And here is our friendly Bitcoin csore developer...

...

I see those (other than gmaxwell who is not very ad hominem in his response, other than the slight "over and over" which is irrelevant to the technical response) who posted while I was sleeping have relished in their boastful snobbery.

Now let's deal with the humbling facts.


And precisely how do you identify which input is the adversary when the correlation of the inputs and the outputs is necessarily cryptographically blinded?

As far as I can see, you can't.

I am confident that now you see the functionally w.r.t. to anti-DOS of what I described and what you described are equivalent, i.e. any one who is the least bit mathematical can see that the salient mathematical foundation of CoinJoin is that the correlation between the inputs and outputs must be cryptographically blinded, thus it makes no difference mathematically for anti-DOS whether the inputs or outputs are specified in the first round of the protocol.

As for whether my proposed protocol of putting the outputs in the first round is implementable on the Bitcoin blockchain, it is irrelevant since we are talking about a general protocol here and an altcoin could be designed to allow a transaction where outputs and inputs can be signed to point to the transaction nonce (a hash of any number) plus the addresses of the inputs OR outputs. I didn't bother to check how Bitcoin signs the transactions, because it is conceptually irrelevant to our discussion. Perhaps in Bitcoin the signature of the transaction must include all the inputs AND outputs. The reason I presented my formulation (in fact I mentioned the ring signatures idea from Adam Back in the Zerocoin thread months ago in this thread) is because it is more powerful conceptually than one gmaxell described. I thought gmaxell would appreciate that since I think he is a math guy.


I will quote from your more detailed description upthread.


Zerocoin (ZC) requires a trusted party to generate the parameters, thus it is the antithesis of decentralized, so you have a logical error above.

https://github.com/Zerocoin/libzerocoin/wiki/Generating-Zerocoin-parameters


And so how can you correlate which input is the one who didn't blind sign all?

As far as I can see, you can't.

I've dug very deep (into cryptography research papers) lately into trying to find a way to delink inputs from outputs without a trusted party, and I have realized that mathematically it can't be done. It is a fundamental conceptualization.

The only way to delink without anti-DOS is to use an accumulator commitment scheme with common NP-hard parameters that can be presented in an NIZKP (non-interactive zero knowledge proof) which will always require a trusted party to generate the common parameters for the trapdoor math.


That isn't anti-DOS.

Each spender commits a hash of his intended output. Then everyone does the blinded protocol. If the blinded protocol fails, everyone including the adversary reveals the link between inputs and outputs, because by definition the output key must be an abundant resource so that it is not costly to reveal it and generate a new one to try again.


A ZKP + accumulator isn't decentralized as I explained above.

Tada!  

Eat humble pie. See my reply in the CoinJoin thread.

You are an ego maniac.

You are asserting it, (over and over again) but it doesn't make it true. It was explained in adequate detail previously enough for other people to understand it and implement tools that address it.

It's actually not, since it's not actually possible in the Bitcoin protocol to do what (it sounds like) you're describing, but more importantly performing the operation in that order defeats the anti-dos. If you lead with the inputs they provide a trivial anti-dos mechanism.

Because they fail to sign. There is no need to identify them beyond identifying their input coins to achieve rate limiting, and no need to identify the input/output correspondence.

I'll repeat it, since maybe other people are having problems following the link:

For non-decenteralized coincoin, you simply pass around a transaction and sign it. It's a single sequence and an atomic transaction, you'd make two loops through the users, one to discover the inputs and outputs, and another to sign them. There really aren't stages to it.

Making a decenteralized CoinJoin secure, private, and resistant to DOS attack (people refusing to sign in order to make it fail) is trickier... for the privacy and dos attack resistance you can use ZC:

Presume the participants for a transaction are sharing some multicast medium and can all communicate.  They need to accomplish the task of offering up inputs (txid:vout) for inclusion in the transaction and then, in an unlinkable way, providing outputs to receive their coins.

Each participant connects and names bitcoin input(s), an address for change (if needed), and the result of performing a ZC mint transaction to add to the ZC accumulator. They sign all this with the keys for the corresponding inputs proving its theirs to spend.

Then all the parties connect again anonymously and provide ZC redeem transactions which specify where the resulting bitcoins should go.

This isn't the only way to do this in a decentralized manner, the way to do it with blind signatures is fairly similar:

Each participant connects, names Bitcoin input(s), an address for change (if needed), a key for blind signing, and a blinded hash of the address they want paid. They sign all this with the keys for the corresponding inputs proving its theirs to spend.

Each participant then blind signs the blinded hashes of all participants (including themselves).

This is just one example of a way to address this. There are several other ones possible— and discussed early on in this thread.  Other ones include publishing commitments and then if the process fails having everyone reveal their intended outputs (which they then discard and never use) in order to avoid being banned, or using an anonymous accumulator instead of blind signing to control access.

, or using an anonymous accumulator instead of blind signing to control access.

...
Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.
...

LOL, yeah but, didn't those same users just lose their ass and are now broke?

Keep your ad hominem attacks out of it please. I asked kindly for technical comments.


And my post to which you are replying is in fact explaining the DOS (denial-of-service) is insoluble if you can't identify the participants in order to rate-limit them.


