Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: theymos on July 07, 2010, 04:54:44 PM



Title: Anonymity
Post by: theymos on July 07, 2010, 04:54:44 PM
The current BitCoin implementation is certainly better than using a credit card, but I wouldn't use it in environments requiring strong anonymity without a lot of changes.

The history of a coin is publicly available. Anyone can see the flow of BitCoins from address to address.

http://img707.imageshack.us/img707/317/unknownaddress.th.png (http://img707.imageshack.us/i/unknownaddress.png/)

This becomes a problem when certain points in the "transaction chain" become known to the attacker. In the image below, the attacker controls both the source of Mr. Doe's BitCoins and the destination. Since Doe bought his coins using non-anonymous methods, he is easily identified. His identity is tied to an address in the transaction chain.

http://img682.imageshack.us/img682/6671/known.th.png (http://img682.imageshack.us/i/known.png/)

A more likely scenario is for your BitCoin balance to come from transactions made over insecure channels (email, this forum, etc.). If you're particularly careless, the destination can just Google all of the addresses in the transaction chain. Maybe he'll find that one of them is in your forum signature here.

I've thought of two ways to make this harder. The first is to randomly send your coins to new addresses that you've generated just for this purpose. The coins are still part of your balance, but it's impossible for an outsider to prove that you sent the coins to yourself instead of a real person. However, the transaction chain still has your identity in it. In a real investigation, you would be targeted for close examination because you either know (directly or indirectly) the real person who is under investigation, or you are that person.

http://img692.imageshack.us/img692/7418/simplemix.th.png (http://img692.imageshack.us/i/simplemix.png/)

The second way is for an external service to take the coins of many different people, mix them up, and send similar amounts back to those people's addresses. If the mixer keeps no logs of who gets which coins, any investigation must stop here.

http://img293.imageshack.us/img293/3070/external.th.png (http://img293.imageshack.us/i/external.png/)

For maximum security, BitCoin should have the capability to automatically send coins through several external mixers. Assuming at least one of them doesn't keep logs (and all of them actually return your coins), this should keep you completely safe.

There's a problem with safely coordinating all of this. You want all of your coins to be mixed at least once, but keeping track of this in a database will ruin your plausible deniability. Probably you'd have to initially keep track, but then delete the database after all the coins have been made safe.

Unrelated to the chain issues above, BitCoin is vulnerable to network analysis. If an attacker can watch all of your incoming and outgoing traffic, he can easily see which transactions are yours. If the connection is unencrypted (as it is now), he can see when you broadcast a transaction that you didn't receive.

Even when encrypted (through Tor or a built-in mechanism), it's not impossible for an attacker to see which transactions are yours if he can see both ends of one of your connections to the BitCoin network.

Your transactions can be identified through Tor like this:
1. The attacker fills the BitCoin network with IP addresses that he controls.
2. When one of these "evil nodes" receives a packet, the attacker sees if it was received close to the time when he saw you send a packet. If this happens a few times, the attacker knows who you are and can see your transmissions to the network.
3. When you send a transaction, the attacker knows it's yours if you send it without receiving a packet in a while.

To fix this, BitCoin should implement encryption, padding (to prevent any size-based identification), dummy packets, and randomization in sending times. Some plausible deniability could also be added if BitCoin could export and import transactions to/from a file (importing would broadcast the transaction to the network, while exporting would not). Then you could transmit this file in other ways (a flash drive, for example).

I also see two structural problems not related to anonymity:
- If the network is segmented at the network layer (because the PoTUS executed his "Internet kill switch", for example), the block chain will be forked. This would be really bad.
- It's very easy for an attacker with lots of IP addresses to fill the network with cancer nodes. I'm not sure how badly BitCoin could be affected by this.
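Added example (not part of the original post, and not Bitcoin's code): a backwards walk over the public address-to-address flow, showing why self-sends leave the known identity in the chain while a pooled mixer leaves several equally distant candidates. The address names, the three sample flows and the function name are constructed for illustration, and the model ignores amounts and individual coins.

```python
from collections import defaultdict, deque


def identities_upstream(address, transfers, known):
    """Walk the public flow backwards from `address`.

    transfers: list of (source_address, destination_address) pairs.
    known:     {address: identity} for addresses an investigator can name.
    Returns {identity: hops} for every identified address found upstream.
    """
    funded_by = defaultdict(set)
    for src, dst in transfers:
        funded_by[dst].add(src)

    found = {}
    seen = {address}
    queue = deque([(address, 0)])
    while queue:  # breadth-first, so the first hit per identity is the nearest
        addr, hops = queue.popleft()
        owner = known.get(addr)
        if owner is not None and owner not in found:
            found[owner] = hops
        for src in funded_by.get(addr, ()):
            if src not in seen:
                seen.add(src)
                queue.append((src, hops + 1))
    return found


# Constructed sample data: addresses whose owners are known from
# non-anonymous purchases, forum signatures and the like.
KNOWN = {"doe_1": "Doe", "alice_1": "Alice", "bob_1": "Bob"}

# Doe pays the destination straight from his identified address.
DIRECT = [("exchange", "doe_1"), ("doe_1", "merchant")]

# First countermeasure in the post: Doe sends to fresh addresses of his own.
SELF_MIX = [
    ("exchange", "doe_1"),
    ("doe_1", "fresh_1"),
    ("fresh_1", "fresh_2"),
    ("fresh_2", "merchant"),
]

# Second countermeasure: an external service pools several users' coins.
MIXER = [
    ("exchange", "doe_1"),
    ("doe_1", "mixer"),
    ("alice_1", "mixer"),
    ("bob_1", "mixer"),
    ("mixer", "out_1"),
    ("mixer", "out_2"),
    ("mixer", "out_3"),
    ("out_2", "merchant"),
]


def scenario_report():
    """Identities visible upstream of the destination in each scenario."""
    return {
        "direct": identities_upstream("merchant", DIRECT, KNOWN),
        "self_mix": identities_upstream("merchant", SELF_MIX, KNOWN),
        "mixer": identities_upstream("merchant", MIXER, KNOWN),
    }


if __name__ == "__main__":
    for name, result in scenario_report().items():
        print(name, result)
```

In the self-send case the chain still names Doe, only three hops away instead of one; with the mixer the chain alone cannot say which of the three depositors paid the merchant, which holds only as long as the mixer keeps no logs.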


Title: Re: Anonymity
Post by: Gavin Andresen on July 07, 2010, 05:57:36 PM
Whatever mechanism is chosen, it had better not significantly slow down the network or client unless strong anonymity is required/requested.

I've tried I2P and Tor, and, for me, super-strong privacy isn't worth the performance cost.

Also, regarding forking the block chain by a network split:

It's only "really bad" if I can get away with double-spending some coins before the network merges again.
If I'm buying valuable stuff, then the merchants will likely require 6 confirmations before releasing the goods, so I'd have to be able to keep the network split for an hour or more.

Merchants will likely have very-well-connected, long-running nodes.  For example, the Bitcoin Faucet has 66 connections right now.  If I wanted to try to implement a "fork the block chain attack" I'd have to somehow manage to insert my "cancer nodes" in between two merchants that I want to rip off (I'll end up ripping off one of the two, because eventually one of the two double-spend transactions will "win").

I don't know enough about network analysis to figure out how many cancer nodes you'd need to have a significant chance of getting in between two merchants with 60+ connections in a network of (say) 1,000 non-cancerous nodes, but I bet it is a very large number.


Title: Re: Anonymity
Post by: theymos on July 07, 2010, 06:35:21 PM
Everything I mentioned could be user-configurable, and most of it wouldn't slow down actual transactions. Even if you had all of these security features disabled, just having them implemented would give you plausible deniability in certain cases.

Block generation would be slowed in the case of a network split, so executing a double-spend would be even more difficult. I was thinking more of a problem like the Cogent-Level3 peering dispute, where there is no path between two ISPs for a long while. In this case, lots of transactions would be lost when the network is recombined and one of the chain's branches is discarded.


Title: Re: Anonymity
Post by: Gavin Andresen on July 07, 2010, 06:41:56 PM
Would the transactions on the other block chain be lost?

I thought they'd just be re-integrated into the new-best-chain (if they were valid), just starting with '1 confirmation' again...


Title: Re: Anonymity
Post by: theymos on July 07, 2010, 06:53:04 PM
I don't know how this is currently handled. It might already be fixed. I haven't looked at the source.


Title: Re: Anonymity
Post by: llama on July 07, 2010, 07:28:05 PM
Anonymity is not a feature that most users need.


Title: Re: Anonymity
Post by: NewLibertyStandard on July 07, 2010, 08:26:06 PM
*Strong

Anonymity is not a feature that most users need.


Title: Re: Anonymity
Post by: llama on July 07, 2010, 10:56:35 PM
*Strong

Anonymity is not a feature that most users need.

That's my Steve Jobsian statement of the day ;)

I'm not saying that it's not something worth working on, but we shouldn't prioritize anonymity features ahead of basic functionality, ease-of-use, and driving adoption.  There can always be a special implementation (maybe a separate client even) down the road that takes care of all of the features for ensuring anonymity.   As Gavin implied, many anonymity features would come at cost to users who don't need them.


Title: Re: Anonymity
Post by: Bitcoiner on July 07, 2010, 11:20:49 PM
I don't know, I personally find it rather disconcerting if users in the chain can be identified. For example, it wouldn't be enough for me to simply get bitcoins at an exchange, send them to a random address, and then use them from that point on. Your identity would still be linked. However, given the public nature of the transactions, I'm not sure if there is any way around this.

I agree with you though, the software needs to be usable with a well-designed UI, and it needs to be robust. Bitcoin needs a full security audit to see how robust it is to different kinds of attacks, and what is compromised.

*Strong

Anonymity is not a feature that most users need.

That's my Steve Jobsian statement of the day ;)

I'm not saying that it's not something worth working on, but we shouldn't prioritize anonymity features ahead of basic functionality, ease-of-use, and driving adoption.  There can always be a special implementation (maybe a separate client even) down the road that takes care of all of the features for ensuring anonymity.   As Gavin implied, many anonymity features would come at cost to users who don't need them.


Title: Re: Anonymity
Post by: Gavin Andresen on July 08, 2010, 12:11:08 AM
Quote from: Bitcoiner
I don't know, I personally find it rather disconcerting if users in the chain can be identified. For example, it wouldn't be enough for me to simply get bitcoins at an exchange, send them to a random address, and then use them from that point on. Your identity would still be linked. However, given the public nature of the transactions, I'm not sure if there is any way around this.

I'm sure somebody somewhere would/will be happy to sell you bitcoins anonymously; just put cash and a bitcoin receiving address in an envelope and mail it.  The exchange (who you'd have to trust to actually send you the coins) takes the cash and sends coins to the address.  They have no idea who you are, and your identity isn't linked to the coins.

Well, it isn't linked to the coins until you forget to turn on TOR or I2P before spending coins on something illegal.  Or you remain completely and utterly anonymous right up until you spend coins on something physical and have it shipped to your home address.  Or you arrange to have contraband "dead dropped" somewhere, and you get arrested when you go to pick it up.

None of which have anything to do with Bitcoins, and all of which seem to me to be more likely ways of getting into trouble than somebody managing to figure out that "transaction for purchase of illegal stuff" is linked to "Gavin purchased a bunch of Bitcoins from Bobby's Discount Bitcoin Emporium" last year.


Title: Re: Anonymity
Post by: NewLibertyStandard on July 08, 2010, 01:36:02 AM
+1 to Previous Post by gavinandresen

Because Bitcoin transactions are not forced through the regulated banking system, bitcoins can range from being not at all anonymous if I announce my transactions on twitter, to being completely anonymous so long as I purchase anonymously, obfuscate ownership by transferring to one or more intermediary addresses and then spend them anonymously. There's nothing wrong with adding that obfuscation optionally, but it's overkill to apply it to all transactions because not everyone needs that level of anonymity and no matter how anonymous you make it, it's never going to be anonymous to the folks who voluntarily reveal their identity.


Title: Re: Anonymity
Post by: Anonymous on July 08, 2010, 01:48:25 AM
90% of money has cocaine on it. :D



Title: Re: Anonymity
Post by: Timo Y on July 08, 2010, 12:59:21 PM
Real life example

1) I set up a fresh Bitcoin address/Bitcoin Client in a VPS hosted in Panama, connected via Tor.

2) I purchase a 100 EUR paysafecard code at some newsagent in a big, densely populated city. I pay cash, and make sure the newsagent is 2 km away from my home.

3) I advertise the sale of the paysafecard code on this forum, via Tor and a free public wifi hotspot,  using a fresh username.

4) A buyer shows up. I send him my bitcoin address and the paysafecard code from a freshly set up webmail address, again via Tor and a free public wifi hotspot.



Using above precautions, it will be very difficult to link my physical identity to my bitcoin address. Not impossible, but difficult enough for my purposes.


Title: Re: Anonymity
Post by: llama on July 08, 2010, 04:37:01 PM
Not bad.

As far as anonymous internet connections go, prepaid phones aren't a bad choice either.  They're cheap, nearly impossible to tie to the user, and can be destroyed when finished.  Again, they can be bought in densely crowded shopping malls or walmarts.

Don't forget to use an anonymous method to pay for the VPS foreverdamaged.  Perhaps a prepaid credit card also bought from a crowded location would do the trick.

By the way, I like to imagine that this user is in China and is trying to buy a book about freedom ;)


Title: Re: Anonymity
Post by: satoshi on July 08, 2010, 07:12:00 PM
It's hard to imagine the Internet getting segmented airtight.  It would have to be a country deliberately and totally cutting itself off from the rest of the world.

Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone.  It would only take one node to do it.  Anyone who wants to keep doing business would be motivated.

If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks.  Their number of confirmations would start over.

If anyone took advantage of the segmentation to double-spend, such that there are different spends of the same money on each side, then the double-spends in the shorter fork lose out and go to 0/unconfirmed and stay that way.

It wouldn't be easy to take advantage of the segmentation to double-spend.  If it's impossible to communicate from one side to the other, how are you going to put a spend on each side?  If there is a way, then probably someone else is also using it to flow the block chain over.

You would usually know whether you're in the smaller segment.  For example, if your country cuts itself off from the rest of the world, the rest of the world is the larger segment.  If you're in the smaller segment, you should assume nothing is confirmed.
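Added example (not part of the thread and not Bitcoin's own code): a small model of the recombination rule satoshi describes above, where transactions from the shorter fork return to the pool unless they conflict with a spend in the longer fork. The `Tx` structure, the `"txid:n"` outpoint notation and all sample transactions are constructed for illustration; the model also drops anything that spends an output of a losing double-spend, which follows from the rule but is not spelled out in the post.

```python
from typing import NamedTuple


class Tx(NamedTuple):
    txid: str
    inputs: frozenset  # outpoints being spent, written "txid:n"


def tx(txid, *inputs):
    return Tx(txid, frozenset(inputs))


def reorganize(short_fork, long_fork):
    """Apply the recombination rule to two forks (lists of blocks of Tx).

    Returns (back_in_pool, stuck_unconfirmed):
      back_in_pool       txids from the shorter fork that are eligible for
                         future blocks; their confirmations start over.
      stuck_unconfirmed  txids that lost a double-spend, or that spend an
                         output of a transaction that did.
    """
    if len(long_fork) <= len(short_fork):
        raise ValueError("long_fork must be the longer of the two forks")

    confirmed_in_long = {t.txid for block in long_fork for t in block}
    spent_in_long = {op for block in long_fork for t in block for op in t.inputs}

    back_in_pool, stuck = [], []
    stuck_ids = set()
    for block in short_fork:  # block order, so parents come before children
        for t in block:
            if t.txid in confirmed_in_long:
                continue  # present on both sides, nothing to do
            parents = {op.rsplit(":", 1)[0] for op in t.inputs}
            if t.inputs & spent_in_long or parents & stuck_ids:
                stuck.append(t.txid)
                stuck_ids.add(t.txid)
            else:
                back_in_pool.append(t.txid)
    return back_in_pool, stuck


# Constructed sample: coin1 is spent differently on each side of the split.
SHORT_FORK = [
    [tx("pay_merchant_A", "coin1:0"), tx("rent", "coin2:0")],
    [tx("spend_change", "pay_merchant_A:1"), tx("shared", "coin3:0")],
]
LONG_FORK = [
    [tx("pay_merchant_B", "coin1:0"), tx("shared", "coin3:0")],
    [tx("other_1", "coin4:0")],
    [tx("other_2", "coin5:0")],
]

if __name__ == "__main__":
    pool, stuck = reorganize(SHORT_FORK, LONG_FORK)
    print("back in pool, 0 confirmations:", pool)
    print("0/unconfirmed and staying that way:", stuck)
```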


Title: Re: Anonymity
Post by: throughput on August 10, 2010, 07:59:00 AM
Quote from: satoshi
It's hard to imagine the Internet getting segmented airtight.  It would have to be a country deliberately and totally cutting itself off from the rest of the world.

Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone.  It would only take one node to do it.  Anyone who wants to keep doing business would be motivated.

If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks.  Their number of confirmations would start over.

It is easy to imagine some bug in the implementation that may be triggered by some invalid, specially crafted network message. Let it cause the bitcoin client to hang, but only after retransmission of the same message to peers and after damaging the blockchain database on disk.

If there is only one implementation, with the same bugs shared among versions and platforms, then the entire network will lose the blockchain, and when the majority eventually recovers, every separate node will reconnect to some existing majority with its own notion of history. If that event happens as a coordinated attack, then we may get a very different history.
How can that affect previous transactions?
BTW, are there blockchain backups?

PS: Let's not discuss how impossible it is to exploit software vulnerabilities so precisely. That is an art with its own secrets and surprises. And no, I cannot do that right now to prove it is possible.


Title: Re: Anonymity
Post by: nimnul on August 12, 2010, 11:52:38 AM
Quote from: llama
Anonymity is not a feature that most users need.

Well, we need a poll. For me, anonymity is the only feature I need.


Title: Re: Anonymity
Post by: Tritonio on August 15, 2010, 01:10:21 AM
I bet anonymity is a must for many users. We definitely need a poll.
What happens if I send all my money to one of my unused addresses? I guess that coins from all other addresses are gathered in one and no one is able to tell if I sent them to myself. Right? As the OP (I think) said, I will be still in the "suspect" list but nevertheless it offers some deniability.

BTW when you send money to yourself the transaction log doesn't even list which the receiving account is...  ::)


Title: Re: Anonymity
Post by: lfm on August 15, 2010, 01:53:48 AM
Quote from: theymos
Block generation would be slowed in the case of a network split, so executing a double-spend would be even more difficult. I was thinking more of a problem like the Cogent-Level3 peering dispute, where there is no path between two ISPs for a long while. In this case, lots of transactions would be lost when the network is recombined and one of the chain's branches is discarded.

I don't think that "peering dispute" would have bothered Bitcoin networking really. Only direct connections between the two "warring" factions were cut. Indirect connections through one or more nodes not in either of the disputed territories could still link to both sides. (Both sides kept their connections to Google and Microsoft and so on.)


Title: Re: Anonymity
Post by: theymos on August 15, 2010, 02:00:56 AM
Quote from: Tritonio
I bet anonymity is a must for many users. We definitely need a poll.
What happens if I send all my money to one of my unused addresses? I guess that coins from all other addresses are gathered in one and no one is able to tell if I sent them to myself. Right? As the OP (I think) said, I will be still in the "suspect" list but nevertheless it offers some deniability.

BTW when you send money to yourself the transaction log doesn't even list which the receiving account is...  ::)

Don't send coins from one address to a different one on the same computer. This actually reduces your anonymity because it combines several different coins (some of which, such as generations, might be pretty anonymous). It's also obvious what you're doing because Bitcoin makes a special transaction when you send coins to yourself: it includes the full public key for the destination instead of the hashed public key used in normal transactions.

Right now, the best way to make your balance anonymous is to use MyBitcoin through Tor. MyBitcoin (presumably) pools all of its customers' balances, so it acts a bit like one of the external mixing services I described in the OP. However, unless they modified Bitcoin, they keep logs of every transaction, so they could identify you if they had to. It's like using a web proxy that keeps logs.

If I really wanted to make an anonymous transaction, this is what I would do:
- Send entire transaction amount to a new MyBitcoin account as a lump sum.
- Set up a brand new (empty) Bitcoin installation using Tor.
- Every day, withdraw 5% of the transaction amount to the new installation. Bonus points: add some randomization to the amount of Bitcoins you withdraw and the time between doing it.
- Finally, send the transaction from the new installation

I doubt you'll ever be traced after doing this unless you're doing something really illegal. If you want more anonymity, you can:
- Send fewer coins from MyBitcoin to your new installation over a longer period of time.
- Also add Vekja (another service like MyBitcoin). This is like chaining encrypted proxies: both will need to be compromised for you to be identified.

MyBitcoin and Vekja don't act like "true" external mixing services because they don't try to mix balances. If you're transferring a lot of money in this way, you're likely to get back most of your own coins, which would greatly reduce your anonymity.
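Added example (not part of the thread and not Bitcoin's own code): a check a wallet user could run over a transaction before relying on it for privacy, flagging the two signals theymos names above, several inputs combined into one transaction and an output that pays a full public key rather than a hashed one. The byte layouts are the standard pay-to-pubkey and pay-to-pubkey-hash script forms; the key and hash bytes, the input names and the function names are constructed for illustration.

```python
OP_DUP = 0x76
OP_HASH160 = 0xA9
OP_EQUALVERIFY = 0x88
OP_CHECKSIG = 0xAC


def classify_script(script: bytes) -> str:
    """Classify an output script as 'pubkey-hash', 'pubkey' or 'other'."""
    # Hashed form: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (
        len(script) == 25
        and script[0] == OP_DUP
        and script[1] == OP_HASH160
        and script[2] == 20
        and script[23] == OP_EQUALVERIFY
        and script[24] == OP_CHECKSIG
    ):
        return "pubkey-hash"
    # Full-key form: <push 65 or 33 bytes> <public key> OP_CHECKSIG
    if (
        len(script) in (35, 67)
        and script[0] == len(script) - 2
        and script[-1] == OP_CHECKSIG
    ):
        first = script[1]
        if len(script) == 67 and first == 0x04:        # uncompressed key
            return "pubkey"
        if len(script) == 35 and first in (0x02, 0x03):  # compressed key
            return "pubkey"
    return "other"


def review_transaction(inputs, output_scripts):
    """Report the two privacy signals discussed in the post.

    inputs:         list of outpoints the transaction spends.
    output_scripts: list of raw output scripts (bytes).
    """
    return {
        # More than one input means separate coins are now visibly linked.
        "merged_inputs": len(inputs) if len(inputs) > 1 else 0,
        # Outputs paying a full public key stand out from normal payments.
        "pubkey_outputs": [
            i for i, s in enumerate(output_scripts)
            if classify_script(s) == "pubkey"
        ],
    }


# Constructed sample data: filler bytes, not real keys or hashes.
SAMPLE_PUBKEY = b"\x04" + bytes(range(64))
TO_PUBKEY = bytes([len(SAMPLE_PUBKEY)]) + SAMPLE_PUBKEY + bytes([OP_CHECKSIG])
TO_HASH = (
    bytes([OP_DUP, OP_HASH160, 20])
    + bytes(20)
    + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
)

SELF_SEND = (["gen_a:0", "gen_b:0", "payment_c:1"], [TO_PUBKEY])
NORMAL_PAYMENT = (["payment_c:1"], [TO_HASH, TO_HASH])

if __name__ == "__main__":
    print("self-send:", review_transaction(*SELF_SEND))
    print("normal:   ", review_transaction(*NORMAL_PAYMENT))
```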


Title: Re: Anonymity
Post by: RHorning on August 15, 2010, 06:39:29 AM
Quote from: Tritonio
I bet anonymity is a must for many users. We definitely need a poll.
What happens if I send all my money to one of my unused addresses? I guess that coins from all other addresses are gathered in one and no one is able to tell if I sent them to myself. Right? As the OP (I think) said, I will be still in the "suspect" list but nevertheless it offers some deniability.

BTW when you send money to yourself the transaction log doesn't even list which the receiving account is...  ::)

Quote from: theymos
Don't send coins from one address to a different one on the same computer. This actually reduces your anonymity because it combines several different coins (some of which, such as generations, might be pretty anonymous). It's also obvious what you're doing because Bitcoin makes a special transaction when you send coins to yourself: it includes the full public key for the destination instead of the hashed public key used in normal transactions.

It sounds like this is something which desperately needs to be fixed.  There is no legitimate reason why transactions sent to yourself should be treated any differently than transactions to somebody else.  If anything, all "transactions" like this simply could be sent to "the nearest node" even if merely for confirmation and the "information" sent back to the original node.

This is a protocol problem and not something that should have "work arounds" that are merely kludges to something that can be fixed in the client and protocol itself.


Title: Re: Anonymity
Post by: theymos on August 15, 2010, 06:47:42 AM
Transfers to yourself are the same as transfers by IP address, so it was probably thought that this type of transfer would "blend in". No one uses IP transfers, though. (And no one should because they're insecure.)

Not much anonymity would be gained if this was fixed. You can't do proper "internal mixing" unless you have the ability to choose which coins you want to send to yourself.


Title: Re: Anonymity
Post by: RHorning on August 15, 2010, 07:20:44 AM
Quote from: theymos
Transfers to yourself are the same as transfers by IP address, so it was probably thought that this type of transfer would "blend in". No one uses IP transfers, though. (And no one should because they're insecure.)

Not much anonymity would be gained if this was fixed. You can't do proper "internal mixing" unless you have the ability to choose which coins you want to send to yourself.

Why?  If you sent a transaction to a bitcoin address, how is that any different than sending the transaction to somebody else?  I just don't "get it", or understand why this is anything different?  Why should sending to a bitcoin address be treated as an IP address transfer, when clearly it isn't?

I'm not disputing that it is the current behavior, I'm just asking why it must be this way.


Title: Re: Anonymity
Post by: mizerydearia on August 15, 2010, 07:33:06 AM
Would it be useful to use some of the information discussed in this thread in providing a type of documentation or information available on the wiki?  Something like http://www.bitcoin.org/wiki/doku.php?id=level_of_anonymity perhaps?


Title: Re: Anonymity
Post by: theymos on August 15, 2010, 07:36:38 AM
Quote from: RHorning
Why?  If you sent a transaction to a bitcoin address, how is that any different than sending the transaction to somebody else?

It's only different because you are capable of sending to a public key instead of a hash, since the full public key is in your wallet. Normally you don't have the full public key, so you must send it to a hash. There's no technical reason why you couldn't send self-transactions to a hash -- Bitcoin just doesn't. You don't need to extend the protocol at all to deal with this (the confirmation stuff you mentioned isn't necessary).


Title: Re: Anonymity
Post by: ichi on August 15, 2010, 08:59:08 AM
What would be the point of sending bitcoin to another of one's receiving accounts on the same computer?  Even if it weren't less secure, it seems pointless and dangerous (see "lost bitcoin" thread).  Am I missing something?

It's become my practice to create a new Ubuntu VM / Bitcoin client for each major transaction, and to trash it after subsequent transfers to longer-term clients.  The IPs are anonymized.  Does that actually increase anonymity?


Title: Re: Anonymity
Post by: Tritonio on August 16, 2010, 02:06:36 AM
Quote from: Tritonio
I bet anonymity is a must for many users. We definitely need a poll.
What happens if I send all my money to one of my unused addresses? I guess that coins from all other addresses are gathered in one and no one is able to tell if I sent them to myself. Right? As the OP (I think) said, I will be still in the "suspect" list but nevertheless it offers some deniability.

BTW when you send money to yourself the transaction log doesn't even list which the receiving account is...  ::)

Quote from: theymos
Don't send coins from one address to a different one on the same computer. This actually reduces your anonymity because it combines several different coins (some of which, such as generations, might be pretty anonymous). It's also obvious what you're doing because Bitcoin makes a special transaction when you send coins to yourself: it includes the full public key for the destination instead of the hashed public key used in normal transactions.

Quote from: RHorning
It sounds like this is something which desperately needs to be fixed.  There is no legitimate reason why transactions sent to yourself should be treated any differently than transactions to somebody else.

Exactly. I thought that if I created, let's say, three addresses and pass the money through each one of them, it would look like the money traveling through three different users. But because of this "inexplicable" feature it looks like I am schizophrenic.

BTW what's going on with that bug? I upgraded, added some good IP's and now it seems OK. But in the front page the older version is still served. Why?


Title: Re: Anonymity
Post by: RHorning on August 16, 2010, 09:35:03 AM
Quote from: ichi
What would be the point of sending bitcoin to another of one's receiving accounts on the same computer?  Even if it weren't less secure, it seems pointless and dangerous (see "lost bitcoin" thread).  Am I missing something?

It's become my practice to create a new Ubuntu VM / Bitcoin client for each major transaction, and to trash it after subsequent transfers to longer-term clients.  The IPs are anonymized.  Does that actually increase anonymity?

While I've railed against the software in some ways, this is the behavior that Freenet uses... as a means to preserve anonymity.  By acting as if you had "received" the transaction from another node (even though you are the one generating the data in the first place), it puts plausible deniability that you were the origin of that data.  Furthermore, I fail to see how "dangerous" it would become if you are asking for another node to "confirm" the transaction.... something quite important to the health and stability of the network in the first place.  Freenet even goes an extra step by having clients randomly "inject" data received from other nodes to 3rd party nodes to make it even fuzzier who got the data in case somebody does an audit.  There is no need for Bitcoin to be that paranoid but it is useful to see what extreme step you can take if you want to preserve anonymity.

There is no need to create a whole new VM/Bitcoin client, and in fact that sort of behavior actually puts a huge load on the network unless you are also copying over the whole block chain when you are creating this "new client" and keeping that block chain up to date.  Even then, that is a whole bunch of extra work that is a waste of your time.  Again, you are taking on a relatively simple problem that can be fixed within the protocol and hitting it with not just a big hammer but using a nuke instead.  You can waste your time if you want, but using that as a recommendation to others to waste their time when it isn't needed is bad form.

In terms of the danger of losing transactions, this last little issue of the bad block which forced the upgrade to v. 0.3.10 has actually increased my "faith" that the network will do just fine if you send the transaction and just depend on the network getting it right.  How you might lose coins is if you send them to an address that doesn't exist through mistyping the recipient's address (in this case your own) in some fashion or some other technical fault that has nothing to do with transmitting the transaction to another node.

Quote from: RHorning
Why?  If you sent a transaction to a bitcoin address, how is that any different than sending the transaction to somebody else?

Quote from: theymos
It's only different because you are capable of sending to a public key instead of a hash, since the full public key is in your wallet. Normally you don't have the full public key, so you must send it to a hash. There's no technical reason why you couldn't send self-transactions to a hash -- Bitcoin just doesn't. You don't need to extend the protocol at all to deal with this (the confirmation stuff you mentioned isn't necessary).

I'm not talking about extending the protocol here at all.... as a matter of fact it is a simplification of the protocol and perhaps even the client software too.  There is no reason to have a special case if the transaction happens to go to a key that exists on that same computer, and certainly no reason for any extra data to be recorded that would indicate a self-referential transaction that appears externally as anything other than a coin transfer from one user to another.  Explicit special coding must happen for that situation to occur... in other words software development effort has been spent to make the current situation that removes anonymity.  It is a case where keeping it simple helps improve the overall algorithm.


Title: Re: Anonymity
Post by: Insti on August 16, 2010, 11:08:11 AM
Quote from: theymos
Don't send coins from one address to a different one on the same computer. This actually reduces your anonymity because it combines several different coins (some of which, such as generations, might be pretty anonymous). It's also obvious what you're doing because Bitcoin makes a special transaction when you send coins to yourself: it includes the full public key for the destination instead of the hashed public key used in normal transactions.

Quote from: RHorning
It sounds like this is something which desperately needs to be fixed.  There is no legitimate reason why transactions sent to yourself should be treated any differently than transactions to somebody else.

+1


Title: Re: Anonymity
Post by: mizerydearia on August 16, 2010, 11:37:41 AM
Quote from: RHorning
software development effort has been spent to make the current situation that removes anonymity.

Maybe this should be the next news headline posted at top of forum pages after the current warning becomes less important.


Title: Re: Anonymity
Post by: ichi on August 16, 2010, 12:05:33 PM
Quote from: RHorning
While I've railed against the software in some ways, this is the behavior that Freenet uses... as a means to preserve anonymity.  By acting as if you had "received" the transaction from another node (even though you are the one generating the data in the first place), it puts plausible deniability that you were the origin of that data.  Furthermore, I fail to see how "dangerous" it would become if you are asking for another node to "confirm" the transaction.... something quite important to the health and stability of the network in the first place.
I was thinking of http://bitcointalk.org/index.php?topic=782.msg8905#new (http://bitcointalk.org/index.php?topic=782.msg8905#new).

Quote
There is no need to create a whole new VM/Bitcoin client, and in fact that sort of behavior actually puts a huge load on the network unless you are also copying over the whole block chain when you are creating this "new client" and keeping that block chain up to date.  Even then, that is a whole bunch of extra work that is a waste of your time.  Again, you are taking on a relatively simple problem that can be fixed within the protocol and hitting it with not just a big hammer but using a nuke instead.  You can waste your time if you want, but using that as a recommendation to others to waste their time when it isn't needed is bad form.
Right.  So far, I've done that only for large purchases of bitcoin.  I'm not an exchange, so it's relatively infrequent.  Also, given that I'm mailing cash, receiving clients typically live for a week or two, and the additional load is small relative to my total contribution to the network.

Is that a waste of time?  Well, creating a new Ubuntu VM / Bitcoin client only takes a few minutes.  If that increases my anonymity, even marginally, it's well worth the effort.  For those who aren't as concerned about anonymity, it's certainly overkill.

Edit:  To be explicit, my threat model is this: Can I remain anonymous when all with whom I exchange bitcoin are conspiring to identify me?  For me, here and now, that's probably overkill, in that I'm just a guy buying anonymous connectivity and server resources.  In China, OTOH?  Anywhere in ten years?  Hard to say.

Quote
How you might lose coins is if you send them to an address that doesn't exist through mistyping the recipient's address (in this case your own) in some fashion or some other technical fault that has nothing to do with transmitting the transaction to another node.
In my experience, sending doesn't work with incorrect addresses.

Quote
I'm not talking about extending the protocol here at all.... as a matter of fact it is a simplification of the protocol and perhaps even the client software too.  There is no reason to have a special case if the transaction happens to go to a key that exists on that same computer, and certainly no reason for any extra data to be recorded that would indicate a self-referential transaction that appears externally as anything other than a coin transfer from one user to another.  Explicit special coding must happen for that situation to occur... in other words software development effort has been spent to make the current situation that removes anonymity.  It is a case where keeping it simple helps improve the overall algorithm.
I totally agree with this, FWIW.


Title: Re: Anonymity
Post by: mizerydearia on August 16, 2010, 12:42:10 PM
Quote
In my experience, sending doesn't work with incorrect addresses.

Incorrect addresses as in malformed addresses that are illegal or as in addresses that are currently considered nonexistent due to not being generated yet?

If the latter, how is it possible that all clients can verify whether an address exists or not?  Perhaps a call asking if it exists and if no response in ~2secs or so, then it doesn't exist?


Title: Re: Anonymity
Post by: Insti on August 16, 2010, 12:50:38 PM

You can send to an address that does not exist.

A bitcoin address has a checksum in it, so it will stop you sending to a 'made up - invalid' address like 1abadadfakjflsdfjadslfjalfj
But it's possible to construct valid non existing addresses if you know what you are doing. But you won't do this accidentally.

Being able to verify if an address existed would be bad.
Does the address with the lost private key that has 8999 BTC in it exist or not?



Title: Re: Anonymity
Post by: ichi on August 16, 2010, 01:19:29 PM

Quote
You can send to an address that does not exist.

A bitcoin address has a checksum in it, so it will stop you sending to a 'made up - invalid' address like 1abadadfakjflsdfjadslfjalfj
Yes, I've struggled sometimes copying addresses among isolated machines.  Including checksums is a great feature.

Quote
But it's possible to construct valid non existing addresses if you know what you are doing. But you won't do this accidentally.
Why would one do that?

Related question.  Suppose one created an address, and then took the host client down.  And suppose someone then sent bitcoin to that address.  Would that bitcoin exist indefinitely in limbo, waiting for the address to appear?  Or would the transfer just fail, and reverse itself?


Title: Re: Anonymity
Post by: Insti on August 16, 2010, 02:03:34 PM
Quote
But it's possible to construct valid non existing addresses if you know what you are doing. But you won't do this accidentally.
Why would one do that?
I can't think of a reason why you'd want to. I was just trying to illustrate that you didn't actually need to generate a private key to create an apparently valid Bitcoin address.

Quote
Related question.  Suppose one created an address, and then took the host client down.  And suppose someone then sent bitcoin to that address.  Would that bitcoin exist indefinitely in limbo, waiting for the address to appear?  Or would the transfer just fail, and reverse itself?
You don't need to have a client running to receive bitcoins.
Once you create an address, any coins sent to it will just sit there waiting for you to spend them.
Any transfer to a 'valid' address should be successful. It is VERY rare for a transaction to be reversed.
There are other threads that explain this in more detail. This is not really an Anonymity issue.
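
The checksum behaviour Insti describes in the two posts above, as an added example that is not part of the original thread or of the Bitcoin client's code: a Base58Check validator that rejects the made-up address quoted above, yet accepts an address built from 20 arbitrary bytes for which no key pair was ever generated. The function names and the sample hash are assumptions made for illustration.

```python
import hashlib

# Base58 alphabet used by Bitcoin addresses (no 0, O, I or l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash behind the address checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is written as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("bad character")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def encode_address(hash160: bytes, version: int = 0x00) -> str:
    """Build an address from a 20-byte hash. No private key is involved."""
    if len(hash160) != 20:
        raise ValueError("hash160 must be 20 bytes")
    payload = bytes([version]) + hash160
    return b58encode(payload + sha256d(payload)[:4])


def check_address(addr: str, version: int = 0x00) -> str:
    """Return 'ok' or the reason the address is rejected.

    This proves only that the string is well formed. It cannot tell
    whether anyone holds a private key for the address.
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return "bad character"
    if len(raw) != 25:  # 1 version byte + 20 hash bytes + 4 checksum bytes
        return "bad length"
    payload, checksum = raw[:-4], raw[-4:]
    if sha256d(payload)[:4] != checksum:
        return "bad checksum"
    if payload[0] != version:
        return "unexpected version"
    return "ok"


# Constructed sample: 20 arbitrary bytes, not derived from any key pair.
CONSTRUCTED_HASH160 = bytes(range(20))


def demo() -> dict:
    good = encode_address(CONSTRUCTED_HASH160)
    # Simulate a one-character copying mistake in the last position.
    typo = good[:-1] + ("3" if good[-1] != "3" else "4")
    return {
        "made-up address from the post": check_address("1abadadfakjflsdfjadslfjalfj"),
        "constructed, no key exists": check_address(good),
        "constructed with one typo": check_address(typo),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```
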


Title: Re: Anonymity
Post by: nelisky on August 16, 2010, 03:04:02 PM
Quote
You don't need to have a client running to receive bitcoins.
Once you create an address, any coins sent to it will just sit there waiting for you to spend them.

So, in theory, I could parse all the blocks, extract all the addresses and then make a tree of txins and txouts. With a little (a lot of?) effort, I could then try and split the txins from a txout into payment / change, effectively knowing which addresses belong to a single user. For those users that have a public address, this would be an unexpected disclosure.

I know the 'splitting the payment / change' is somewhat of a flawed argument, there is no way of being 100% sure all the time, but some rules might apply more often than not:
- Is there a txin for change = 0? This one is obviously from the sender
- On transactions of high value, chances are the highest part is the change (the 8999 lost coins thread being one such example)
- Future transactions from the change address will always carry the exact change amount + new txins, whereas the transfer recipient may very well already have a balance on the provided address.

I'm sure that all the statistically inclined fellow bitcoiners, being presented with a large enough annotated sample of the transactions to date could come up with a high accuracy model.


Title: Re: Anonymity
Post by: ByteCoin on August 16, 2010, 04:53:34 PM
Quote
Related question.  Suppose one created an address, and then took the host client down.  And suppose someone then sent bitcoin to that address.  Would that bitcoin exist indefinitely in limbo, waiting for the address to appear?  Or would the transfer just fail, and reverse itself?
You don't need to have a client running to receive bitcoins.
Once you create an address, any coins sent to it will just sit there waiting for you to spend them.
Any transfer to a 'valid' address should be successful. It is VERY rare for a transaction to be reversed.
There are other threads that explain this in more detail. This is not really an Anonymity issue.
Actually, when you send coins to an address you can view the coins as sitting there waiting for the address "holder" to spend them even if the address doesn't exist. If that address is created in future then they can spend the coins.
If you send coins to an address for which the private key has been lost then the coins can be imagined to be in limbo waiting for either the private key to be recovered or for a new key with the same address to be generated.
(Not sure about the "new key with same address" bit. May depend on the details of the transaction).

ByteCoin



Title: Re: Anonymity
Post by: NewLibertyStandard on August 16, 2010, 09:26:04 PM
Sending payments to fake addresses provides a way to broadcast short encoded and optionally encrypted unalterable messages to the world anonymously. Have security codes for the organization committing genocide, but scared you'll be killed if the publisher accidentally reveals your identity? :o Publish them with Bitcoin. 8)


Title: Re: Anonymity
Post by: theymos on August 16, 2010, 09:36:16 PM
Quote from: ichi
It's become my practice to create a new Ubuntu VM / Bitcoin client for each major transaction, and to trash it after subsequent transfers to longer-term clients.  The IPs are anonymized.  Does that actually increase anonymity?

From the "Anonymity" article (http://www.bitcoin.org/wiki/doku.php?id=anonymity) on the wiki:
Quote
Sending coins to a different computer under your control will give you some plausible deniability. However, an investigator is still likely to find you and demand to know who you sent the coins to. If they search your stuff, they'll probably find your other computer. If the attacker is not law enforcement (or maybe even if they are), they might kill you “just in case”. If you use this method, send bitcoins in small increments (no more than 50 BTC, but as small as you're willing to use) to avoid combining coins, which reduces anonymity.

Also:
Quote
Tor prevents network analysis and should be used, but it won't help make your Bitcoin balance “clean”. The attacker isn't talking to you over the Internet; they're looking at your changes to the block chain. This is similar to posting a threat and your street address on a message board using Tor – Tor doesn't stop the police from finding you.

Quote from: ichi
To be explicit, my threat model is this: Can I remain anonymous when all with whom I exchange bitcoin are conspiring to identify me?  For me, here and now, that's probably overkill, in that I'm just a guy buying anonymous connectivity and server resources.  In China, OTOH?  Anywhere in ten years?  Hard to say.

As long as it's not illegal to use Bitcoin, Bitcoin can satisfy that threat model. The current implementation does not, however.

Quote from: RHorning
I'm not talking about extending the protocol here at all.... as a matter of fact it is a simplification of the protocol and perhaps even the client software too.  There is no reason to have a special case if the transaction happens to go to a key that exists on that same computer, and certainly no reason for any extra data to be recorded that would indicate a self-referential transaction that appears externally as anything other than a coin transfer from one user to another.  Explicit special coding must happen for that situation to occur... in other words software development effort has been spent to make the current situation that removes anonymity.  It is a case where keeping it simple helps improve the overall algorithm.

I agree that the behavior should be changed. The change is not really a simplification, though: it's the use of hashes (addresses) that is a bit of a "hack". The thought was probably, "We know the public key, so let's avoid all of that hashing garbage."


Title: Re: Anonymity
Post by: FreeMoney on August 16, 2010, 10:31:27 PM
Quote
Sending payments to fake addresses provides a way to broadcast short encoded and optionally encrypted unalterable messages to the world anonymously. Have security codes for the organization committing genocide, but scared you'll be killed if the publisher accidentally reveals your identity? :o Publish them with Bitcoin. 8)

It would be just terrible if people realized there was a way to post messages to the internet.  ::)


Title: Re: Anonymity
Post by: NewLibertyStandard on August 16, 2010, 10:47:31 PM
Quote
Sending payments to fake addresses provides a way to broadcast short encoded and optionally encrypted unalterable messages to the world anonymously. Have security codes for the organization committing genocide, but scared you'll be killed if the publisher accidentally reveals your identity? :o Publish them with Bitcoin. 8)

It would be just terrible if people realized there was a way to post messages to the internet.  ::)
Bitcoin is much harder to crash than your average web server. Bitcoin is harder to manipulate than your average decentralized message board.


Title: Re: Anonymity
Post by: RHorning on August 17, 2010, 12:10:34 AM
Quote
Sending payments to fake addresses provides a way to broadcast short encoded and optionally encrypted unalterable messages to the world anonymously. Have security codes for the organization committing genocide, but scared you'll be killed if the publisher accidentally reveals your identity? :o Publish them with Bitcoin. 8)

That is an interesting application of Bitcoins that I hadn't thought of.  Sending 0.0000001 BTC to some "trigger" address to detonate some weapon or to trigger a bot/virus to send a simple (even "complex") message when the value is received.  I could think of several "covert" applications to something of that nature, and it would be difficult to trace the origin of that transmission too.

Other peer-to-peer networks could work along a similar approach, but the current organization of Bitcoins assures that everybody in the entire network is aware of the transaction in a relatively short period of time (usually just an hour or less) and even temporarily split off sections of the network will eventually get the message out.

I've heard about this being done in the financial industry where somebody will send out an ask/bid order for stocks or mutual funds that is far outside of normal trading boundaries as a means to transmit a message in some fashion (aka bidding $5 for Berkshire Hathaway Class "A" stock).  I'm sure other examples could be given but it is something that has already been discussed in other forums and even has fiction written about it.  Tom Clancy wrote about it in terms of a trigger event for a melt-down of Wall Street in one of his novels.

It is the persistence that nodes have for transmitting transactions to each other that would be beneficial here.  If anything, this is a consequence of becoming more anonymous in terms of the transactions.


Title: Re: Anonymity
Post by: lfm on August 17, 2010, 01:03:09 AM
Quote
Sending payments to fake addresses provides a way to broadcast short encoded and optionally encrypted unalterable messages to the world anonymously. Have security codes for the organization committing genocide, but scared you'll be killed if the publisher accidentally reveals your identity? :o Publish them with Bitcoin. 8)

That is an interesting application of Bitcoins that I hadn't thought of.  Sending 0.0000001 BTC to some "trigger" address to detonate some weapon or to trigger a bot/virus to send a simple (even "complex") message when the value is received.  I could think of several "covert" applications to something of that nature, and it would be difficult to trace the origin of that transmission too.

Not really any different from the classified ad.


Title: Re: Anonymity
Post by: ichi on August 17, 2010, 05:41:21 AM
Quote
From the "Anonymity" article (http://www.bitcoin.org/wiki/doku.php?id=anonymity) on the wiki:
Quote
Sending coins to a different computer under your control will give you some plausible deniability. However, an investigator is still likely to find you and demand to know who you sent the coins to. If they search your stuff, they'll probably find your other computer. If the attacker is not law enforcement (or maybe even if they are), they might kill you “just in case”. If you use this method, send bitcoins in small increments (no more than 50 BTC, but as small as you're willing to use) to avoid combining coins, which reduces anonymity.
Determining my true identity would be nontrivial.  Even XeroBank doesn't know who owns the email address posted in my profile.  If y'all complained enough about me, they'd nuke the account, but they still wouldn't know who I am.  Indeed, I'd still be paying for the account, even though it no longer existed.  Google "VAULTS".  Of course, they may be lying about all that  ;)

Quote
Also:
Quote
Tor prevents network analysis and should be used, but it won't help make your Bitcoin balance “clean”. The attacker isn't talking to you over the Internet; they're looking at your changes to the block chain. This is similar to posting a threat and your street address on a message board using Tor – Tor doesn't stop the police from finding you.
How would they find me?  What's the equivalent of my street address?  Is it just the network of clients that I've done transfers with?  What if none of them know who I am?  Am I missing something?


Title: Re: Anonymity
Post by: RHorning on August 17, 2010, 11:03:01 PM
Quote
Not really any different from the classified ad.

Yes, you could do this with something on Craig's List too.  Some of it would depend upon the triggering mechanism and how light-weight you would need the software stack, and to make sure you aren't tipping off somebody looking for messages of that nature that just seem a little bit odd.  A coin transfer would be harder to spot as something a little bit off and I think you might be able to create a lightweight version of Bitcoins that could be smaller than an http scanner to act as a trigger.

Anyway, for those who are into terrorist activities, I'm sure you can come up with dozens of ways to accomplish that kind of mechanism.  Perhaps some day I'll set up something that will release my blueprints to the Area 51 facility that will be untraceable.


Title: Re: Anonymity
Post by: MoonShadow on August 17, 2010, 11:20:49 PM
Quote
Sending payments to fake addresses provides a way to broadcast short encoded and optionally encrypted unalterable messages to the world anonymously. Have security codes for the organization committing genocide, but scared you'll be killed if the publisher accidentally reveals your identity? :o Publish them with Bitcoin. 8)

Why would the addresses need to be fake?  It is a good way to inexpensively reference a purchase online.  Say, for example, that you wish to order something from an automated commerce website that costs 205.53 bitcoins.  There is still six digits of the bitcoin that can be used to imprint an order number.  Say the order number is 633729, the total cost of the order would look like 205.53633729 bitcoin on the blockchain.  Granted, the commerce site could issue a new address for every order, but what if they had some reason not to do that.  What if each unique customer had an address assigned to them, but the ecommerce site desired to positively identify each of that person's orders from one another without requiring some kind of additional message parameters that bitcoin does not support, and even if it did, would provide TMI about the transaction.


Title: Re: Anonymity
Post by: theymos on August 18, 2010, 01:34:25 AM
Quote from: ichi
How would they find me?  What's the equivalent of my street address?  Is it just the network of clients that I've done transfers with?  What if none of them know who I am?  Am I missing something?

The history of your coins is your "street address". Anyone who knows any of your addresses can see all past and future transactions for coins gotten with that address, even if those coins are (or have been) transferred to different addresses.

You're safe if none of your addresses are used to receive coins from people who know who you are and you never send coins to people who know who you are.


Title: Re: Anonymity
Post by: ichi on August 18, 2010, 03:20:16 AM
Quote
You're safe if none of your addresses are used to receive coins from people who know who you are and you never send coins to people who know who you are.
Good.  Thank you.  I was never intending to do either.  I'm intending to use Bitcoin only where anonymity is one of the goals.


Title: Re: Anonymity
Post by: RHorning on August 18, 2010, 04:58:55 PM
Quote
You're safe if none of your addresses are used to receive coins from people who know who you are and you never send coins to people who know who you are.
Good.  Thank you.  I was never intending to do either.  I'm intending to use Bitcoin only where anonymity is one of the goals.

I'm sort of the opposite.  I don't really need or depend upon the anonymity aspect of Bitcoins, but the fact that it is there is something that I don't mind and can serve a useful purpose from time to time.  There is value in Bitcoins for me even if anonymity were completely compromised, and would be fine with identity being merely difficult to trace rather than impossible.  I also know that isn't necessarily the attitude of everybody, and on the whole if there is something that can improve the identity security of users of this software, I'm completely supportive of the idea.

Put me mostly in the pragmatic camp here if it can be said.


Title: Re: Anonymity
Post by: MoonShadow on August 18, 2010, 06:18:36 PM
Quote
You're safe if none of your addresses are used to receive coins from people who know who you are and you never send coins to people who know who you are.
Good.  Thank you.  I was never intending to do either.  I'm intending to use Bitcoin only where anonymity is one of the goals.

I'm sort of the opposite.  I don't really need or depend upon the anonymity aspect of Bitcoins, but the fact that it is there is something that I don't mind and can serve a useful purpose from time to time.  There is value in Bitcoins for me even if anonymity were completely compromised, and would be fine with identity being merely difficult to trace rather than impossible.  I also know that isn't necessarily the attitude of everybody, and on the whole if there is something that can improve the identity security of users of this software, I'm completely supportive of the idea.

Put me mostly in the pragmatic camp here if it can be said.



I suppose that I am in your pragmatic camp as well, as I do not really require the anonymity of bitcoins, yet I can also see the value to others (and therefore to myself).


Title: Re: Anonymity
Post by: EconomyBuilder on August 21, 2010, 08:56:19 AM
Quote
"You're safe if none of your addresses are used to receive coins from people who know who you are and you never send coins to people who know who you are."

(1) How am I supposed to know who "knows" me and who doesn't?   Strangers to me often have all sorts of information about me in their databases, even if I have never heard of them before.

(2) A sufficiently unique and detailed set of transactions can be sufficient to uniquely identify you, like a fingerprint.

Any anonymity in this system is very weak and won't withstand any vigorous investigation effort by competent technical investigators.  It bears no resemblance to the strong anonymity available with, for example, David Chaum's digital cash and various relatives of that blind-signature scheme.     It is in no sense secure in the same kind of way the hash chain or other cryptographic properties of the system are secure.   Of course the Chaumian ecash systems don't have the decentralized trust in terms of transaction clearing that this system has.   So there's your tradeoff, better currency security but no strong anonymity.   It's probably reasonable to give up anonymity for better currency security if one has to make that tradeoff, but let's not throw around the description "anonymous" as if Bitcoin securely has that property, it does not.

Now somebody could develop a system to issue securely anonymous digital bank notes, and use bitcoins as the reserve currency for the issuing bank(s), thus achieving both strong anonymity and currency security greater than fiat or government-currency-backed anonymous cash.   One could audit the bank reserves by looking at its publicly signed bitcoin chains (taking advantage of the *lack* of anonymity in Bitcoin).   This strikes me as a pretty nice combination, but it would require some additional software and services currently lacking.


Title: Re: Anonymity
Post by: ichi on August 21, 2010, 09:36:26 AM
@EconomyBuilder

No offense, and are you sure about that?  Even from a nontechnical perspective, having a fully-public transaction history is troubling, to say the least.

Although every $20 bill that I've used has my DNA on it (except perhaps for the ones I've digested with hog pancreatic DNase) and every $20 bill has cocaine on it, there's arguably no persuasive evidence that I'm using cocaine.  Right?  Couldn't Bitcoins be randomized just as $20 bills are?  For example, could something like this scheme (http://bitcointalk.org/index.php?topic=624.msg6799#msg6799) provide anonymity?


Title: Re: Anonymity
Post by: theymos on August 21, 2010, 10:11:11 AM
When I say that someone doesn't know who you are, I mean that you're talking to them through Tor with a disposable identity and not giving them any information about yourself. They have to defeat Tor in order to identify you.

An incredibly powerful attacker might be able to group addresses that ordinarily couldn't be grouped, but they don't gain anything from this when all of your addresses were used safely. Even if an attacker can find every address in your wallet and they can talk to all of the people you transacted with using those addresses, they can't identify you because you were talking to all of these people through Tor.

This is an unusual case. I doubt ichi is actually doing this. Most people will need to acquire Bitcoins non-anonymously, put them into a separate balance, mix them (as I've described in this thread), and then send them to people who they deal with through Tor.


Title: Re: Anonymity
Post by: Insti on August 21, 2010, 10:30:09 AM
Quote
No offense, and are you sure about that?  Even from a nontechnical perspective, having a fully-public transaction history is troubling, to say the least.

The full transaction history of every transaction everybody makes is available. (If that is what you were questioning.)
What do you think is in the block chain?
The Anonymity comes from not knowing who 'owns' a particular Bitcoin Address.


Title: Re: Anonymity
Post by: ichi on August 21, 2010, 10:36:45 AM
Quote
No offense, and are you sure about that?  Even from a nontechnical perspective, having a fully-public transaction history is troubling, to say the least.

The full transaction history of every transaction everybody makes is available. (If that is what you were questioning.)
What do you think is in the block chain?
The Anonymity comes from not knowing who 'owns' a particular Bitcoin Address.
Well, I was feeling OK about that, until EconomyBuilder's post  :-\


Title: Re: Anonymity
Post by: em3rgentOrdr on September 14, 2010, 11:51:16 PM
I haven't read this entire thread, but if we are concerned about the directed graph of transactions (represented by the block chain) being visible for a long time, then what about using self-destructing data for the block chains that will expire and erase themselves after a specified time (such as a couple hours) or after a certain number of nodes have confirmed the transaction?  For example, I stumbled upon this scheme called Vanish - Self-destructing digital data (http://vanish.cs.washington.edu) which uses on-line distributed hash tables to store and gradually degrade the encrypted data and key over time?  So basically have older block chains automatically vanish after a certain time -that way transactions could be verified in the short time span, but would be destroyed in the long time span...thus preventing the authorities or whoever you are worried about from reconstructing the block-chain and use that directed graph to determine your identity. 

Anyway, I'm just brainstorming here, not giving any solutions ;), and I don't totally understand the internal workings of bitcoin either :(, but maybe someone out here in the forums is clever enough to figure out some scheme using self-destructing data to protect anonymity.


Title: Re: Anonymity
Post by: lfm on September 14, 2010, 11:59:58 PM
Quote
I haven't read this entire thread, but if we are concerned about the directed graph of transactions (represented by the block chain) being visible for a long time, then what about using self-destructing data for the block chains that will expire and erase themselves after a specified time (such as a couple hours) or after a certain number of nodes have confirmed the transaction?  For example, I stumbled upon this scheme called Vanish - Self-destructing digital data (http://vanish.cs.washington.edu) which uses on-line distributed hash tables to store and gradually degrade the encrypted data and key over time?  So basically have older block chains automatically vanish after a certain time -that way transactions could be verified in the short time span, but would be destroyed in the long time span...thus preventing the authorities or whoever you are worried about from reconstructing the block-chain and use that directed graph to determine your identity. 

Anyway, I'm just brainstorming here, not giving any solutions ;), and I don't totally understand the internal workings of bitcoin either :(, but maybe someone out here in the forums is clever enough to figure out some scheme using self-destructing data to protect anonymity.

Bitcoin is designed with the ability to forget old transactions as you describe, just it isn't implemented yet. It's only intended to save disk space and maybe some bandwidth though I believe.

It could help mask coin tracks from someone new to bitcoin but if they are monitoring the net they are not obligated to erase old transactions. They could build up historical records if they want.


Title: Re: Anonymity
Post by: The Madhatter on September 15, 2010, 02:00:19 PM
Hey all,

Something just occurred to me... using mybitcoin's new bitcoin payment forwarding couldn't someone just bounce their coins in and out of mybitcoin automatically and use it as a free bitlaundry-like service? Could you not rotate to+forwarding addresses to pull it off?

I should really spend more time looking at how the underlying database is structured in bitcoin. :P

Cheers! :D


Title: Re: Anonymity
Post by: gumtree on September 16, 2010, 07:48:37 AM
Added anonymity, but not recommended due to loss of transaction data vulnerability:

- If the Bitcoin block can be fractionalized amongst active nodes (nodes gracefully exiting the network to allow for data passing) with plenty of backup data overlapping amongst the nodes - but no one node knows the full block chain, it will also increase anonymity.  But this may cause vulnerability in the system database in case of node failure - this route is not recommended.  If a majority of nodes in one geographic location holds the only copy of a particular section of the database, and that geographic area suffers a catastrophe, it might wipe out some/all Bitcoin wealth completely.


Title: Re: Anonymity
Post by: fellowtraveler on September 17, 2010, 05:30:11 AM
Whatever mechanism is chosen, it had better not significantly slow down the network or client unless strong anonymity is required/requested.

I've tried I2P and Tor, and, for me, super-strong privacy isn't worth the performance cost.

This is such a good point. People want the anonymity to trade files but they don't want to pay the performance costs of anonymous networks. The problem is in implementing a trust system based on anonymous peers, when there is no anonymous way to pay for resources.

This is the main reason why I wrote Open Transactions: because providing an untraceable form of cash makes it possible to solve issues of resource allocation on anonymous networks.  If download requests are accompanied by digital postage, college kids will start leaving their computers on all day to collect that postage while anonymous downloads occur through their computing resources. Then when they get home from class, the digital postage that has accrued covers the cost of their own downloads. Effectively, people won't have to contribute cash at all, as long as they are contributing computing resources.

Then anonymous networks can run fast. As a bonus, people can also send each other anonymous digital cash payments on these networks -- and information markets and prediction markets can start popping up.

Bitcoins are difficult to counterfeit because they require "work" aka "computing resources" in order to produce them. SURELY THESE SORTS OF COMPUTING RESOURCES that I have described above, which provide real value to people in the form of fast, anonymous downloads, have some real and measurable monetary value as well? Not only do they require computers to work, but they also provide real value to people on a market where other things are traded.
 


Title: Re: Anonymity
Post by: em3rgentOrdr on September 17, 2010, 05:44:54 AM
Bitcoin is designed with the ability to forget old transactions as you describe, just it isn't implemented yet. It's only intended to save disk space and maybe some bandwidth though I believe.

aha...ok.  thanks for the info

It could help mask coin tracks from someone new to bitcoin but if they are monitoring the net they are not obligated to erase old transactions. They could build up historical records if they want.

hmm...yeah, I suppose so.  They are probably building up the historical record already. :(

Added anonymity, but not recommended due to loss of transaction data vulnerability:

- If the Bitcoin block can be fractionalized amongst active nodes (nodes gracefully exiting the network to allow for data passing) with plenty of backup data overlapping amongst the nodes - but no one node knows the full block chain, it will also increase anonymity.  But this may cause vulnerability in the system database in case of node failure - this route is not recommended.  If a majority of nodes in one geographic location holds the only copy of a particular section of the database, and that geographic area suffers a catastrophe, it might wipe out some/all Bitcoin wealth completely.

hmm...good point.

Whatever mechanism is chosen, it had better not significantly slow down the network or client unless strong anonymity is required/requested.

I've tried I2P and Tor, and, for me, super-strong privacy isn't worth the performance cost.

This is such a good point. People want the anonymity to trade files but they don't want to pay the performance costs of anonymous networks. The problem is in implementing a trust system based on anonymous peers, when there is no anonymous way to pay for resources.

This is the main reason why I wrote Open Transactions: because providing an untraceable form of cash makes it possible to solve issues of resource allocation on anonymous networks.  If download requests are accompanied by digital postage, college kids will start leaving their computers on all day to collect that postage while anonymous downloads occur through their computing resources. Then when they get home from class, the digital postage that has accrued covers the cost of their own downloads. Effectively, people won't have to contribute cash at all, as long as they are contributing computing resources.

Then anonymous networks can run fast. As a bonus, people can also send each other anonymous digital cash payments on these networks -- and information markets and prediction markets can start popping up.

Bitcoins are difficult to counterfeit because they require "work" aka "computing resources" in order to produce them. SURELY THESE SORTS OF COMPUTING RESOURCES that I have described above, which provide real value to people in the form of fast, anonymous downloads, have some real and measurable monetary value as well? Not only do they require computers to work, but they also provide real value to people on a market where other things are traded.
 

Are you saying that market will develop with OpenTransactions whereby people use bandwidth/cpu resources as currency?  But basically OpenTransactions isn't backed by anything?  It is just that they will allow people to anonymously trade, and will thus produce a commodity of bandwidth/cpu resources?  (I'm not terribly familiar with OpenTransactions)


Title: Re: Anonymity
Post by: fellowtraveler on December 26, 2010, 11:24:07 PM
Are you saying that market will develop with OpenTransactions whereby people use bandwidth/cpu resources as currency?  But basically OpenTransactions isn't backed by anything?  It is just that they will allow people to anonymously trade, and will thus produce a commodity of bandwidth/cpu resources?  (I'm not terribly familiar with OpenTransactions)

Open Transactions is software that allows anyone to connect and issue currencies (just like Loom, if you're familiar with that) and then transact in them untraceably.  So there could be a bitcoin-backed currency, an e-gold-backed currency, a goldmoney-backed currency, a fiat-backed currency, and a hundred others.

My point above was that using untraceable money, it becomes possible to pay for resources on anonymous networks, which would therefore solve issues of resource allocation on anonymous networks.  And since the digital cash, in that case, is being used to pay for resources on anonymous networks, that means it could also be redeemed for those resources as well. Thus, a digital cash backed in Bitcoin would have value beyond just the "proof of work" that went into creating the Bitcoins, but would also have the value of paying for filesharing resources on anonymous networks.

In fact, the three pieces fix each other's weaknesses...

Bitcoin is fully-distributed but not untraceable.
Open Transactions is untraceable but requires a server.
Anonymous networks allow you to run a server but they run too slowly...
Open Transactions would solve issues of resource allocation on those networks, but requires an issuer somewhere to store the gold...
Unless you back it with Bitcoin, in which case there is no backing storage needed since that becomes fully-distributed.


Title: Re: Anonymity
Post by: em3rgentOrdr on December 27, 2010, 05:01:36 AM
Are you saying that market will develop with OpenTransactions whereby people use bandwidth/cpu resources as currency?  But basically OpenTransactions isn't backed by anything?  It is just that they will allow people to anonymously trade, and will thus produce a commodity of bandwidth/cpu resources?  (I'm not terribly familiar with OpenTransactions)

Open Transactions is software that allows anyone to connect and issue currencies (just like Loom, if you're familiar with that) and then transact in them untraceably.  So there could be a bitcoin-backed currency, an e-gold-backed currency, a goldmoney-backed currency, a fiat-backed currency, and a hundred others.

My point above was that using untraceable money, it becomes possible to pay for resources on anonymous networks, which would therefore solve issues of resource allocation on anonymous networks.  And since the digital cash, in that case, is being used to pay for resources on anonymous networks, that means it could also be redeemed for those resources as well. Thus, a digital cash backed in Bitcoin would have value beyond just the "proof of work" that went into creating the Bitcoins, but would also have the value of paying for filesharing resources on anonymous networks.

In fact, the three pieces fix each other's weaknesses...

Bitcoin is fully-distributed but not untraceable.
Open Transactions is untraceable but requires a server.
Anonymous networks allow you to run a server but they run too slowly...
Open Transactions would solve issues of resource allocation on those networks, but requires an issuer somewhere to store the gold...
Unless you back it with Bitcoin, in which case there is no backing storage needed since that becomes fully-distributed.


Excellent!  Basically bitcoin and open transactions are complementary means of exchange. 

Do you have any good recommendations about relatively cheap and high-bandwidth VPS or other server that I could purchase anonymously with Loom or Open Transactions?  Unfortunately, I'm not terribly impressed with the price/GB for the VPS servers listed in the bitcoin trade (and again am a wee bit concerned about the potential traceability of bitcoin by a clever adversary), but maybe there are other servers that could be purchased with Loom or Open Transactions instead.

This is sort of like Rock-Paper-Scissors, or one of those RPGs where you have Water weak against Lightning, Fire and Ice weak against each other, Black Mages with high MP but low HP, Warriors with high HP but no magic, White Mages with poor attack but can restore HP, etc. (you get the picture).  But then you get to put together your team which combines their special powers and is able to defeat any enemy/boss!  :)  Sorry for the lame analogy.   :D


Title: Re: Anonymity
Post by: ben-abuya on December 27, 2010, 10:50:05 PM
My understanding of this stuff is still pretty precursory, but I think adding Ripple to the mix could be a game changer: enabling small, local transactions without the need to exchange fiat currencies. This is huge, because getting bitcoins or digital gold is currently infeasible for small transactions, whereas with Ripple, you're in the game out of the box. All you need is a friend on Facebook. This is exactly the kind of convenience that can kickstart a revolution.


Title: Re: Anonymity
Post by: fellowtraveler on December 28, 2010, 07:55:03 AM
My understanding of this stuff is still pretty precursory, but I think adding Ripple to the mix could be a game changer: enabling small, local transactions without the need to exchange fiat currencies. This is huge, because getting bitcoins or digital gold is currently infeasible for small transactions, whereas with Ripple, you're in the game out of the box. All you need is a friend on Facebook. This is exactly the kind of convenience that can kickstart a revolution.

I'm a big fan of Ripple actually, and I would love to see it built into the first real OT client.

Ripple also eliminates any need for "server-to-server" transfer, since all such transfers would be p2p instead of centralized.

Along the same lines we've been discussing, I would also love to see such software integrated into the next generation of anonymous networks. 


Title: Re: Anonymity
Post by: on January 27, 2011, 12:44:59 AM
Quote
The second way is for an external service to take the coins of many different people, mix them up, and send similar amounts back to those peoples' addresses. If the mixer keeps no logs of who gets which coins, any investigation must stop here.

I set up bitcoin just yesterday. But had been thinking about it for a while. Particularly I had an issue with each coin containing its own transaction history.
I was thinking about anonymous payment gateways, and came up with the idea of having external services that can forward payments for you. So, Aleph wants to pay Bravo some coin, but doesn't want Bravo to know where the money is coming from, and doesn't want Gerry (the government) to know where the money is coming from, or going. So, Aleph sends the money to Cent (external server). Cent has received money from various other users in the past, and so has a stack of coins from various people. Cent randomly selects from these coins the appropriate number and forwards these on to Bravo. Cent never keeps logs, and so has no record of who sent money to Cent, or where Cent subsequently sent that money to.

Anonymous payment gateway.

Now, to my thinking, the most trusted of these would be the ones that were run by community groups such as EFF, or on darknets, or similar. But, there is nothing to say that commercial operations could exist that would take a percentage, or a slice of every payment.

My first post, I don't think I repeated what anyone else has said.


Title: Re: Anonymity
Post by: FreeMoney on January 27, 2011, 12:53:39 AM
Quote
The second way is for an external service to take the coins of many different people, mix them up, and send similar amounts back to those peoples' addresses. If the mixer keeps no logs of who gets which coins, any investigation must stop here.

I set up bitcoin just yesterday. But had been thinking about it for a while. Particularly I had an issue with each coin containing its own transaction history.
I was thinking about anonymous payment gateways, and came up with the idea of having external services that can forward payments for you. So, Aleph wants to pay Bravo some coin, but doesn't want Bravo to know where the money is coming from, and doesn't want Gerry (the government) to know where the money is coming from, or going. So, Aleph sends the money to Cent (external server). Cent has received money from various other users in the past, and so has a stack of coins from various people. Cent randomly selects from these coins the appropriate number and forwards these on to Bravo. Cent never keeps logs, and so has no record of who sent money to Cent, or where Cent subsequently sent that money to.

Anonymous payment gateway.

Now, to my thinking, the most trusted of these would be the ones that were run by community groups such as EFF, or on darknets, or similar. But, there is nothing to say that commercial operations could exist that would take a percentage, or a slice of every payment.

My first post, I don't think I repeated what anyone else has said.

I think a safe way would be to go through 7 or so sites, there are already gambling accounts in addition to all the exchanges in the future, ATITD, etc. Even if 6 of them kept records and were coerced into telling it would be useless. There could even be a service that did that for you and you could use 2 of them or more. This still doesn't save you from the merchant tattling on you if he needs info about you to serve you.


Title: Re: Anonymity
Post by: on January 27, 2011, 01:16:40 AM
Yes indeed.

Anyway, as I kept browsing the forums, I came across the BitLaundry, which looks like what I described!
* http://bitcointalk.org/index.php?topic=963.0
* https://bitlaundry.appspot.com/


Title: Re: Anonymity
Post by: theymos on January 27, 2011, 02:37:43 AM
Anyway, as I kept browsing the forums, I came across the BitLaundry, which looks like what I described!

Since BitLaundry has so few users, you'll probably get your own coins back, which is pointless. You might as well just send the coins to yourself at a new address. Your best bet is to use a large site like MyBitcoin or MtGox.


Title: Re: Anonymity
Post by: on January 27, 2011, 08:29:15 AM
At the moment there are few people using the service. But then again, there are so few people using Bitcoin as well. The point is, that as/if bitcoin takes off, there already exists an anonymous payment gateway. And there is nothing stopping more from springing up. The trouble with the two services you mention, is, I believe, that they keep logs, and are not explicitly designed to "launder" bitcoins (as it were).

I am writing a short SF story which involves digital nomads and digital currency. Considering no one has, so far, come up with anonymous digital cash of the sort that can be transferred between individuals without an intermediary, bitcoins with a decentralised net of anonymous payment gateways is the next best thing that I can find.

Sure there are plenty of anonymous payment systems, but as far as I can tell, they require an intermediary server which is generally controlled by one actor (as, indeed, is the entire payment system).

My reading of Wikipedia suggests that http://en.wikipedia.org/wiki/Blind_signature might be relevant, but I'm not a mathematician (or a doctor).


Title: Re: Anonymity
Post by: theymos on January 27, 2011, 01:06:13 PM
The trouble with the two services you mention, is, I believe, that they keep logs, and are not explicitly designed to "launder" bitcoins (as it were).

BitLaundry also keeps logs because Bitcoin permanently saves every transaction you make to wallet.dat. You'd have to modify Bitcoin to truly keep no logs.


Title: Re: Anonymity
Post by: caveden on January 27, 2011, 03:03:16 PM
In what way would the wallet.dat logs be any different from what you find on the public chain already?
I don't think that's the kind of log he worries about... logs linking the input with the output that would be the problem... the wallet.dat wouldn't have such logs since bitcoind itself wouldn't have such info.


Title: Re: Anonymity
Post by: theymos on January 27, 2011, 07:06:12 PM
In what way would the wallet.dat logs be any different from what you find on the public chain already?
I don't think that's the kind of log he worries about... logs linking the input with the output that would be the problem... the wallet.dat wouldn't have such logs since bitcoind itself wouldn't have such info.

The attacker would be able to see which transactions went through the mix service. With the dates and amounts of each transaction, an attacker may be able to reconstruct input<->output links (especially with small services like BitLaundry), even though the exact information is not included in wallet.dat. Without the wallet an investigation would not be able to recover this information.

Probably mixing services will not be raided often, so proper mixing is much more important than logging.
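The date-and-amount correlation described in the post above can be measured from publicly visible data alone. The Python below is an added example, not part of the original thread or of any service's code; it assumes each deposit is paid out as one withdrawal of the same amount, and every label, hour and amount is constructed.

```python
# Added illustration. Records are (label, hour, amount in hundredths of a BTC).
# All values are constructed; none come from a real service or chain.

FEW_USERS = {      # two customers, distinct amounts
    "deposits": [("aleph", 1, 2500), ("bravo", 30, 700)],
    "withdrawals": [("w1", 3, 2500), ("w2", 33, 700)],
}
STAGGERED = {      # equal amounts, but the timing still separates them
    "deposits": [("aleph", 1, 1000), ("bravo", 5, 1000)],
    "withdrawals": [("w1", 4, 1000), ("w2", 8, 1000)],
}
MANY_USERS = {     # equal amounts, overlapping in time
    "deposits": [("aleph", 1, 1000), ("bravo", 1, 1000),
                 ("carol", 2, 1000), ("dave", 2, 1000)],
    "withdrawals": [("w1", 3, 1000), ("w2", 4, 1000),
                    ("w3", 4, 1000), ("w4", 5, 1000)],
}


def candidate_links(deposits, withdrawals, max_delay_h=12, fee=0):
    """Map each deposit to the withdrawals that could be its payout.

    A withdrawal is a candidate when it happens after the deposit, within
    max_delay_h hours, and pays exactly the deposited amount minus the fee.
    """
    links = {}
    for name, t_in, amount_in in deposits:
        links[name] = {
            out for out, t_out, amount_out in withdrawals
            if 0 < t_out - t_in <= max_delay_h and amount_out == amount_in - fee
        }
    return links


def eliminate(links):
    """Shrink candidate sets: a payout already pinned to one deposit
    cannot also belong to another deposit."""
    links = {name: set(cands) for name, cands in links.items()}
    changed = True
    while changed:
        changed = False
        for name, cands in links.items():
            if len(cands) != 1:
                continue
            (only,) = cands
            for other, other_cands in links.items():
                if other != name and only in other_cands:
                    other_cands.discard(only)
                    changed = True
    return links


def anonymity_sets(observed, **kwargs):
    """Return, per deposit, the sorted list of payouts it could still match."""
    resolved = eliminate(candidate_links(observed["deposits"],
                                         observed["withdrawals"], **kwargs))
    return {name: sorted(cands) for name, cands in resolved.items()}


if __name__ == "__main__":
    for label, data in (("few users", FEW_USERS), ("staggered", STAGGERED),
                        ("many users", MANY_USERS)):
        print(label, anonymity_sets(data))
```

A set of size one means the input and output are linked without any access to the service's wallet or logs; only the busy case with uniform amounts leaves an observer guessing among four payouts.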


Title: Re: Anonymity
Post by: FreeMoney on January 28, 2011, 12:10:29 AM
The trouble with the two services you mention, is, I believe, that they keep logs, and are not explicitly designed to "launder" bitcoins (as it were).

BitLaundry also keeps logs because Bitcoin permanently saves every transaction you make to wallet.dat. You'd have to modify Bitcoin to truly keep no logs.

Do you really have to modify Bitcoin? Isn't it enough to send all coins to a separate wallet, delete original wallet, make empty wallet, send all coins back to blank wallet.

Obviously you'll want to automate. Do it every 6 hours or something.


Title: Re: Anonymity
Post by: Gavin Andresen on January 28, 2011, 12:36:12 AM
Do you really have to modify Bitcoin? Isn't it enough to send all coins to a separate wallet, delete original wallet, make empty wallet, send all coins back to blank wallet.

Obviously you'll want to automate. Do it every 6 hours or something.

That would make an odd transaction pattern-- e.g. if you started with 11 bitcoins in your wallet, you'd generate a chain of transactions that was:

A paid B 11 bitcoins
B paid C 11 bitcoins
C paid D 11 bitcoins
 ... etc, every 6 hours.  That makes it obvious what you're doing (a series of exactly-11-bitcoin transactions would be extremely unlikely).

Ideally, you want the graph of transactions involving your coins to be indistinguishable from a random sub-graph of the entire bitcoin transaction graph.  Creating lots of wallets won't help you do that; you need to mix your coins with other people's, so the mixing looks the same as just ordinary "X paid Y" transactions.
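Added example (not part of the original thread): a Python check showing how the fixed-amount, fixed-interval chain from the post above stands out against ordinary payments. The ledger, the address labels and the `find_passthrough_chains` helper are constructed for illustration.

```python
from collections import defaultdict

BTC = 100_000_000  # base units per coin, so amounts compare exactly

# Constructed ledger, not real chain data: (sender, receiver, amount, hour).
LEDGER = [
    ("A", "B", 11 * BTC, 0),
    ("B", "C", 11 * BTC, 6),
    ("C", "D", 11 * BTC, 12),
    ("D", "E", 11 * BTC, 18),
    # Ordinary-looking traffic: amounts are split or change between hops.
    ("M", "N", 5 * BTC, 1),
    ("N", "P", 3 * BTC, 9),
    ("N", "Q", 2 * BTC, 9),
    ("X", "Y", 20 * BTC, 2),
    ("Y", "Z", 7 * BTC, 30),
]


def find_passthrough_chains(ledger, min_hops=3):
    """Find runs of addresses that receive one payment and forward the
    identical amount in one payment, e.g. A -> B -> C -> D."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for tx in ledger:
        outgoing[tx[0]].append(tx)
        incoming[tx[1]].append(tx)

    def is_passthrough(addr):
        ins, outs = incoming.get(addr, []), outgoing.get(addr, [])
        return (len(ins) == 1 and len(outs) == 1
                and ins[0][2] == outs[0][2]      # same amount in and out
                and ins[0][3] <= outs[0][3])     # spent after it arrived

    chains = []
    for sender, receiver, amount, hour in ledger:
        # Start only at the head of a chain: the sender is not itself a
        # pass-through address, but the receiver is.
        if is_passthrough(sender) or not is_passthrough(receiver):
            continue
        path, hours = [sender, receiver], [hour]
        # A pass-through address has exactly one input, so this walk
        # cannot loop back onto an address already in the path.
        while is_passthrough(path[-1]):
            nxt = outgoing[path[-1]][0]
            path.append(nxt[1])
            hours.append(nxt[3])
        hops = len(path) - 1
        if hops >= min_hops:
            gaps = [later - earlier for earlier, later in zip(hours, hours[1:])]
            chains.append({
                "path": path,
                "amount": amount,
                "hops": hops,
                "gaps_h": gaps,
                "regular": len(set(gaps)) == 1,  # identical spacing
            })
    return chains


if __name__ == "__main__":
    for chain in find_passthrough_chains(LEDGER):
        print(" -> ".join(chain["path"]), chain["amount"] // BTC, "BTC",
              "gaps", chain["gaps_h"], "regular" if chain["regular"] else "")
```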



Title: Re: Anonymity
Post by: FreeMoney on January 28, 2011, 12:48:12 AM
Do you really have to modify Bitcoin? Isn't it enough to send all coins to a separate wallet, delete original wallet, make empty wallet, send all coins back to blank wallet.

Obviously you'll want to automate. Do it every 6 hours or something.

That would make an odd transaction pattern-- e.g. if you started with 11 bitcoins in your wallet, you'd generate a chain of transactions that was:

A paid B 11 bitcoins
B paid C 11 bitcoins
C paid D 11 bitcoins
 ... etc, every 6 hours.  That makes it obvious what you're doing (a series of exactly-11-bitcoin transactions would be extremely unlikely).

Ideally, you want the graph of transactions involving your coins to be indistinguishable from a random sub-graph of the entire bitcoin transaction graph.  Creating lots of wallets won't help you do that; you need to mix your coins with other people's, so the mixing looks the same as just ordinary "X paid Y" transactions.


I only meant that as an additional step to eliminate the log aspect of wallet so that you could be safe even if someone later got a wallet file of your mix service. Would doing this in addition to the mixing already discussed reduce anonymity? You could arrange your mixing to periodically empty a wallet without sending all of the coins to one other wallet and delete the empty wallets. The period doesn't have to be strictly fixed either.


Title: Re: Anonymity
Post by: theymos on January 28, 2011, 02:06:04 AM
Do you really have to modify Bitcoin? Isn't it enough to send all coins to a separate wallet, delete original wallet, make empty wallet, send all coins back to blank wallet.

That would work, though it does give away more information to an attacker. I actually mentioned that in the original BitLaundry thread:

At the end of that article I described a somewhat easy-to-implement "Bitcoin laundering" service:
Quote
- Set up two Bitcoin installations.
- Put some amount of BTC in installation B. This is the maximum amount of BTC you can deal with at once (for all customers).
- Customers send BTC to installation A. You send them an equal number of coins (or minus a fee) from installation B. Send as 10-50 BTC increments.
- Send all coins from A to B when all orders are satisfied. You can't send coins from A to B if you have any orders that have not been satisfied from B.
- This can be automated, or you can do everything manually.

This still keeps logs (unavoidable without modifying Bitcoin), but it ensures that you never get back your own coins.

The log situation can be helped by periodically moving your bitcoins and deleting the empty wallet.dat file (this deletes all of your receiving addresses, so be careful).

(A self-quote within a self-quote! :D )


Title: Re: Anonymity
Post by: FreeMoney on January 28, 2011, 02:09:09 AM
Ah, sometimes I wonder if every idea I've ever had is just me forgetting that I've heard it somewhere before. I'll read a book, learn something, think of it 2 years later not remembering the source, read the source again - DOH there it is.


Title: Re: Anonymity
Post by: zipslack on January 28, 2011, 10:28:25 PM
I feel an irresistible need to post a link to this thread which I started last week: http://bitcointalk.org/index.php?topic=2893.0

I'm starting to think about implementation now. Given Bitcoin and anonymizing communications networks I am of the opinion that anonymous transactions are within our grasp.


Title: Re: Anonymity
Post by: marcus_of_augustus on February 11, 2011, 12:42:02 PM

So David Chaum's Digicash http://en.wikipedia.org/wiki/DigiCash and blind signature  http://en.wikipedia.org/wiki/Blind_signature techniques have been mentioned further back in the thread already.

I don't think it has been made clear why you could not (or would not) incorporate the blind signature technology into Bitcoin.

Did I miss something here?


Title: Re: Anonymity
Post by: Mike Hearn on February 11, 2011, 02:26:01 PM
What exactly would you blind sign?

The Chaum system assumed a central authority. It was big on privacy but low on decentralization. I don't see any obvious ways to use blind signing in BitCoin to improve privacy, but maybe somebody else does.


Title: Re: Anonymity
Post by: marcus_of_augustus on February 11, 2011, 03:14:36 PM
Quote
It was big on privacy but low on decentralization.

I don't see how the two are mutually exclusive as you seem to be implying and someone was saying further back up.

Are you saying there is logical reason that if you decentralize you preclude privacy? Couldn't the central authority in Chaum's scheme be replaced with the network itself?


Title: Re: Anonymity
Post by: Nefario on February 11, 2011, 03:16:49 PM
Not bad.

As far as anonymous internet connections go, prepaid phones aren't a bad choice either.  They're cheap, nearly impossible to tie to the user, and can be destroyed when finished.  Again, they can be bought in densely crowded shopping malls or walmarts.

Don't forget to use an anonymous method to pay for the VPS foreverdamaged.  Perhaps a prepaid credit card also bought from a crowded location would do the trick.

By the way, I like to imagine that this user is in China and is trying to buy a book about freedom ;)

Just to let you know, you can't buy a mobile phone sim card in China without your national I.D. so all phone numbers, even mobiles are tied to identity.


Title: Re: Anonymity
Post by: ribuck on February 11, 2011, 03:26:46 PM
Just to let you know, you can't buy a mobile phone sim card in China without your national I.D. so all phone numbers, even mobiles are tied to identity.
It's the same in Australia, South Africa, Spain, and many other countries, and going that way in the UK soon too.

Bring on Mesh Networking! No SIM needed.


Title: Re: Anonymity
Post by: Nefario on February 11, 2011, 03:57:01 PM
Just to let you know, you can't buy a mobile phone sim card in China without your national I.D. so all phone numbers, even mobiles are tied to identity.
It's the same in Australia, South Africa, Spain, and many other countries, and going that way in the UK soon too.

Bring on Mesh Networking! No SIM needed.

have fun carrying your router in your pocket  :P


Title: Re: Anonymity
Post by: ribuck on February 11, 2011, 05:07:00 PM
have fun carrying your router in your pocket  :P
My N900 phone has a full Linux stack, so no problem.

Actually, there is a problem. Today Nokia announced that they're abandoning open source for Windows Mobile 7.


Title: Re: Anonymity
Post by: ShadowOfHarbringer on February 11, 2011, 06:42:38 PM
Actually, there is a problem. Today Nokia announced that they're abandoning open source for Windows Mobile 7.

Really ? WOW, what a misfire...

WM7 will soon be a dying platform, before it even took off...

Open Source RLZ, apparently


Title: Re: Anonymity
Post by: ribuck on February 11, 2011, 10:58:23 PM
Really ? WOW, what a misfire...
Yep, really. Two former giants battling to see who can make themselves irrelevant fastest.

A damn shame about Nokia. Nokia's N900 phone is a real Linux box with unrestricted root access, an X Terminal "out of the box", and even a control key on the keyboard. And it runs bitcoind very nicely. They apparently have one more Linux phone in the pipeline, then that's the end.


Title: Re: Anonymity
Post by: Anonymous on February 12, 2011, 11:38:37 PM
Maybe we need to make our own phone.   :)


Title: Re: Anonymity
Post by: gohan on February 13, 2011, 11:15:37 PM
Couldn't the central authority in Chaum's scheme be replaced with the network itself?

I was toying with the same idea just before I read your post, but couldn't figure out a robust way to replace the need for a secret, which seems to be the sole reason for a trusted authority. I'm just speculating, but, the first thing that springs to mind is to require blind signatures of (and verification by) a certain number of nodes, but this is very weak compared to the very idea that makes bitcoin great. It could be used to create a decentralized banking authority, which might not be a bad way to create a complementary anonymous/untraceable currency indexed to bitcoin, but not an extension to the bitcoin network, IMHO. Has there been any research about this?


Title: Re: Anonymity
Post by: marcus_of_augustus on February 14, 2011, 02:52:27 AM

If David Chaum would work for bitcoins maybe we could entice him or one of the Digicashers to figure out the details of a blind signing scheme for the transactions?
If implementable as a separate layer, it could even be an option in the client, "Anonymous" or "Identified" transaction.

I figure the early adopters generating that first year when difficulty was at 1 are sitting on some BTC 1.5 million, (tongue firmly in cheek), it would greatly increase BTC value if they could be guaranteed anonymous transactions.

If not, I'm thinking the next bitcoin clone, fork, child, etc will have blind signing transactions or a subnet dealing in a crypto-currency indexed to BTC as you say.


Title: Re: Anonymity
Post by: grondilu on February 14, 2011, 03:00:20 AM

Well, maybe Nokia abandoning open source will revive the openmoko initiative.


Title: Re: Anonymity
Post by: marcus_of_augustus on February 14, 2011, 03:05:33 AM

Which part of the topic says, "let's discuss smartphones here" to you guys exactly?


Title: Re: Anonymity
Post by: marcus_of_augustus on February 14, 2011, 04:07:17 AM

Here's the original '82 paper of Chaum's on blind signing.

Here, the elector, carbon-ink envelope analogy is described differently by Chaum than that in general circulation, i.e. on wikipedia, which misses the nested envelope part of the scheme.

There is an outer envelope layer that is return addressed and inside that is the carbon-inked envelope that contains the voting paper that can then be 'blind signed' by the trustee and returned anonymously to the voter in a new envelope ...

http://www.hit.bme.hu/~buttyan/courses/BMEVIHIM219/2009/Chaum.BlindSigForPayment.1982.PDF

Although, still difficult to see the logic of how it could be implemented on a bitcoin P2P transaction let alone the crypto-mechanics of it ...
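For readers following the blind-signature discussion, this is an added Python example, not code from the thread, from Chaum's paper or from Open Transactions. It uses textbook RSA blinding with a toy key (constructed, unpadded and far too small for real use); the `Mint` class and the function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Toy signer key built from two Mersenne primes so the example is reproducible.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # signer's private exponent


def digest(serial: bytes) -> int:
    """Token value that actually gets signed: hash of the serial, mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int):
    """Client side: hide m behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Signer side: an ordinary RSA private-key operation on an opaque value."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Client side: strip r, leaving a plain signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(serial)


class Mint:
    """Hypothetical signing authority that logs everything it is shown."""

    def __init__(self):
        self.withdrawal_log = []   # blinded values seen when signing
        self.spent = set()         # serials seen when tokens come back

    def withdraw(self, blinded: int) -> int:
        self.withdrawal_log.append(blinded)
        return sign_blinded(blinded)

    def deposit(self, serial: bytes, sig: int) -> bool:
        if serial in self.spent or not verify(serial, sig):
            return False           # double spend or forged token
        self.spent.add(serial)
        return True


def explaining_factor(blinded: int, m: int) -> int:
    """The r that would make token m produce this logged blinded value."""
    return pow(blinded * pow(m, -1, N) % N, D, N)


def demo():
    mint, tokens = Mint(), {}
    for owner in ("aleph", "bravo"):
        serial = secrets.token_bytes(16)
        blinded, r = blind(digest(serial))
        tokens[owner] = (serial, unblind(mint.withdraw(blinded), r))
    accepted = [mint.deposit(*tokens[owner]) for owner in tokens]
    replay = mint.deposit(*tokens["aleph"])
    # Every logged withdrawal is consistent with every token: even the signer,
    # using its private key, finds a valid r for each pairing, so its log
    # cannot say which withdrawal produced which token.
    ambiguous = all(
        digest(s) * pow(explaining_factor(b, digest(s)), E, N) % N == b
        for b in mint.withdrawal_log for s, _ in tokens.values())
    seen = any(digest(s) in mint.withdrawal_log for s, _ in tokens.values())
    return accepted, replay, ambiguous, seen


if __name__ == "__main__":
    print(demo())
```

The signer's secret exponent is what makes a token hard to forge, and the `spent` set is what stops double spending; both live with the signer, which is the centralisation the thread is debating.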


Title: Re: Anonymity
Post by: grondilu on February 14, 2011, 04:13:05 AM
Although, still difficult to see the logic of how it could be implemented on a bitcoin P2P transaction let alone the crypto-mechanics of it ...

I suspect it is possible.  But we need someone with a big brain, or someone who has enough time to think about it thoroughly.




Title: Re: Anonymity
Post by: marcus_of_augustus on February 14, 2011, 04:27:06 AM
Okay, in the second to last paragraph of Chaum's paper there is a small section "Elaborations"

He clearly states that it could be extended to a decentralised model where there are multiple clearing agents, i.e. signing authorities, so on that basis it can be done.

Seems wrong then to say that decentralisation precludes anonymity, red herring rule-of-thumb (rot).

I'll see if I can come up with a schema that fits easily into the bitcoin transaction model for comment. Would be based around the block-generating node blind signing the transactions in essence.



Title: Re: Anonymity
Post by: fellowtraveler on February 14, 2011, 05:59:57 AM
Quote
He clearly states that it could be extended to a decentralised model where there are multiple clearing agents, i.e. signing authorities, so on that basis it can be done.

Seems wrong then to say that decentralisation precludes anonymity, red herring rule-of-thumb (rot).

If you would like to play with an actual implementation of Chaumian blinding,
then I recommend you check out my digital cash library, Open Transactions:  
https://github.com/FellowTraveler/Open-Transactions/wiki

Some scoff at blinded digital cash, since it involves withdrawing cash from a "server" and that means "client/server" which means it's not fully p2p distributed and instead is a "centralized solution"--and therefore politically uncool.

Let's keep in mind that blinded tokens are what provide the untraceability. No "signing authority"? No untraceability.

Let's also keep in mind that, as Chaum said, it's possible to run MULTIPLE SERVERS. (The various diagrams for Open Transactions depict this.)

Open Transactions also makes it possible to distribute funds across multiple servers, and to distribute currencies across multiple issuers (through basket currencies.)

If anyone really has a problem with running a server somewhere, let's also keep in mind that I2P and Tor are specifically designed to allow "HIDDEN SERVERS" to exist within the network, untraceable in their actual location yet still processing services online. Presumably any future anonymous networks will also feature this important functionality. Thus, it can be said that any hidden service (including Open Transactions, for example) is made possible by the p2p, distributed nature of the anonymous network on which it runs.

The publicly-auditable nature of Bitcoin means that, by its very nature, it cannot be untraceable. Software such as Open Transactions must be employed as a layer above, in order to add the functionality of untraceable cash, as well as the ability to use other instruments like markets, payment plans, cashier's cheques, etc.

I find it interesting how blinded token software such as Open Transactions complements Bitcoin (providing an untraceable layer), while Bitcoin provides a publicly-auditable and fully-distributed backing for the currency. (A backing which, unlike gold, cannot be confiscated from some central storage location.)

In fact, combined with some next-generation anonymous network, all three pieces conveniently solve the problems of the others!

I'll explain:

Bitcoin is fully distributed and decentralized, but it's not anonymous or untraceable, and in fact it's publicly auditable.
Open Transactions provides untraceability and anonymity, but you have to have somewhere to store the gold.
Bitcoin solves the problem of storing the gold (through its distributed nature), but it has no intrinsic value (it's more similar to dollars than to gold, in the sense of intrinsic value, due to its fiat nature.)
An anonymous network can hide your web activities, including your Bitcoin messages to each other and your communications with an Open Transactions server. But unfortunately, there are problems of resource allocation on an anonymous network. (Because you normally can't pay for something anonymously...)
...Unless you have digital cash. Therefore Open Transactions can be used to solve problems of resource allocation on anonymous networks, meanwhile the anonymous network is what makes it possible to safely hide an Open Transactions server.
Furthermore, the anonymous network also provides REAL value to Bitcoin (besides just "proof of work") since now the Bitcoins are redeemable in network resources. Thus it solves the problem of intrinsic value in the Bitcoin.
No issuer can ever lie about any currency in circulation, since the backing funds are publicly auditable.


Title: Re: Anonymity
Post by: Nefario on February 14, 2011, 07:43:12 AM
Quote
He clearly states that it could be extended to a decentralised model where there are multiple clearing agents, i.e. signing authorities, so on that basis it can be done.

Seems wrong then to say that decentralisation precludes anonymity, red herring rule-of-thumb (rot).

If you would like to play with an actual implementation of Chaumian blinding,
then I recommend you check out my digital cash library, Open Transactions:  
https://github.com/FellowTraveler/Open-Transactions/wiki

Some scoff at blinded digital cash, since it involves withdrawing cash from a "server" and that means "client/server" which means it's not fully p2p distributed and instead is a "centralized solution"--and therefore politically uncool.

Let's keep in mind that blinded tokens are what provide the untraceability. No "signing authority"? No untraceability.

Let's also keep in mind that, as Chaum said, it's possible to run MULTIPLE SERVERS. (The various diagrams for Open Transactions depict this.)

Open Transactions also makes it possible to distribute funds across multiple servers, and to distribute currencies across multiple issuers (through basket currencies.)

If anyone really has a problem with running a server somewhere, let's also keep in mind that I2P and Tor are specifically designed to allow "HIDDEN SERVERS" to exist within the network, untraceable in their actual location yet still processing services online. Presumably any future anonymous networks will also feature this important functionality. Thus, it can be said that any hidden service (including Open Transactions, for example) is made possible by the p2p, distributed nature of the anonymous network on which it runs.

The publicly-auditable nature of Bitcoin means that, by its very nature, it cannot be untraceable. Software such as Open Transactions must be employed as a layer above, in order to add the functionality of untraceable cash, as well as the ability to use other instruments like markets, payment plans, cashier's cheques, etc.

I find it interesting how blinded token software such as Open Transactions complements Bitcoin (providing an untraceable layer), while Bitcoin provides a publicly-auditable and fully-distributed backing for the currency. (A backing which, unlike gold, cannot be confiscated from some central storage location.)

In fact, combined with some next-generation anonymous network, all three pieces conveniently solve the problems of the others!

I'll explain:

Bitcoin is fully distributed and decentralized, but it's not anonymous or untraceable, and in fact it's publicly auditable.
Open Transactions provides untraceability and anonymity, but you have to have somewhere to store the gold.
Bitcoin solves the problem of storing the gold (through its distributed nature), but it has no intrinsic value (it's more similar to dollars than to gold, in the sense of intrinsic value, due to its fiat nature.)
An anonymous network can hide your web activities, including your Bitcoin messages to each other and your communications with an Open Transactions server. But unfortunately, there are problems of resource allocation on an anonymous network. (Because you normally can't pay for something anonymously...)
...Unless you have digital cash. Therefore Open Transactions can be used to solve problems of resource allocation on anonymous networks, meanwhile the anonymous network is what makes it possible to safely hide an Open Transactions server.
Furthermore, the anonymous network also provides REAL value to Bitcoin (besides just "proof of work") since now the Bitcoins are redeemable in network resources. Thus it solves the problem of intrinsic value in the Bitcoin.
No issuer can ever lie about any currency in circulation, since the backing funds are publicly auditable.


Make your library easier to use and give us a code based use case, OT is like Google Wave, maybe it's revolutionary if people knew what the hell it was.


Title: Re: Anonymity
Post by: fellowtraveler on February 14, 2011, 12:13:30 PM
Make your library easier to use and give us a code based use case, OT is like Google Wave, maybe it's revolutionary if people knew what the hell it was.

The actual use cases are very simple:  Issue currency, create account, write cheque, deposit cheque, withdraw cash, deposit cash, etc. These are actually not confusing for you at all. In fact, you intuitively understand these concepts from normal, everyday banking. For users of any OT client, the concepts are all intuitive and easy for them to understand as a result of this direct analogy with all of the financial instruments. The only difference is that OT allows you to create new currency types (while obviously normal banks mainly deal in a single currency type with their everyday customers, like dollars or euros.)

Which API calls are used for each Use Case? Exact instructions are here:
https://github.com/FellowTraveler/Open-Transactions/wiki/Use-Cases

To see the notes for each individual API call, look here:
https://github.com/FellowTraveler/Open-Transactions/wiki/API

The "Use-Cases" file describes exactly which API calls to use for each Use Case, and the API file gives the exact details on using each call.

That's pretty exact as far as instructions go -- and of course if you have any questions, I will be very responsive to anyone using the OT API.

In fact, Nefario, you contacted me recently regarding a build issue you had, and I wrote you back (on Github and posted here.) It had turned out that my instructions were wrong for installing OpenSSL 1.0.0c on Linux--they were actually installing 0.9.8--so I fixed my instructions accordingly, and also wrote you back. (http://bitcointalk.org/index.php?topic=2598.msg41445#msg41445)

The updated installation instructions are here:
https://github.com/FellowTraveler/Open-Transactions/wiki/Install

My conclusion was that, due to my instructions having been wrong, you probably never had actually installed the right version of OpenSSL. (I never found out for sure because I didn't hear back from you -- but I'm sure I can help you get the software building on your system, if there are still any problems.)

There is also an OT client called Tempest that contains sample code for most of the OT API in Perl:
https://github.com/dspearson/tempest

(You asked for a code-based use case. Tempest implements most of the use cases.)

The Tempest author may also be contacted via email (as well as myself) to satisfy any questions you might have about using the API. He will also be releasing a new version of Tempest sometime in the next month or so.

I hope this is helpful and clears up any confusion. OT of course is new software so this process is necessary where I provide support to early experimenters. This helps me refine the docs, the software, etc to continually make things easier for you to use it.

By the way, below is the current list of Use Cases available on OT. Please feel free to ask me for any clarifications, since this helps me to update my own FAQ and other documentation for the future benefit of others. In fact your last contact to me already resulted in a fix to my install doc.

USE CASES
-- (Client software starts up.) Initialize the library and load the wallet.
-- Display for the user:
    Server Contracts,
    Nyms (key pairs),
    Asset Accounts,
    and Asset Types (asset contracts).
-- Change the wallet’s local display label for any:
    server contract,
    asset type (asset contract),
    asset account,
    or nym.
-- Import a server contract (or asset contract) into the wallet.
-- Create a new Pseudonym (public/private key pair).
-- Register a public key (a “Nym”) at an OT server.
-- Issue a new Asset Type.
   (Uploads an asset contract which creates an issuer account.)
-- Retrieve any Currency Contract (by ID).
-- Create a new Asset Account (by asset type ID).
-- Write a cheque (or invoice)
-- Send a Message to another user
   (via the server, encrypted to the recipient’s public key and placed in his inbox.)
-- Deposit a cheque
-- Withdraw cash  ************
-- Deposit cash
-- Withdraw Voucher (like a cashier's cheque.)
-- Account-to-Account Transfer (received via inbox)
-- Create a new Basket Currency
-- Exchange Digital Assets in and out of Baskets (from your Asset Accounts)
-- Process your Inbox (Receipts and pending transfers)
-- Set up a Payment Plan
-- Issue a Market Offer



Title: Re: Anonymity
Post by: Nefario on February 14, 2011, 01:18:00 PM
FellowTraveller, yes you did reply but I'd moved on by that point.

Getting ruby to link with the latest version of openssl, getting the ruby headers for your library, figuring out how it works, figuring out how the server works, figuring out how to use it etc. Too many variables to calculate the time it would take me to get what I wanted.

I'll admit I'm not a great developer, having greater difficulty getting other people's stuff to work I tend to just go and build my own. And on top of this I'm slow getting things done (programming things) and don't have much time, I'll be starting back work after the spring break next week and will have even less time.

Building it myself I have an idea of how long it will take, I don't need all the functionality of OT. I understand the basic concepts well, and think OT's a great idea, but it's not the easiest to use.

I'm at the point where I've almost finished my first version of the server, the client needs a proper interface but that's it. A bit of testing, some bugs fixed, and it's ready to start.

When I've got my first version done I'll re-investigate OT again, and be determined to get it to build and see whether I should go for that or continue using my own system.

To be clear I'm building a stock market using ricardian contracts and bitcoin as the only currency, everything is priced in bitcoin. On top of that it will also be used to manage share ownership, that is for "companies" that issue shares on this market they can put forward motions and people can vote on those motions with the shares they own. It will also have share dividend payment functionality.

I haven't gotten around to implementing the voting or dividend payments yet as other things come first but it would be relatively trivial. The system doesn't use its own http server, it uses ruby sinatra, which has a lot of flexibility and can have better http servers put in front of it.

My contracts are stored in a db, along with everything else instead of on the file system.

I understand my own terrible code very well, and know what all the options are, I don't write cpp, and I don't know all the options in your system (there's a lot, it's a big complex system). And other users on this forum have had a look at your system, and they've also found it hard to use, I know grondilu has also gone and made his own system, I don't know if that is because of the difficulty of using OT or if that's just because he wants to do it himself.

Right now, if you want me to use OT you're going to have to join me in my project and kind of hold my hand a little, maybe even do this with me jointly, for that I'd happily give you 1/2 of the ideas/businesses profit if it makes any.

If you want to arrange for a chat on IRC I'd be happy to do so, I've got plenty of questions about the way OT works.


Title: Re: Anonymity
Post by: gohan on February 14, 2011, 02:34:53 PM
He clearly states that it could be extended to a decentralised model where there are multiple clearing agents, i.e. signing authorities, so on that basis it can be done.

That's what I was proposing. Your bitcoin-note might be signed by n nodes. Think of the note as (r, s1, s2, ..., sn). And let's say at least n/2+1 verifications are necessary for you to deposit. What if those n/2+1 are not online, or quit the network? What if one too many of them are malicious and give false replies?

Like fellowtraveler said: No "signing authority"? No untraceability.

That kind of thing could work as a multiple-bank system with an interbank protocol, as in the Open Transactions scheme (which by the way looks pretty cool, thank you fellowtraveler), where you trust the bank you are working with.

Our scheme, if I understand you correctly, should work differently. The network blindly signs the note and the bitcoins that are to be represented by the note are destroyed at the moment of "potential" generation. The notes don't have to be used immediately, Alice can store all her bitcoins indefinitely in such notes. When she gives one of them to Bob, Bob has to deposit the note to see if it is valid and not double-spent (a la online e-cash). Now the network verifies the note, adds it to the "spent" notes list, creates new bitcoins out of thin air and awards them to Bob. So it is radically different in the sense that "encapsulated" bitcoins are not stored anywhere but destroyed/re-created.

I'll see if I can come up with a schema that fits easily into the bitcoin transaction model for comment. Would be based around the block-generating node blind signing the transactions in essence.

Good luck. I'd like to wander to a different direction but I very much would like to know if the above scheme is also what's in your mind.
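
The scheme discussed in this post, worked through as an added example that is not part of the original thread or of any project mentioned in it: a note (r, s1, ..., sn) is blind-signed by n nodes, and a deposit needs n/2+1 positive verifications plus a check against the spent list. The `Signer`, `Network`, `withdraw` and `demo` names, textbook RSA blinding, and the toy keys built from Mersenne primes are all assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

E = 65537
# Toy key material (constructed): products of Mersenne primes, unsafe for real use.
MERSENNE = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]


def h(serial: bytes, n: int) -> int:
    """Hash the note serial r into Z_n (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n


class Signer:
    """One signing node with its own RSA key. It only ever sees blinded values."""

    def __init__(self, p: int, q: int):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))
        self.online = True
        self.malicious = False
        self.seen = []  # every blinded value this node was asked to sign

    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, self._d, self.n)

    def verify(self, serial: bytes, sig: int):
        """None if offline; otherwise this node's verdict on its own component."""
        if not self.online:
            return None
        ok = pow(sig, E, self.n) == h(serial, self.n)
        return (not ok) if self.malicious else ok  # malicious nodes lie


def withdraw(signers):
    """Alice picks serial r and obtains one unblinded signature per node."""
    serial = secrets.token_bytes(16)
    sigs = []
    for s in signers:
        while True:
            b = secrets.randbelow(s.n - 2) + 2  # blinding factor
            if gcd(b, s.n) == 1:
                break
        blinded = h(serial, s.n) * pow(b, E, s.n) % s.n
        # (H * b^e)^d = H^d * b, so multiplying by b^-1 leaves H^d.
        sigs.append(s.sign_blinded(blinded) * pow(b, -1, s.n) % s.n)
    return serial, sigs


class Network:
    def __init__(self, signers):
        self.signers = signers
        self.threshold = len(signers) // 2 + 1  # n/2+1 verifications
        self.spent = set()

    def deposit(self, serial, sigs) -> str:
        if serial in self.spent:
            return "double-spend"
        verdicts = [s.verify(serial, g) for s, g in zip(self.signers, sigs)]
        if sum(v is True for v in verdicts) < self.threshold:
            return "insufficient-verifications"
        self.spent.add(serial)
        return "accepted"


def demo():
    pairs = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3)]
    signers = [Signer(MERSENNE[i], MERSENNE[j]) for i, j in pairs]
    net = Network(signers)
    out = {}

    note = withdraw(signers)
    # No node ever saw the value it would need to link deposit to withdrawal.
    out["unlinkable"] = all(h(note[0], s.n) not in s.seen for s in signers)
    out["first"] = net.deposit(*note)
    out["replay"] = net.deposit(*note)

    # Failure modes raised in the post: nodes offline, one node lying.
    note2 = withdraw(signers)
    signers[0].online = signers[1].online = False
    signers[2].malicious = True
    out["degraded"] = net.deposit(*note2)   # only 2 honest verdicts of 3 needed
    signers[0].online = True
    out["recovered"] = net.deposit(*note2)  # 3 honest verdicts

    # A forged note gets a "yes" only from the lying node, below threshold.
    out["forged"] = net.deposit(secrets.token_bytes(16), [1] * len(signers))
    return out


if __name__ == "__main__":
    print(demo())
```

The degraded case shows that a valid note is not lost when too few honest nodes answer; it simply cannot be deposited until enough of them return.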


Title: Re: Anonymity
Post by: BitterTea on February 15, 2011, 05:48:00 PM
Bitcoin solves the problem of storing the gold (through its distributed nature), but it has no intrinsic value (it's more similar to dollars than to gold, in the sense of intrinsic value, due to its fiat nature.)

Would you care to support this statement? Bitcoin has value by fiat no more than gold does. Nobody is forced to accept Bitcoin for payment of debts, as they are dollars. The only entities that accept Bitcoin are those that value it as a currency.


Title: Re: Anonymity
Post by: Pieter Wuille on February 16, 2011, 12:36:15 AM
Bitcoin solves the problem of storing the gold (through its distributed nature), but it has no intrinsic value (it's more similar to dollars than to gold, in the sense of intrinsic value, due to its fiat nature.)

Would you care to support this statement? Bitcoin has value by fiat no more than gold does. Nobody is forced to accept Bitcoin for payment of debts, as they are dollars. The only entities that accept Bitcoin are those that value it as a currency.

I believe fellowtraveler means here 'fiat' in the sense that bitcoin's only value is its use as payment, and not 'fiat' in the meaning that its value is forced by government decree. Compare this to gold which has a use as component for jewelry, even when not used as monetary system.


Title: Re: Anonymity
Post by: fellowtraveler on February 16, 2011, 05:02:27 AM
Bitcoin solves the problem of storing the gold (through its distributed nature), but it has no intrinsic value (it's more similar to dollars than to gold, in the sense of intrinsic value, due to its fiat nature.)

Would you care to support this statement? Bitcoin has value by fiat no more than gold does. Nobody is forced to accept Bitcoin for payment of debts, as they are dollars. The only entities that accept Bitcoin are those that value it as a currency.

You're right, I didn't mean fiat in the sense of "by decree", as if mandated by a government.

I just meant that Bitcoin's only value was based on the decision of early adopters to accept it, based on their future ability to pass it on to others, and not based on any other actual market value (such as a precious metal, or a bushel of wheat... or network resources.) In this sense, Bitcoin is more similar to dollars than gold, which is what I was trying to say. (Gold/silver has several thousand years of market history demonstrating that it is what markets naturally use unless they are perverted with some combination of force and fraud. You are probably closer comparing Bitcoin to the Pet Rock fad, at this point, than comparing it to Gold. Though time will tell, and I'm rooting for Bitcoin -- I'm a fan.)

My over-arching point was that if Bitcoin were used as the backing currency for an OT-based untraceable cash, and if that were built into an anonymous network (used to solve resource allocation issues) then many holes would be filled: the Bitcoin would be backed in network resources and would be untraceable, the OT would have a publicly-auditable, distributed backing, and the server could run hidden safely on the anonymous network, and the anonymous network would have proper resource allocation (which requires untraceable cash.) And those are all good things, no?


Title: Re: Anonymity
Post by: fellowtraveler on February 17, 2011, 12:05:07 PM
Right now, if you want me to use OT you're going to have to join me in my project and kind of hold my hand a little, maybe even do this with me jointly, for that I'd happily give you 1/2 of the ideas/businesses profit if it makes any.

If you want to arrange for a chat on IRC I'd be happy to do so, I've got plenty of questions about the way OT works.

Heya I'm working under my own deadline over here for the next few months anyway, so I can't take on any new projects.

What I CAN do is:
Help you get OT built on your system,
and answer any questions,
and help you with any fixes,
related to the OT API.
(And I'm happy to do a chat if you need one.)

As I said before, the Use Cases are all pretty simple stuff... issue currency, open account, withdraw cash, deposit cash, market offer, write cheque, etc. The parameters are all what you'd expect: withdraw needs to know the account ID, the amount being withdrawn etc. Compared to what's going on behind the scenes (chaumian blinding, destruction of account history, etc) I think the API is sweet and easy. That's the whole point of the library.


Title: Re: Anonymity
Post by: Barak on June 05, 2011, 02:53:42 PM
Anonymity is not a feature that most users need.
Well, we need a poll. For me, anonymity is the only feature I need
Most of the anonymity talk I see around Bitcoin seems to be oriented around the assumption that the attackers will be governments who will be forced to accumulate proof beyond a reasonable doubt in order to get a conviction in court.

I think we need to be talking as though the attackers will be criminal thugs who need just a whiff of suspicion, and who don't mind killing a lot of innocent people as long as they get the one they're after as well.

Because if Bitcoin, or some other untraceable, uninflatable, and non-centrally-controllable currency gains critical-mass popularity and takes off, that's what governments will become.

Guaranteed.

For them, it'll be a life-or-death case of us or them.


Title: Re: Anonymity
Post by: gigitrix on June 06, 2011, 01:11:22 PM
Anonymity required?

Use coin mixing and money laundering services. They are all readily available today AFAIK.

A complicated reengineering of bitcoin is the last thing we need right now.


Title: Re: Anonymity
Post by: Disposition on June 08, 2011, 06:08:10 PM
Let me see if I got this correctly since most laundering services only "mix" coins that it's trying to transfer...

What about a "cash" like system that's backed by miners (pools).

I first make these assumptions.
1. Freshly generated coins from a block aren't linked to anything (or would only contain the address of the pool which they came from.)
2. Coins are tracked on an address-to-address basis.

The system is as follows.
a needs to send btc to b.
a instead sends btc to S.
S, as a server, uses fresh bitcoins to send the amount to b.
So the capability of S as a laundering service is equal to the hashrate at which it generates bitcoins.

tl;dr
Pools are the best launderers

Comments? sounds good to me.


Title: Re: Anonymity
Post by: Monster Tent on March 02, 2013, 02:16:56 AM
It's worth someone coming out with a client or even a separate alt coin because the same people who will control all of mt gox US transactions also have access to the user data from the bitcoin foundation.

This could be dangerous for anyone wanting to use bitcoin for activism purposes, with the large data matching abilities this offers.

If 80% of the network is able to be identified it compromises the other 20% who don't want this for numerous reasons. Donating to wikileaks for example.


Title: Re: Anonymity
Post by: tekknik on May 31, 2013, 03:30:37 PM
This post may cause a flame war, so I apologize in advance if it happens. Now onto my post:

Is anybody else starting to feel the anonymity of the *coin clients will ultimately be the demise of them? We see scams popping up regularly from people who think things like child pornography, selling hard drugs to any age group, and various other acts that most sane people will view as disgusting. In the IRC channels (#litecoin at least) I can't tell you how many times I've seen questions involving evading taxes, at least as often as I see questions on how to get a mining rig set up. When I ask other engineers who are not currently involved in any crypto currency why they are not, the usual answer is "I do not want to be grouped with the scum using them." (their words, not mine) or "Why hide if you have nothing to hide?" I understand privacy is everybody's right and not something any government should control, but it seems the scammers have once again proven they will use any means necessary to make a buck. I used to advocate the use of bitcoin due to its anonymity and lack of control by an overall authority; however, after the most recent case with Liberty Reserve I can no longer in my right conscience recommend it. So now I ask the more "in the know" / senior members of this community, what valid reasons are there for preserving the user's identity?


Title: Re: Anonymity
Post by: Tom Scholl on June 01, 2013, 02:31:31 PM
what valid reasons are there for preserving the user's identity?
I'll have a go with an example:

Bob hears about Bitcoin from a man in a bar, who sells him ten dollars worth.
Later that day, Bob decides to gamble his Bitcoin on Satoshi Dice and wins big time!
The next day he's in the same bar, and that man sidles up to him, angling for a handout from his big win.
Bob is really creeped out by this - how did this man even know he'd been gambling?
He loses interest in Bitcoin and advises his friends to stay away from it.

You could provide this privacy with a centralised mixer like the one at blockchain.info, and they can store logs to keep the feds happy. But if you don't want to sacrifice decentralization, you end up aiming at full anonymity.

Is anybody else starting to feel the anonymity of the *coin clients will ultimately be the demise of them? ...I used to advocate the use of bitcoin due to its anonymity and lack of control by an overall authority; however, after the most recent case with Liberty Reserve I can no longer in my right conscience recommend it.
This is a good point, and it's certainly what the politicians will be thinking. I think what we'll see are coin tainting and government mandated blacklist checking. It's just so easy to implement with a public ledger it's inevitable. On the conference security panel (http://www.youtube.com/watch?v=si-2niFDgtI&list=PLUOP0P68GJ3BGjfqoLLnzAefk3ZzXQtJ7&index=14), Peter Vessenes talks like Bitcoin tainting is here already.

When blacklists are commonplace, you can still have your anonymity, you just use a "clean coins only" mixer.


Title: Re: Anonymity
Post by: Stampbit on June 01, 2013, 09:12:57 PM
This post may cause a flame war, so I apologize in advance if it happens. Now onto my post:

Is anybody else starting to feel the anonymity of the *coin clients will ultimately be the demise of them? We see scams popping up regularly from people who think things like child pornography, selling hard drugs to any age group, and various other acts that most sane people will view as disgusting. In the IRC channels (#litecoin at least) I can't tell you how many times I've seen questions involving evading taxes, at least as often as I see questions on how to get a mining rig set up. When I ask other engineers who are not currently involved in any crypto currency why they are not, the usual answer is "I do not want to be grouped with the scum using them." (their words, not mine) or "Why hide if you have nothing to hide?" I understand privacy is everybody's right and not something any government should control, but it seems the scammers have once again proven they will use any means necessary to make a buck. I used to advocate the use of bitcoin due to its anonymity and lack of control by an overall authority; however, after the most recent case with Liberty Reserve I can no longer in my right conscience recommend it. So now I ask the more "in the know" / senior members of this community, what valid reasons are there for preserving the user's identity?

You sound like you have something to hide.


Title: Re: Anonymity
Post by: oakpacific on June 02, 2013, 06:31:43 AM
This post may cause a flame war, so I apologize in advance if it happens. Now onto my post:

Is anybody else starting to feel the anonymity of the *coin clients will ultimately be the demise of them? We see scams popping up regularly from people who think things like child pornography, selling hard drugs to any age group, and various other acts that most sane people will view as disgusting. In the IRC channels (#litecoin at least) I can't tell you how many times I've seen questions involving evading taxes, at least as often as I see questions on how to get a mining rig set up. When I ask other engineers who are not currently involved in any crypto currency why they are not, the usual answer is "I do not want to be grouped with the scum using them." (their words, not mine) or "Why hide if you have nothing to hide?" I understand privacy is everybody's right and not something any government should control, but it seems the scammers have once again proven they will use any means necessary to make a buck. I used to advocate the use of bitcoin due to its anonymity and lack of control by an overall authority; however, after the most recent case with Liberty Reserve I can no longer in my right conscience recommend it. So now I ask the more "in the know" / senior members of this community, what valid reasons are there for preserving the user's identity?

I don't know about others, but for me, the reason is exactly that the authorities are, and will ask me to give up my rights whenever they have a chance. My rights (privacy, anonymity, etc.) are my rights because I don't need to justify to anyone why I need them; rather, whenever I choose to compromise them a bit I do need some justification.


Title: Re: Anonymity
Post by: gabrield on February 03, 2014, 01:06:25 PM
I don't know, I personally find it rather disconcerting if users in the chain can be identified. For example, it wouldn't be enough for me to simply get bitcoins at an exchange, send them to a random address, and then use them from that point on. Your identity would still be linked. However, given the public nature of the transactions, I'm not sure if there is any way around this.

I'm sure somebody somewhere would/will be happy to sell you bitcoins anonymously; just put cash and a bitcoin receiving address in an envelope and mail it.  The exchange (who you'd have to trust to actually send you the coins) takes the cash and send coins to the address.  They have no idea who you are, and your identity isn't linked to the coins.

Well, it isn't linked to the coins until you forget to turn on TOR or I2P before spending coins on something illegal.  Or you remain completely and utterly anonymous right up until you spend coins on something physical and have it shipped to your home address.  Or you arrange to have contraband "dead dropped" somewhere, and you get arrested when you go to pick it up.

None of which have anything to do with Bitcoins, and all of which seem to me to be more likely ways of getting into trouble than somebody managing to figure out that "transaction for purchase of illegal stuff" is linked to "Gavin purchased a bunch of Bitcoins from Bobby's Discount Bitcoin Emporium" last year.


The lack of anonymity is the worst thing in the Bitcoin protocol. In my opinion the anonymity should be fixed urgently if you want Bitcoin to be adopted by mainstream people! Most people who have heard about bitcoin don't know their transactions can be traced. When they realize that, they say bye bye Bitcoin. I was very enthusiastic about Bitcoin, I bought some domains and was going to build some websites, but when I realized the lack of anonymity I stopped all my plans. Yes I know, there are workarounds, but why should I use a system that involves workarounds in order to not be traced?! If I use banks at least I know only a few people/institutions can see my transactions; using Bitcoin anybody can see my transactions, that's horror!!!

Why not adopt the zerocoin solution? It adds complexity to the protocol, but mainstream people don't care about technical things, they just want an easy to use, cheap system...