Bitcoin Forum

I like the idea. I could imagine a client with an "Automatically mix coins" advanced option in a menu, along with a quick dialog box about the anonymity benefits

I like the idea. I could imagine a client with an "Automatically mix coins" advanced option in a menu, along with a quick dialog box about the anonymity benefits, but constant transaction fees.

+1  I love the idea OP, but it should probably not be a mandatory function of the Satoshi client. Better as an option built into many clients.

The reason it shouldn't be a mandatory part of the Satoshi client is that that client should strive to avoid feature-creep. There is value in simplicity, especially for the core client. But if this option became standard in the Advanced tab of all clients, I'd be a happy man :)

Am I correct that the tx created by Alice (including Bob's input tx) is a direct application of the multi-signature transaction BIP (https://en.bitcoin.it/wiki/BIP_0010)?

One of the biggest issues is that once you make a transfer you combine coins from multiple addresses and as a result those can be identified as one wallet. I think casascius proposal addresses this only to some extent. If after mixing coins I again have to combine I have gained nothing.
How about we do it different:
Whenever I want to make a transaction, my client sends this out as a "transaction-indent", other clients that are also about to do a transaction combine their "indent" with mine (adding inputs and outputs) and after a few seconds, we all sign this combined indent to form a transaction.
This would make it impossible to identify a single wallet, because inputs from multiple wallets would end up in a single transaction. And secondary, on one would know which input was the initiator for which output.
Your comments?

The reason this coin mixing strategy reveals that addresses belong to the same wallet is because of addition. Let's say you see a tx with inputs of value 2, 3, 1, and 5. The outputs are of value 5, 5, and 1. It's pretty easy to tell, knowing that this is a mixing tx, that the 2 and 3 came from the same source and that the 1 and 5 came from the same source. We also know that the output of 1 belongs to the owner of the previous 1 and 5 tx's. What we've gained is not knowing who owns each 5 output.

With your proposed solution of just having two transactions per transaction, we still have the same problem. Let's say Alice is paying 3 BTC using inputs of size 2 and 2. Bob has another transaction where he pays 10 BTC with a 3 and a 7.

Inputs: 2 2 3 7
Outputs: 3 1 10

It's still pretty easy to distinguish between the transactions. Clearly, one person owns the 2 and 2 input addresses, and someone else owns the 3 and 7 addresses. We can still tell that addresses are related. With both ideas, the only way to avoid this is to have equally sized inputs (which is difficult when bitcoins are divisible down to 8 decimal places).

Inputs: 1 4 4 2
Outputs: 5 6

Now there's two possible solutions. 1 4 4 2 or 1 4 4 2. Casascius' idea of limiting mixing sizes to 5^n would help ensure that after the first mixing, each output should be of a fixed size. That should help reduce these concerns.

Getting back to the original issue: yes, using this mixing to combine coins would still often show that some of the source addresses are held by the same person. The strength is that that knowledge cannot be used to track future transactions. You become detached from your past, breaking any string of transactions people might be using to track you. Now, if you have 0.3 and 0.7 unspent tx's, and you happen to come across someone else with exactly 0.3 and 0.7, you can make it uncertain that you own both addresses.

Well, my proposal wasn't to mix 2 transactions, but maybe 10, or even 50. And then once you add the change addresses (at least 1 per wallet), it is no longer so easy to figure out what was used for what, and what belongs to what.

No, it is just a normal transaction that combines two inputs, and looks much the same as a transaction that combines two of your smaller coins in your wallet to make a bigger coin when one is needed.  It is not a multisig transaction at all.

The only difference between this and any other transaction is that the two inputs happen to belong to two different people, rather than the same person, so the signatures have to happen in separate steps.  In contrast, all coin-combining transactions already require multiple signatures, we just don't usually think of it that way because the same person's Bitcoin client (the sender's) can provide all of the needed signatures itself, and automatically does so whenever you "send coins" out of your wallet in an amount that makes coin-combining necessary.

Couldn't you say the same thing about this mixing? It could be expanded pretty easily to have Alice's mix offer be "Hey, I'm running a 5 BTC mixing party. Let's get everyone in on this same transaction." If a lot of people are throwing in their 2's and 3's, it'll get difficult to find the original pairs.

One of the biggest issues is that once you make a transfer you combine coins from multiple addresses and as a result those can be identified as one wallet.