And again in that post you admit there is a DOS problem. You didn't solve it. And you can't solve it in a decentralized setting unless you have non-ephemeral identification of the participants. Which is precisely the point of my prior post to which you are replying


Incorrect. What I wrote is functionally equivalent to what you described. The point is the transaction can be jammed in the final round.

Since you didn't see the equivalence let me explain it. I thought you were smart enough to deduce such things. I chose to let the signatures of inputs go in the second and final round and point to a transaction because I envisioned using ring signatures. And the transaction won't be valid (blockchain will reject it) if the inputs are less than the outputs, so my version is just as safe as yours. And the DOS problem is equivalent. Come on you are a math guy, you can surely see that without me needing to explain it you.

And if you think about it a while you will realize, by inverting the operations and using a ring signature, mine has advantages suchas that not all have to sign in the first round before proceeding to the second round (they get excluded from second round too). Yet the DOS issue remains in the final.


Well now you see your error. You can reread my post again, and admit I was correct.

From your upthread post:


And exactly how do you propose to identify that adversary in a decentralized setting?  My point is you can't, at least not without breaking anonymity, and anonymity was the entire point of mixing.

AnonMint, Every post you've made here has been error and confusion.

The very first post in the thread points out that decentralized versions take more work because of the anti-DOS proofing.

[A couple posts down](https://bitcointalk.org/index.php?topic=279249.msg2984051#msg2984051) I give some examples of how it can be done.

You're presuming a broken model that I don't believe anyone here has ever suggested.

You'd always being the protocol by specifying the inputs in which you intend to sign. Signature authority over inputs is the principle scarcity that allows you to may the system dos-attack resistant. After the inputs are signed, outputs can be specified in a cheat proof way, and then the only avenue for disruption is refusing to sign which can be addressed by blacklisting your inputs (and other rate limiting tokens) and restarting.

If a party fails to sign, everyone else is convinced that its because they are jamming the process (intentionally or maliciously) and then can all ban (ignore in the future) whatever costly identity they used to enter the mix, or — if there is no other mechanism— that particular txin which they used.

Incorrect. Total debt is $157 trillion in developed countries plus $66 trillion in emerging markets, because is 313% of GDP and the GDP is $72 trillion:

http://www.gfmag.com/tools/global-database/economic-data/11855-total-debt-to-gdp.html#axzz2iu5C4Y4Z

http://blogs.wsj.com/economics/2013/05/11/number-of-the-week-total-world-debt-load-at-313-of-gdp/

Chinese corporate debt is the highest in the world as a percentage of GDP:

https://bitcointalk.org/index.php?topic=365141.msg4337574#msg4337574

Don't forget to add on $1000 trillion of sovereign bond derivatives, and $1000 trillion of unfunded social liabilities.

http://www.indexq.org/economy/gdp.php

Soooooooooo, I read today that the world's debt amount to $100 trillion.
Wikipedia says that in 2012, the GDP was ~72 trillion. Let's suppose that it's $80 trillion now.

Debt to GDP = 125%

Listen up please to learn some new technical information...


Problem is there is no way to know if a centralized service (VPN, exchange, mixer, tumbler, laundry) is hacked, under NSA gag order, dishonest, buggy, etc..

Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.

A decentralized solution is always best, as it should look like regular transactions.


A decentralized CoinJoin will have difficulty forming transactions (including unequal or equal transaction amounts) that look like this if anyone can join:

https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b?show_adv=true


Because the way it must work is the users sign the transaction first with their requested outputs, then in the second round they sign their payments as inputs to the transaction. If the payment inputs are less than the total, then the transaction is invalid. There is no way to determine who cheated and rate limit them. Thus the saboteur can stomp on every attempt to create a CoinJoin transaction and destroy the decentralized system.

DarkCoin says they can solve this by charging a fee, but you will see I originally proposed that idea in the CoinJoin thread and the requirement is all the participants must be permanently identified and then must use divide-and-conquer to whittle down to who was the saboteur. But identification defeats the mixing!

Thus I have not yet seen a workable decentralized CoinJoin that can scale. And I don't expect one.

I posted this to the CoinJoin thread to get their technical peer-review of my statement.


Just forget zerocoin even in an altcoin it won't work. Because it requires a trusted person to hold the private key that can unlock everything including taking all the zerocoins. This can't be fixed (contrary to ruminations otherwise), it is a fundamental mathematical property of the way zero knowledge proofs work when combined with an accumulator.

Also zerocoin has to be dedicated to preset transactions amounts (e.g. 1 BTC) else the anonymity set can be trivially collapsed by comparing input and output transaction amounts.


Not true. Tor is always subject to timing analysis by an entity such as the NSA (which is recording ans storing nearly all global encrypted traffic in Utah) which can see the encrypted packets running between Tor nodes.

Popular VPNs are also very likely all honeypots and unpopular ones give only a small anonymity set.

Currently the only known way to be reliably anonymous is use a connection to the internet that can't be traced to you, e.g. netcafe without cameras any where and don't drive your car as that has secret tracking built-in according to CEO of Ford, a throw-away mobile device and simm that doesn't have your id registered and used for no other activity, etc.

