I will definitely congratulate if warranted. I'm also trying to think of how to make it rock solid.

Probably nothing to do with me, but I been posting very aggressively in other threads that we really need an anonymous coin.

Adversary will wait until he is MasterNode A and MasterNode B. The more Sybil nodes he has, the more often that will be.

Actually adversary doesn't have to wait for that, if he has MasterNode B, he can spend it and cause trouble for DarkCoin. And who can prove he was lying?

Thanks. Very important work, as it enabled me to make the log-logistic theory, since money is apparently ALWAYS adopted by power law distribution not Gaussian (bell curve).

Noted it is mcap and not price, yet the are close proxy to each other now, since coin debasement is only 11% per annum now.

My TA. I put a ruler along the bottom of the green line since 2012 and looks it needs to come down to 3/5 current value to meet the trendline again. Which corresponds very roughly to $300.

P.S. Indeed any activity even promoting Bitpay transactions and driving our idealism into the toilet will satisfy our greed (for a while and that is a poetic note).



So you are arguing that most can't get a credit card or can't use, so they are selling Bitcoin to purchase and then replacing their Bitcoin. I find this so far off the relevance scale. Majority of Bitcoin holders weren't unable to purchase anything online before Bitcoin came along. That is an extreme assumption. We know Bitcoin appeals to tech people who surely had mapped out how to buy online many years ago.


And that is off topic to the point I was making. But I don't disagree with you on your point, it just doesn't refute the point I was making.


Peter Thiel's Paypal doesn't allow filipinos to receive payments (or at least didn't until a year or two ago), because the USA wanted the Philippines to first enact laws to end bank secrecy, support anti-terrorism, have an AML and KYC law, give the IRS access to any private data requested, etc.. Philippines has complied, so now they got upgraded by Moody's, Standard & Poors, etc.. So now they get fattened with debt. Lovely world and now we bow like good slaves to Peter and give him control of our Bitcoin.

P.S. the law of unintended consequences a.k.a. chaos when politicians make laws is why you are reading this thread in reverse.  

---

Also I want to add that I understand it is very difficult to get merchants to hold BTC. But I am not in a rush to have merchants and fiat slavery. I am willing to invest in my future freedom for the long-term and be patient. I am not a greedy bastard.  I live simply.

You put a lot of weight in your humongous pride, as if someone presenting analytical discussion is worried. I am not worried about the BTC price. I could careless because I don't own any BTC nor am I itching to buy any. And you put a lot of weight in arbitrary curve fits.

And people who think they know every thing for sure (and you don't even enumerate the arbitrary assumptions in your model), eventually get a lesson in respecting chaos. Maybe not this time. No one knows. But eventually yes.

I hope you realize the following chart is arbitrary BS.




And why not drawn like this? A least squares fit is an arbitrary choice of slope, because the curve you are fitting is not very linear. The 2011 outlier is your big problem with choosing this arbitrary fit. And we can't really trust that early data back in 2010.

The green line looks much more accurate to me. It removes that bubble from 2013 and follows a trendline from before the bubble started. Or we stay with the purple trendline, in which case the price is almost down to the purple line.

You need to update your chart. The price is now lower than shown.





Also refer to my upthread post quoted below pointing out that adoption (and thus BTC ≅ adoption^2) is likely log-logistic, not logistic. Thus we see the first slope to 2011 was higher, then the slope from 2012 to 2014 was the purple line, and now we may be ready to transition into an even lower slope, such as the green line.

I really don't want to post, but I am compelled to point it out some corrections.


Talk about fantastical dreaming. I thought I was really far out there with wanting an anonymous coin.

So in order to stop rape, first we need to rape until everyone is raped, then we can suddenly stop raping because everyone has a rape kit.

You won't get to even 1% coverage before the entire ecosystem has been co-opted by centralization and fiat regulation. Dance with the vampires only if you want to be bitten and converted.

I guess the love of greed can make one think up any kind of irrational excuse to continue in that greed.


Do most people in Bitcoin have only 3 - 5% gains.



You failed to grasp my point that the credit card holder pays 0% (or even gets cash back). What the merchant pays is irrelevant, unless the merchant is giving that 3-5% discount to the Bitcoin purchaser. Even with a discount, it is bad tradeoff because we are pushing our ecosystem to hell.


Do you see any competitor to Bitpay (or Peter Thiel's Facebook or Paypal)? Do you know how to compound 3X monthly growth (or thereabouts) and realize how few months before that is the entire value of Bitcoin (thus no room for another player)?