Well, my proposal wasn't to mix 2 transactions, but maybe 10, or even 50. And then once you add the change addresses (at least 1 per wallet), it is no longer so easy to figure out what was used for what, and what belongs to what.

One more point, while casascius method would extremely bloat the block chain, mine could actually reduce the size.

Not really, because once I do my 100btc transaction, I have to combine all those in my own wallet. So mine are again identifiable as mine. The "bad" operation is to actual combine. So my idea was, make the combine operation more anonymously.

One more point, while casascius method would extremely bloat the block chain, mine could actually reduce the size.

I see your points.
How about this:
First step is creating a transaction as it is now.
After this the client creates a combined transaction with other unconfirmed and uncombined transaction. This combined one is almost like of a double spend on the first one, so legacy miners would ignore it.
Now other clients upon seeing this combined transaction, check if they can sign it, and will do so if necessary.
Once all inputs in the combined transaction are signed, a miner can replace all those single transaction by the combined one.

Nice idea. But it could be fairly easy for someone with good connectivity to de-anonymoize transactions. If for example someone with the address 1NotMixed keeps broadcasting his address as suitable for mixing every transaction that involves that address you know that the other output was the real destination address. Even if it is a chain of mixed transactions every one they manage to involve themselves in increases the likelihood of predicting the final destination address.

Or not necessarily using the same address, but unique addresses and sending back to 1NotMixed after.

None of these things should occur to users who don't understand them or explicitly opt in to them.  They could be briefly explained as benign side effects to a user who checks a checkbox to enhance his anonymity.

Reducing the swaps to specific granular amounts helps prevent this by making the units as indistinct as possible.

...

...Then, all of those chunks will be traded with others, one-for-one.  By the time each chunk has been traded six or seven times, what's a recipient going to learn to know that for example three chunks of five were combined to make fifteen?  Not much of use.

One could perform an analysis on those three chunks to see if they might happen to all share a common possible point of origin on the block chain (an intersection attack), which could identify the original origin.  But that could be easily mitigated just by the client occasionally "mixing" same-sized chunks with itself, which is indistinguishable from mixing with others, and which would make the ancestry of each chunk look very "inbred" so to speak, and therefore poorly useful for confidently identifying distinct faraway ancestors.

if the mixing has been done properly (like in Casascius' last post), there won't be any cases of "Oh, I see from tx1 that someone owns addresses A,B,C and I see from tx2 that someone owns C,D,E. Therefore, the same person owns all 5 addresses."

Nice idea. But it could be fairly easy for someone with good connectivity to de-anonymoize transactions. If for example someone with the address 1NotMixed keeps broadcasting his address as suitable for mixing every transaction that involves that address you know that the other output was the real destination address.

... by default ?

What's the benefits of participating in mixing someone else coins ?

Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefits of discouraging bad behaviors ?

I would much prefer someone who stole BTCs to pay a fee to shameless mixer than to help him unknowingly.

I will probably discard the remaining 0.02 as a transaction fee somewhere so long as it's not worth mixing.

Bad behaviors like what?  Donating to WikiLeaks and other politically incorrect causes?

Do we want Bitcoin to be a system that tracks taint of coins, or don't most of us share the consensus that the system as a whole would be better off without the notion of tainted coins, even if that means a few thieves will have an easier time getting away with their crimes?  For everything you're asking for, there's MasterCard.

if coin mixing were built into the client, there would never be a need for anyone to use a coin mixing service, and thereby deliberately and identifiably participate in so-called "money laundering"

Bad behaviors like what?  Donating to WikiLeaks and other politically incorrect causes?

Do we want Bitcoin to be a system that tracks taint of coins, or don't most of us share the consensus that the system as a whole would be better off without the notion of tainted coins, even if that means a few thieves will have an easier time getting away with their crimes?  For everything you're asking for, there's MasterCard.

... by default ?

What's the benefits of participating in mixing someone else coins ?

Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefits of discouraging bad behaviors ?

I would much prefer someone who stole BTCs to pay a fee to shameless mixer than to help him unknowingly.

... by default ?

What's the benefits of participating in mixing someone else coins ?

Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefits of discouraging bad behaviors ?

I would much prefer someone who stole BTCs to pay a fee to shameless mixer than to help him unknowingly.

I don't think you realize just how non-anonymous the current bitcoin client really is.  Most people would prefer that the amount of coins under their control not be so easily discerned from the block chain.  Do you walk around wearing a shirt that announces your net worth to everyone?  It has nothing to do with people engaged in what some may consider bad behavior.

