sign, everyone else is convinced that it's because they are jamming the process (intentionally or maliciously) and then can all ban (ignore in the future) whatever costly identity they used to enter the mix, or — if there is no other mechanism — that particular txin which they used.

And exactly how do you propose to identify that adversary in a decentralized setting?  ;) My point is you can't, at least not without breaking anonymity, and anonymity was the entire point of mixing.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Beef Supreme on March 11, 2014, 04:23:06 PM
After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

LOL, yeah but, didn't those same users just lose their ass and are now broke?


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: AnonyMint on March 11, 2014, 04:38:17 PM
LOL, yeah but, didn't those same users just lose their ass and are now broke?

The OP is also about people who cashed out before the Mt.Gox problems, yet their data may still have been leaked after the cash out event.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Rampion on March 11, 2014, 04:39:51 PM
After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

LOL, yeah but, didn't those same users just lose their ass and are now broke?

Not at all. Only a minority of Gox customers still had positive balances; the majority had already left Gox for good in the past. I'd say that an "orderly stampede" started to happen after the many red flags that were blatantly obvious since at least April, 2013 - just check the leaked info, the accounts with positive balances are just a fraction of the total Gox userbase.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: AnonyMint on March 11, 2014, 04:41:20 PM
...
Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.
...

NSA views encryption as evidence of suspicion and will target those who use it:

https://bitcointalk.org/index.php?topic=511198.0


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: whtchocla7e on March 11, 2014, 04:45:33 PM
I don't see how mixing coins is supposed to protect my identity.

What is the argument?


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: promojo on March 11, 2014, 04:45:56 PM
True... As of recent a lot of people have been saying watch out for criminal activity/community/etc.   Who has been approached/affected/threatened?

promoJo


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: foggyb on March 11, 2014, 04:53:30 PM
...
Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.
...

NSA views encryption as evidence of suspicion and will target those who use it:

https://bitcointalk.org/index.php?topic=511198.0

A certain three letter agency should turn their all-seeing digital spotlight on themselves with that same air of moral heroism.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Rampion on March 11, 2014, 05:04:31 PM
...
Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.
...

NSA views encryption as evidence of suspicion and will target those who use it:

https://bitcointalk.org/index.php?topic=511198.0

That's why everybody should use encryption by default. I've been using the Tor Browser Bundle for years for +50% of my browsing, basically for everything that is not linked with my real identity (banking stuff and such), and also for my QT instances, Bitmessage, IRC and so on. I also use PGP to sign (and sometimes also to encrypt) important work communications. I may be putting a red target on my back, but I confess I'm not worried about it. If they decide to look into me they will just waste their time as I'm not doing anything illegal; for me end to end encryption and onion routing for standard browsing are just healthy safety procedures that everybody should use. If I were doing something illegal, which I'm not, I would use Tor/encryption in a very different way: first and foremost I would have a dedicated machine in which I would run throwaway VM instances connecting through chained VPNs with very strict firewall rules, with Tor at the very end of such chain - and I would obviously never connect for such activities from any network also used for my non-illegal activity. I'd say that is just common sense - and wildly off-topic: the OP is about using easy procedures to avoid being an easy target for script kiddies and/or meatspace criminals targeting "bitcoin users" as a whole.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Rampion on March 11, 2014, 05:19:10 PM
I don't see how mixing coins is supposed to protect my identity.

What is the argument?

Bitcoin is pseudonymous: as soon as someone links one of your addresses to you (because you made a payment to him, or because a database of a service such as Gox is leaked) then he can learn your total BTC balance - or at least the total BTC balance of the wallet to which that address belongs - with trivial blockchain analysis.

By mixing your coins you make that task much more difficult, and thus you eliminate yourself from the list of easy targets in a situation as per the Gox database leak.

Said with other words: by not mixing your coins you are revealing your whole balance to the recipient of every transaction you make... And that is an important privacy breach.
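The linking Rampion describes here and in the OP's clarification, worked through as an added example that is not part of the thread: a constructed toy ledger, the two standard clustering heuristics (all inputs of a transaction share an owner; the single fresh output of a two-output transaction is the spender's change) applied from one leaked withdrawal address, and the same analysis when that spend was instead made inside an equal-output CoinJoin. Every address, amount and the CoinJoin detector rule are constructed assumptions, not data from the Gox leak.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Tx = Dict[str, List[Tuple[str, float]]]  # {"inputs": [(addr, btc), ...], "outputs": [...]}

# Constructed ledger (every name and amount is invented). The leaked record ties the
# victim only to W1, an exchange withdrawal address; M1..M4 are mining payouts and
# C1..C3 the wallet's change addresses.
BASE: List[Tx] = [
    {"inputs": [], "outputs": [("M1", 25.0)]},  # coinbase payouts
    {"inputs": [], "outputs": [("M2", 25.0)]},
    {"inputs": [], "outputs": [("M3", 25.0)]},
    {"inputs": [], "outputs": [("M4", 25.0)]},
    {"inputs": [], "outputs": [("OTHER1", 10.0)]},  # an unrelated user
    {"inputs": [("OTHER1", 10.0)], "outputs": [("SHOP", 1.0), ("OTHER2", 9.0)]},
    {"inputs": [("EXCHANGE_HOT", 500.0)],  # 5 BTC withdrawal to the victim
     "outputs": [("W1", 5.0), ("EXCHANGE_HOT2", 495.0)]},
]
# Variant A: the wallet co-spends W1 with a mining payout; change goes to fresh C1.
PLAIN_SPEND: Tx = {"inputs": [("W1", 5.0), ("M1", 25.0)],
                   "outputs": [("SHOP", 2.0), ("C1", 28.0)]}
# Variant B: the same 2.0 payment made inside an equal-output CoinJoin with the other user.
COINJOIN_SPEND: Tx = {"inputs": [("W1", 5.0), ("M1", 25.0), ("OTHER2", 9.0)],
                      "outputs": [("PAY_A", 2.0), ("PAY_B", 2.0), ("C1", 28.0), ("OTHER3", 7.0)]}
TAIL: List[Tx] = [  # later wallet activity, identical in both variants
    {"inputs": [("C1", 28.0), ("M2", 25.0)], "outputs": [("SHOP", 30.0), ("C2", 23.0)]},
    {"inputs": [("C2", 23.0), ("M3", 25.0)], "outputs": [("SHOP", 3.0), ("C3", 45.0)]},
]
PLAIN_LEDGER = BASE + [PLAIN_SPEND] + TAIL
COINJOIN_LEDGER = BASE + [COINJOIN_SPEND] + TAIL
VICTIM = {"W1", "M1", "M2", "M3", "M4", "C1", "C2", "C3"}  # ground truth, unknown to the analyst

def is_coinjoin(tx: Tx) -> bool:
    """Detector: several inputs and at least two outputs of identical value."""
    vals = [amt for _, amt in tx["outputs"]]
    return len(tx["inputs"]) >= 2 and any(vals.count(v) >= 2 for v in vals)

def build_clusters(ledger: List[Tx], coinjoin_aware: bool):
    """Union-find over addresses. Heuristic 1: all inputs of a transaction share an
    owner. Heuristic 2: in a two-output transaction whose other output reuses a known
    address, the single never-seen output is change. coinjoin_aware skips CoinJoins."""
    parent: Dict[str, str] = {}

    def find(a: str) -> str:
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    seen: Set[str] = set()  # addresses observed in earlier transactions
    for tx in ledger:
        ins = [a for a, _ in tx["inputs"]]
        if ins and not (coinjoin_aware and is_coinjoin(tx)):
            for a in ins[1:]:
                union(ins[0], a)
            if len(tx["outputs"]) == 2:
                fresh = [a for a, _ in tx["outputs"] if a not in seen]
                if len(fresh) == 1:
                    union(ins[0], fresh[0])
        seen.update(ins)
        seen.update(a for a, _ in tx["outputs"])
    return find

def unspent(ledger: List[Tx]) -> Dict[str, float]:
    """Positive balance per address after replaying the ledger."""
    bal: Dict[str, float] = defaultdict(float)
    for tx in ledger:
        for a, amt in tx["inputs"]:
            bal[a] -= amt
        for a, amt in tx["outputs"]:
            bal[a] += amt
    return {a: round(v, 8) for a, v in bal.items() if v > 0}

def revealed(ledger: List[Tx], leaked: str, coinjoin_aware: bool = False) -> Tuple[Set[str], float]:
    """Cluster reachable from the leaked address and the unspent BTC it holds."""
    find = build_clusters(ledger, coinjoin_aware)
    addrs = {a for tx in ledger for a, _ in tx["inputs"] + tx["outputs"]}
    root = find(leaked)
    members = {a for a in addrs if find(a) == root}
    bal = unspent(ledger)
    return members, round(sum(bal.get(a, 0.0) for a in members), 8)

def true_balance(ledger: List[Tx]) -> float:
    bal = unspent(ledger)
    return round(sum(bal.get(a, 0.0) for a in VICTIM), 8)

if __name__ == "__main__":
    for label, ledger in (("plain", PLAIN_LEDGER), ("coinjoin", COINJOIN_LEDGER)):
        for aware in (False, True):
            members, btc = revealed(ledger, "W1", aware)
            print(f"{label:8} aware={aware!s:5} revealed {btc:.2f} of "
                  f"{true_balance(ledger):.2f} BTC via {sorted(members)}")
```

The CoinJoin variant also shows the caveat: the victim's later change addresses still cluster with each other (start from C1 and the 45 BTC reappears), they just no longer reach back to W1, so a single later co-spend with an identity-linked coin restores the link.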


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Beliathon on March 11, 2014, 05:32:31 PM
Information is power. Never give it away.
The internet & cryptocurrency are the beginnings of a world where this paradigm no longer holds sway. That is the world I want to live in.

"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."

Free flow of information. Wikipedia. Torrents. Cryptocurrency. Our technology is taking us in a direction away from centralization of power. Away from dictators and sociopaths running our world.

Mankind's age of empires is over. The future is about decentralization, cooperation, openness, transparency, and truth.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Beef Supreme on March 11, 2014, 05:46:37 PM
Information is power. Never give it away.
The internet & cryptocurrency are the beginnings of a world where this paradigm no longer holds sway. That is the world I want to live in.

"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."

Free flow of information. Wikipedia. Torrents. Cryptocurrency. Our technology is taking us in a direction away from centralization of power. Away from dictators and sociopaths running our world.

Mankind's age of empires is over. The future is about decentralization, cooperation, openness, transparency, and truth.

Well said sir.  I too want to live in that world.


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: Beliathon on March 11, 2014, 06:01:01 PM
Information is power. Never give it away.
The internet & cryptocurrency are the beginnings of a world where this paradigm no longer holds sway. That is the world I want to live in.

"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."

Free flow of information. Wikipedia. Torrents. Cryptocurrency. Our technology is taking us in a direction away from centralization of power. Away from dictators and sociopaths running our world.

Mankind's age of empires is over. The future is about decentralization, cooperation, openness, transparency, and truth.

Well said sir.  I too want to live in that world.
We are building it together, my friend. Right now.

http://www.youtube.com/watch?v=yhzNhLgPX9o

"We're all here to do what we're all here to do. I'm interested in one thing, Neo. The future. And believe me, I know - the only way to get there is together."
-The Oracle


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: AnonyMint on March 12, 2014, 04:37:17 AM
Remember what I was writing about CoinJoin upthread:

And here is our friendly Bitcoin core developer...

...

Well I got another reply from CORE BITCOIN DEVELOPER gmaxwell and here is my rebuttal...posting here in case he deletes my post there as he has threatened me in a private message (which I also publish below)...

https://bitcointalk.org/index.php?topic=279249.msg5653238#msg5653238

I see those (other than gmaxwell who is not very ad hominem in his response, other than the slight "over and over" which is irrelevant to the technical response) who posted while I was sleeping have relished in their boastful snobbery.

Now let's deal with the humbling facts.

And my post to which you are replying is in fact explaining the DOS (denial-of-service) is insoluble if you can't identify the participants in order to rate-limit them.

And again in that post you admit there is a DOS problem. You didn't solve it. And you can't solve it in a decentralized setting unless you have non-ephemeral identification of the participants. Which is precisely the point of my prior post to which you are replying.

You are asserting it (over and over again), but it doesn't make it true. It was explained in adequate detail previously enough for other people to understand it and implement tools that address it.

Incorrect. What I wrote is functionally equivalent to what you described. The point is the transaction can be jammed in the final round.

It's actually not, since it's not actually possible in the Bitcoin protocol to do what (it sounds like) you're describing, but more importantly performing the operation in that order defeats the anti-dos. If you lead with the inputs they provide a trivial anti-dos mechanism.

And precisely how do you identify which input is the adversary when the correlation of the inputs and the outputs is necessarily cryptographically blinded?

As far as I can see, you can't.

I am confident that now you see the functionality w.r.t. anti-DOS of what I described and what you described are equivalent, i.e. anyone who is the least bit mathematical can see that the salient mathematical foundation of CoinJoin is that the correlation between the inputs and outputs must be cryptographically blinded, thus it makes no difference mathematically for anti-DOS whether the inputs or outputs are specified in the first round of the protocol.

As for whether my proposed protocol of putting the outputs in the first round is implementable on the Bitcoin blockchain, it is irrelevant since we are talking about a general protocol here and an altcoin could be designed to allow a transaction where outputs and inputs can be signed to point to the transaction nonce (a hash of any number) plus the addresses of the inputs OR outputs. I didn't bother to check how Bitcoin signs the transactions, because it is conceptually irrelevant to our discussion. Perhaps in Bitcoin the signature of the transaction must include all the inputs AND outputs. The reason I presented my formulation (in fact I mentioned the ring signatures idea from Adam Back in the Zerocoin thread months ago in this thread) is because it is more powerful conceptually than the one gmaxwell described. I thought gmaxwell would appreciate that since I think he is a math guy.

Quote
And exactly how do you propose to identify that adversary in a decentralized setting?  ;) My point is you can't, at least not without breaking anonymity, and anonymity was the entire point of mixing.

Because they fail to sign. There is no need to identify them beyond identifying their input coins to achieve rate limiting, and no need to identify the input/output correspondence.

I'll repeat it, since maybe other people are having problems following the link:

I will quote from your more detailed description upthread.

This is an extremely interesting idea.  Could you elaborate on how the Zerocoin transaction stages map to the stages of CoinJoin transaction creation?

For non-decentralized CoinJoin, you simply pass around a transaction and sign it. It's a single sequence and an atomic transaction, you'd make two loops through the users, one to discover the inputs and outputs, and another to sign them. There really aren't stages to it.

Making a decentralized CoinJoin secure, private, and resistant to DOS attack (people refusing to sign in order to make it fail) is trickier... for the privacy and dos attack resistance you can use ZC:

Presume the participants for a transaction are sharing some multicast medium and can all communicate.  They need to accomplish the task of offering up inputs (txid:vout) for inclusion in the transaction and then, in an unlinkable way, providing outputs to receive their coins.

Each participant connects and names bitcoin input(s), an address for change (if needed), and the result of performing a ZC mint transaction to add to the ZC accumulator. They sign all this with the keys for the corresponding inputs proving it's theirs to spend.

Then all the parties connect again anonymously and provide ZC redeem transactions which specify where the resulting bitcoins should go.

Zerocoin (ZC) requires a trusted party to generate the parameters, thus it is the antithesis of decentralized, so you have a logical error above.

https://github.com/Zerocoin/libzerocoin/wiki/Generating-Zerocoin-parameters

This isn't the only way to do this in a decentralized manner, the way to do it with blind signatures is fairly similar:

Each participant connects, names Bitcoin input(s), an address for change (if needed), a key for blind signing, and a blinded hash of the address they want paid. They sign all this with the keys for the corresponding inputs proving it's theirs to spend.

Each participant then blind signs the blinded hashes of all participants (including themselves).

And so how can you correlate which input is the one who didn't blind sign all?

As far as I can see, you can't.

I've dug very deep (into cryptography research papers) lately into trying to find a way to delink inputs from outputs without a trusted party, and I have realized that mathematically it can't be done. It is a fundamental conceptualization.

The only way to delink without anti-DOS is to use an accumulator commitment scheme with common NP-hard parameters that can be presented in an NIZKP (non-interactive zero knowledge proof) which will always require a trusted party to generate the common parameters for the trapdoor math.

This is just one example of a way to address this. There are several other ones possible— and discussed early on in this thread.  Other ones include publishing commitments and then if the process fails having everyone reveal their intended outputs (which they then discard and never use) in order to avoid being banned, or using an anonymous accumulator instead of blind signing to control access.

That isn't anti-DOS.

Each spender commits a hash of his intended output. Then everyone does the blinded protocol. If the blinded protocol fails, everyone including the adversary reveals the link between inputs and outputs, because by definition the output key must be an abundant resource so that it is not costly to reveal it and generate a new one to try again.

, or using an anonymous accumulator instead of blind signing to control access.

A ZKP + accumulator isn't decentralized as I explained above.

Tada!  :P


Here is the private message he sent me and my response to him... (bold emphasis is mine)

Go read my post in his thread from yesterday. It wasn't belligerent. It was a discussion of the technical issues and asked for technical comments. How is discussing technical facts belligerent?

Looks to me like below he is trying to justify an imminent abuse of his authority...

Note about the veracity and quality of my technical arguments, perhaps this one by me about the quantum computing threat qualifies (https://bitcointalk.org/index.php?topic=500994.msg5563229#msg5563229).

Eat humble pie. See my reply in the CoinJoin thread.

You are an ego maniac.

AnonMint, every post you've made here has been error and confusion.
Keep your ad hominem attacks out of it please. I asked kindly for technical comments.

It wasn't an ad hominem— I'm not expressing any opinion about your character. I can only assume that if you treat other people like you do people on the forum that you'd be starving in the streets or incarcerated, so presumably you're actually a nice person when you're not hiding behind a pseudonym on a Bitcoin forum...

Regardless, your behavior in the technical subforum is not very productive.  I have warned you previously.  Your responses come across as universally belligerent which is particularly aggravating to people because they are often confused in the technical details. Whatever approach you are using is not effectively communicating to people and not getting you useful answers because many people have you on ignore.

Your posts have been cited as an example by technical experts as to why they no longer participate in the forum... and I've certainly experienced it myself.

If you do not adopt a style which is less aggressive or up your level of technical mastery to the nearly flawless state which would be required to justify your aggressiveness I will exclude you from the technical subforum.

Cheers.
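The blind-signature CoinJoin round quoted in the exchange above, and the point that a participant who withholds a signature is attributed to the input it announced rather than to any output, as an added toy simulation that is not code from the thread or from any CoinJoin implementation. It uses textbook RSA blind signatures with constructed small primes; the input-key signatures on the step-1 announcements and the anonymous channel for step 4 are assumed rather than modelled.

```python
import hashlib
from math import gcd
from secrets import randbelow

E = 65537  # public exponent shared by the toy RSA blind-signing keys
# Small well-known primes for the toy keys (constructed; real keys are far larger)
PRIMES = [(104729, 2147483647), (1299709, 15485863), (999983, 1000003)]

def addr_hash(addr, n):  # output address hashed into the signer's modulus
    return int.from_bytes(hashlib.sha256(addr.encode()).digest(), "big") % n

def blind(m, n):  # Chaum blinding: (m * r^e mod n, r) with r invertible mod n
    while True:
        r = 2 + randbelow(n - 2)
        if gcd(r, n) == 1:
            return m * pow(r, E, n) % n, r

class Participant:
    def __init__(self, txin, output, pq, honest=True):  # step 1 data: txin + key
        p, q = pq
        self.n, self.d = p * q, pow(E, -1, (p - 1) * (q - 1))
        self.txin, self.output, self.honest, self.r = txin, output, honest, {}
    def blinded_for(self, signers):  # step 2: one blinded output hash per signer key
        out = {}
        for s in signers:
            out[s.txin], self.r[s.txin] = blind(addr_hash(self.output, s.n), s.n)
        return out
    def blind_sign(self, b):  # step 3: a DoS attacker simply withholds this
        return pow(b, self.d, self.n) if self.honest else None
    def reveal(self, blind_sigs):  # step 4: unblind; sent over an anonymous channel
        return self.output, {t: bs * pow(self.r[t], -1, n) % n
                             for t, (bs, n) in blind_sigs.items()}

def run_coinjoin(participants):  # returns (accepted outputs, banned txins)
    blinded = [p.blinded_for(participants) for p in participants]
    sigs, banned = [{} for _ in participants], set()
    for s in participants:  # step 3: every participant signs every blinded hash
        for i, bl in enumerate(blinded):
            if (sig := s.blind_sign(bl[s.txin])) is None:
                banned.add(s.txin)  # tied to the signer's step-1 txin; no
            else:                   # input/output correspondence is needed
                sigs[i][s.txin] = (sig, s.n)
    if banned:
        return [], banned  # callers retry without the banned inputs
    accepted = []
    for p, sg in zip(participants, sigs):  # step 4: verify under every key
        output, unblinded = p.reveal(sg)
        if all(pow(unblinded[s.txin], E, s.n) == addr_hash(output, s.n) for s in participants):
            accepted.append(output)
    return accepted, banned
```

When one participant refuses in step 3 the round aborts with only that participant's txin banned, and no output address is ever revealed, which is the rate-limiting property the quoted reply describes.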


Title: Re: MtGox database leak: why you should always mix your coins.
Post by: gollum on March 12, 2014, 12:53:11 PM
Why is it often people from Eastern Europe or Russia who hack people for profit?
Don't they have any ethics at all?

I know some good hackers; they hack for fun, but they never do it to hurt innocent people.