And on what feature could a competitor compete? Bitpay already offers 0% fees, because we the customer pay Bitpay when they fudge the exchange rate slightly.


Do you see my name on anything in the altcoin list.

Agreed I have no skin in whether the price drops or not. My concern is whether I end up a slave or not.


Nonsense. The demand of buyers doesn't increase when the amount of selling through merchants increases. It increases only if the people buying at merchants are all replacing their coins. You completely dunced the math that I explained upthread. Remember demand and supply meet at price. Go back to Economics 101 and don't forget marginal supply and demand sets price.


Markets always move in the direction to hurt the most investors. When most of the investors are 100% sure of something, that is when it most surely won't happen. I don't know if you are representative of the majority or not.

Your calculation is inaccurate. See my calculation example upthread. There are many factors in play.

Also I can't see any way to have multisignatories without worsening the anonymity proportionally per my immediately prior post.

We need to wait until the developer hashes out more of the details so we can get the entire picture and calculation.

It is not as simplistic as you are thinking.

As far as I can fathom, multisig doesn't protect you because master node can just lie and say none signed. How will the other signatories know if the master node is telling truth or not?

However, I have a partial solution for this. Send the collateral payment to the ether. Then master node loses some incentive. But still the master node might lie just to harm the coin and the owners of those collateral.

I guess the inputs can forward their communications to other signatories too?

In that case, your anonymity is more broken because more nodes would see the triplet of IP, input, and output on each Darksend. Thus the percent of master nodes needed to lower anonymity would be proportionally less (e.g. if 5 signatories, then need only 1/5 as many master nodes to be adversaries).

No I meant the collateral payments can be stolen, not the tx fees. Are you meaning to write that collateral payments always go to the miners, thus master nodes have no incentive to lie?

In either case, master nodes can lie and steal, they just make sure they also control miner(s) (or pools).

No one can prove the master node isn't being malicious to hurt the reputation of an innocent pool or miner. Thus you can't blame the pool or miner, so you won't know if the pool or miner is complicit.

Thus you can't stop theft.

In case readers don't understand why the collateral payments can't be associated only with the inputs and not the outputs, it is because the outputs are blind signed. So if output signing fails, then there is no way for inputs to prove they signed the outputs in order to isolate the adversary(ies) who didn't.

So this is why output signing has to be correlated to inputs. This is what breaks the anonymity in terms of allowing Sybil attacks on master nodes (see my calculation example upthread).

Then apparently we also have the problem that collateral payments can be stolen by Sybil attacking master nodes (and miners/pools if the payments go to them), but still waiting to finish that discussion.

I thought of another solution which I am sure you also thought of?

Charge a transaction fee to all inputs of the Darksend.

That may be the only possible solution that works. Anonymity won't be broken. And collateral can't be stolen.

Then Sybil attacking the master nodes won't have any effect because you no longer correlate collateral to the triple of IP, input and output. The collateral is removed from the design. You instead charge a tx fee to every input. Master node can't correlate to blind signed outputs.

And Sybil attacking the inputs will be very very costly.

The downside is of course Darksends are not free. Nothing in life is free.

Yeah I think this is your only realistic option.

Edit: but the master node can steal the tx fees. And then not include the input in the output signing. So scratch this idea.

See CoinJoin just doesn't work. I tried to tell everyone that, but they get all angry at me. Sorry.

I don't see how that could have worked. The master node can simply lie about which collateral payments didn't fulfill all the stages. There is no way to know if the master node lied to other signatories. Did I misunderstand?

If collateral payments can be stolen, then this needs to be abandoned.

I am so sorry, but CoinJoin is a can of worms. I tried to tell you that weeks or months ago back on page 3xx of this thread.

Probably the only thing you can do is move master nodes to a reputation system. But this means you give your coin to the government. Reputation always ends up just like the power vacuum of democracy.

The entire point of Satoshi's brilliant PoW invention, is you don't have to trust any node. He solved the Byzantine General's problem.

In case I wasn't clear, that Sybil node would be sending Sybil inputs, not a Sybil master node. Then see my prior post on the effect of Sybil inputs on anonymity set size.

Let me try to do a calculation to explain my point.

Let's say adversary has 20% of the master nodes that are randomly chosen to process a Darksend.

Let's say I mix with 10 others on each Darksend. And I never mix with the same user twice.

Let's say adversary Sybil attacks (i.e. provides) 50% of the inputs on each Darksend.