Tracking tainted coins is already very challenging

Sorry but I always thought of this as a feature of Bitcoin and I will continue to see coin mixing as a non-issue for 99.99% of honest peoples and 99% of dishonest ones.

...I don't think you realize just how non-anonymous the current bitcoin client really is. ...

... Imagine in the future a naive user (your mom, your grandma) who is unaware of the technical details, and keeps receiving and sending Bitcoins always using the same and/or chained addresses.  Every time they buy something, no matter how trivial, they are potentially giving a determined snooper/attacker a window into all of their income and purchases since the dawn of time.  This is a disaster waiting to happen.  It will make life wonderful for criminals in countries (e.g. Latin America) where robbery and kidnapping and extortion are common. ...

So, should peer mix requests be in-band, or out-of-band (on a different port)? How realistic is it that the core devs would accept a pull request that extends the protocol for the purposes of mixing?

I'm thinking it would be cleaner with a simple mod to allow an rpc-request of the peer list, and use a separate, simple protocol for mixing.

[...]

User A then ends up receiving amounts of BTC totaling his wallet's balance from a multitude of different addresses across the world, practically rendering all participating nodes legally liable for everyone else's transaction history.

The point is to offer plausible deniability as to the origin of the coins you spend once they've gone through the 'laundry', while making the process of mixing coins itself common practice for everyone.

[This] would help obscure coin movement and ownership to a degree where reversing transactions on legal grounds or effectively monitoring transaction routes would become virtually impossible. And bitcoins themselves would be 'good as cash'.

When you think about it this isn't much different from how money works today:

When I deposit $1000 at a bank today the clerk will jot down that I deposited $1000 but when I return the next day to withdraw it, the banknotes themselves will be entirely different from the ones I had carried in my hand the day before. Regardless of where exactly the money comes from I am entitled to spend $1000.

One doesn't pull individual banknotes from circulation saying that according to their transaction history they once rightfully belonged to somebody they had been stolen from [in reference to legally reversing transactions; I wrote this shortly after MtGox was hacked]. Such scenarios would greatly reduce the value bitcoins.

Neither should it be possible to say "The transaction history of your money shows that it was used in connection with an undesired organization so we link you to that type of organization."

Since the bitcoin you hold in your wallet doesn't have a reliable transaction history anymore, the moment you have it it's yours, just neutral money, just money.

An integrated coinmix is useful mostly for preventing legal entities from easily singling out your tainted coins on the grounds that they originated from something like a theft. The majority might never trust money which they feel may easily be taken away from them due to the transparent nature of its transaction history. At least I feel that way. Cash has to be anonymous/neutral.

I believe this to be vital for commerce and the general public to accept Bitcoins as a real currency.

[...]

Upshot:
Instead of having coins sitting around idly while you're not spending them, they are [...] shuffled around the network night and day, further anonymizing the network and making the coins themselves even more cash-like, consequentially raising their value, as I believe there is a huge clientele of people who will consider Bitcoins valuable only when they have reached that level of collective anonymity. As well as potentially giving miners a new source of revenue*.

This would leave us with only two types of truly clean Bitcoins: 'newly generated' and 'gone through the puddle'...

... by default ?

What's the benefits of participating in mixing someone else coins ?

Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefits of discouraging bad behaviors ?

I would much prefer someone who stole BTCs to pay a fee to shameless mixer than to help him unknowingly.

I'm convinced passive coin mixing won't work unless it's automatic and widespread. Which means I'd be more supportive of an opt-out (or better yet, mandatory) client-level mixing methodology, but I still think the best way to do automatic, widespread mixing is to alter the protocol.

Great idea, keep going!

There is both an individual and a social incentive to want to mix, so I'd guess that many if not most users will select the "mix" option if it was offered.

For the individual:
Simple question, given the choice, ask yourself would you rather have a bank account that is totally private with no possibility of anyone gaining information about your financial transactions or another bank account that is maybe private, but has no guarantees against who your financial transaction behaviour maybe data-mined by?

Then shouldn't it just be an automatic, mandatory thing, hardwired into clients, forcing those who want to avoid mixing to find clients that didn't mix?

I think you have it all backward,  even with today's with unsophisticated coin mixing services it is still near impossible to track the origins and ends of 99% transaction.