Let's say my adversary is a snooping agency that defeats Tor 20% of the time.

Let's say only 40% of users use Tor. And the snooping agency can see IP addresses 100% of the time when Tor is not used.

So on each round there are 5 non-Sybil inputs, 0.4 x 5 = 2 don't use Tor, and so I have 1 in 3 = 33% chance to be randomly identified from the small anonymity set. But when the adversary doesn't identify me with nodes and Tor, then my anonymity set shrinks by 3 x (0.20 + 0.20) = 1 thus 1 in 2 or 50% chance.

Thus on each Darksend, the adversary has a 0.20 + 0.20 + 0.50 = 90% chance of identifying me.

Thus after 10 Darksends, adversary has a 0.90^10 = 1 in 3 chance of identifying me.

So 1 in 3 of my coins will not be anonymous.

And this does not factor in when I spend 2 or more of my coins together in one transaction (since Darksend requires me to break coins into constant amounts). That further reduces anonymity.

You see that attaining 1 in 1000 anonymity could be difficult with this type of design depending on the capabilities of the adversary.

It is this sort of calculation that made me really not like CoinJoin too much.

Let me try again. I am getting very sleepy.

LimLims wrote if 20% non-anonymity for 3 rounds, then adversary needs cube root of .20 or 58.5% adversarial node coverage.

I normally do it like this. It would be 80% anonymity over 3 rounds requires 41.5% non-adversarial node coverage, i.e. allows 58.5% adversarial coverage,  0.585 ^ 3 = 0.20.

You can calculate it either way. I prefer your way, but I was following LimLims.

The above is for Sybil attack on nodes.

Now I discuss about Sybil attack on the inputs.

My point remains that the size of anonymity set is also a factor (which can be reduced by Sybil and by the adversarial node coverage), not just the adversarial node coverage alone.

I am talking about Sybil attack on the inputs not on the nodes. If there are only 10 inputs to a CoinJoin, then you have a 1 in 10 chance to be identified correct just by random selection. If 5 of the inputs are Sybil, then reduce the non-Sybil to 5, so now 1 in 5 or 20% chance to be identified by random choice. This might sound silly until you realize that over time people in your mix may be identified and thus the anonymity set reduces over time. The anonymity set size is not irrelevant. Otherwise we could simply mix with one other person every time.

And because the analysis of the adversary might have data such as "I know these 3 outputs are correlated to these 3 inputs". So as overlapping anonymity sets decrease in size, then they can pinpoint identity.

Essentially you are saying that users should send Darksends as much as possible. A script can automate for them.

Potential threat with this (don't know how realistic) is that the more they send deterministically (scripted), then the more incentive to hack them (they are always online) and turn them into a Sybil node. Deterministic is not really same as entropy.

If everyone is doing it, then probably not reasonable to hack everyone. But if only a few are doing it, it might be a low hanging fruit attack vector.

Add: they need to not reuse addresses ever.

Can you explain more? I don't understand.


Depends. Because 50% means that your anonymity set is reduced by 50% on each round as I explained in my other post above.

Example. If you are mixed with 10 others on each round, then only 5 will be anonymous (and one of the five might be you), so that means have 50% + 20% (1 in 5) chance to be non-anonymous. So 70% per round. You will need more rounds or you need larger mix sizes.

Also if it is same 10 you are mixed with every round (or any overlap), then anonymity is reduced. If always same 10 on every round, then you attain no better than 20% non-anonymous no matter how many rounds you use.

Also you have to factor in the non-anonymous rate of Tor and those inputs who didn't use Tor at all are not anonymous. This reduces your anonymity set, even if you use Tor.

And there is another complexity to factor into your calculation. If there is a 58% chance (as you suggested) that each input into each of your mixers can be non-anonymous, then your anonymity set is reduced by 58%.

No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty.

If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%.

Anoncoin employs the i2p which is a low-latency chaum mix net similar to Tor but operates at a lower network stack layer protocol (IP). I don't think it will really resolve the weakness of Tor, because they have same the problem that low-latency mixnets can be analyzed with traffic analysis.  I don't know if i2p is p2p wherein users are the nodes, instead of others providing expensive servers for free. We need something like that, because I don't trust the Tor servers. And we need more hops. Tor is only 3 (or 5 for Tor service).

For transaction mixing, I am trying to see if we can find a way to make CoinJoin work better. The only other thing available is Zerocash or Zerocoin.