What make you think 100% of people would want to help anonymize wrong doing using bitcoin.

Why don't you take it one step further and wonder why not everyone is willing to run a TOR exit node by default ? .  And why it wouldn't necessarily be a good thing ?

As if Bitcoin isn't revolutionary enough, it's required to provide 100% anonymous transaction while being ~95% anonymous already and criminals can easily achieve 99.99% anonymity with a small fee and some know how.

my bitcoin activities are all legal.. so why would I be willing to swap my clean coins for tainted ones?

another way to ruin any chance of getting bitcoin some clean legal rep' to go to mass market.

by making everyones coins dirty......

great for the druggies in the sort term. but not great for any expansion plans into real world markets. not great for bitinstant when every single coin they receive has taint. and banks stop dealing with them. causing all legitimate FIAT conversion services to disappear..

causing bitcoin to be harder to buy into or sell out of.

causing bitcoin to move back 2 years..

atleast think of the wider picture for the whole community and bitcoins future. not your own personal selfish desires to hide your drugg obtained funds.

all i can say is make ur own client and let the druggies swap between themselves and those that dont care about taint that have clean coins can join the mix only if they are given a good profit to outway the risk.. but in no way, shape, or form should this be adopted as a standard practice for all clients and all users of bitcoin.

Bottom line is, if coin mixing were built into the client, there would never be a need for anyone to use a coin mixing service, and thereby deliberately and identifiably participate in so-called "money laundering".  Rather, they would be exchanging coins in the normal course of business, the same way I can go to the grocery store with a twenty and ask for two tens without being guilty of "laundering" the twenty.

This process would also help greatly toward network scalability.  If coupled with a scheme where small penny txids (such as those generated by p2pool) were consolidated into amounts large enough to be valid for mixing, this also would defragment them without forcing whoever owns those outputs to deanonymize themselves... this would dramatically reduce the storage burden on near-future clients who will only be tracking unspent transactions instead of the whole block chain.

Mike, do you know the current status of this type of effort?

As far as I know, it's only an idea.  I am unaware of any efforts undertaken to turn it into something real.  I have considered doing one by hand as a proof-of-concept: making a forum post saying "here's an address with 25 of my BTC" and "here's an empty address in my wallet" and proposing that someone else produce an incomplete transaction that swaps my 25BTC with theirs, waiting only for me to sign and release it.

Step 2 would be to do the same thing in an IRC channel.

Step 3 would be to write a client that sits in an IRC channel and repeatedly does the same thing with strangers.  (I've never written anything that automates activities on IRC, so while this is something I could do, I probably wouldn't get around to it due to the modest learning curve and other worthwhile priorities)

As for having this done by default on the main client,,, please stop dreaming.

Why stop dreaming about good features that could be technically feasible?

A private p2p payment system was nothing but a dream as little as 4 years ago.  Should Satoshi have stopped dreaming about such a grandiose, idealistic, pie-in-the-sky notion?

Private banking and predictable inflation are the two key qualitative differentiators between Bitcoin and all other currencies.  Faster transactions, less fraud, lower transaction fees, all such things are wonderful but can eventually be imitated by traditional banks, while true privacy cannot.  If eventually the Bitcoin community mistakenly starts believing that privacy features are merely peripheral and not worth allocating resources for improvement, it will significantly increase the chance of Bitcoin being rendered irrelevant.  Personally, I'll put my coins where my mouth is and happily donate to any Foundation (or independent) development initiatives to build full anonymity into Bitcoin or as an altchain/fork.

A perfect centralized Tor-compatible web service already exists for hooking up these deals: IRC.

The right client could sit in there and make/accept automated requests to do coin swapping.

It doesn't even need to be part of the Satoshi client.  It could be a standalone program that takes two wallets as input: one full of coins and one virgin wallet, call them wallets A and B.

After spending 24 hours in IRC, all the coins should end up in Wallet B, in nice even granular chunks perfectly sized for swapping.

I would like to see this idea implemented.  I am willing to donate BTC to the project if anybody wants to take the bull by the horns and go for it.  I would also rather see it done under the auspices of the Bitcoin Foundation, but that isn't absolutely necessary.

And just so we are clear:

A no fee service.
Hopefully implemented into some bitcoin client.
Is rock solid before rolled out to the bitcoin network.
Is tested on some test network first.

Quantum

Count me in for donations to any serious efforts meeting this spec.