The government and the criminals are sometimes one in the same.

But (uninformed) trust is all that is holding up the $150 trillion in fractional reserves, so you won't find too many people that subscribe to my view (yet). They will learn by 2020.

And you did not address my technical point about CoinJoin, which has nothing to do with the NSA.

In short, we are pretty well f8cked approaching the 2016ish global conflagrapocalpyse.


Adam Back (the creator of Hashcash which Bitcoin is based on) explains the anonymity problem (jump to 24:25 mins into the video).

Anonymint: we are not discussing being safe against a global adversary such as the NSA, we all know that mixers + Tor is probably not enough to defeat them because of honeypots, timing attacks, deep packet inspection, etc...

We are discussing using basic security procedures in order not to be "the low hanging fruit" and thus being reasonably safe against the casual hacker/criminal doing trivial blockchain and network analysis to easily link identities to BTC balances. For that purpose running your wallet through Tor and using a decentralized and trustless mixer such as coinjoin should be enough.

Incorrect. Total debt is $157 trillion in developed countries plus $66 trillion in emerging markets, because is 313% of GDP and the GDP is $72 trillion:

http://www.gfmag.com/tools/global-database/economic-data/11855-total-debt-to-gdp.html#axzz2iu5C4Y4Z

http://blogs.wsj.com/economics/2013/05/11/number-of-the-week-total-world-debt-load-at-313-of-gdp/

Chinese corporate debt is the highest in the world as a percentage of GDP:

https://bitcointalk.org/index.php?topic=365141.msg4337574#msg4337574

Don't forget to add on $1000 trillion of sovereign bond derivatives, and $1000 trillion of unfunded social liabilities.

http://www.indexq.org/economy/gdp.php

About the imminent conflagrapocalpyse...


As I explained in an upthread post (which I am too rushed to go find the link to at the moment), the ledger of who owes whom is less important consideration than the fact that it represents $150 trillion of human capital that was misdirected in its activities since mid-1980s and especially since 1994 or so when the debt-based economy accelerated (1994 is when Clinton had the equations for official statistics changed so they can unleash the surge).



(note we have inflation of fractional reserve digits which is why official stats lie about inflation to hide its relevance, but simultaneously we have a deflation of M0 which official stats also lie about by including bank deposits held Federal Reserve (which should be monetary base MB not M0), thus MB is hockey stick but the Fed doesn't show us the true M0. The Fed is trying to hide from us the deflation that is really there. We can get a proxy for what is happening with M0 by looking velocity of MB which falling like rock! Go to this link then change the "a/b" to "b/a", click the "Redraw Graph" button, so that you get GDP / MB, then you will see velocity is falling off a cliff since 2008.)

So this is why technological employment is going to be so severe and massive overcapacity in manufacturing, fixed capital infrastructure, and conspicuous consumption, because all during the 1970s, 80s, 90s, and 2000s, while a few of us hackers were becoming 100000X more productive with our new found toy (the personal computer), the bulk of the population was able to stay in the old industrial economy thanks to increasing debt.

So what you are going to see when the $150 trillion debt bomb explodes 2016ish is that anyone who is not very technically relevant in the new Knowledge Economy will find themselves unemployable. The governments will try to appease this majority by taxation and confiscating everything, because they fundamentally don't understand the cause of the problem.


Those ledger IOUs are worthless to both lender and borrower. The capital now is all in the brains of hackers such as myself. We take over now. Checkmate. While we were busy sleeping under our desks for the past 3 decades, the rest of you were out enjoying yourself. Now the payback comes. Oxford U. admits 47% of the existing jobs will be replaced with robots over next 19 years (was 20 last year when study was published).


The government isn't run rationally. The vested interests want to suck as much blood out of a turnip as they can. They have no foresight on outcomes, especially they don't even understand.

However, I am one of those who do believe the Bilderbergs understand they must first collapse the economy in order to create the chaos from which they can get their one world government. They want to weaken local and national structures so they can get the economy-of-scale of control to compete with the technology which is rewarding bottom-up hackers.

It is really a defensive move for them and they while getting their world outcome are actually in retreat and losing the way ultimately.


The nation-state is being destroyed by this. The national institutions will be completely discredited and untrusted within a decade.

Out of the ashes the Phoenix will rise. The world will see massive new productivity once the youth take political control away from the boomers and we move to a high tech Knowledge Age where there are no more severe national barriers. You will be able to freely travel and invest in all countries, we will be headed towards a Jetsons level of lifestyle...


The constitutions aren't followed any more any way.

Government is reactionary. The owners of the government (the vested interests) only do what they need to maintain their position of privilege. They are preparing (e.g. the 2714 tank-like vehicles and 10 billion rounds of hollow point bullets for the Homelove Security dept in the USA, the 9/11 pretext to track everything we do, etc..) but just like in Ukraine and other places where there have been unrest, they will only act as necessary.

The peripheral economies blow up first. We see already Ukraine, Greece, Spain, Thailand, India, Indonesia, Egypt, even China has -18% drop in exports just this month over last year.

Then core of Europe 2015ish or so.

Then the USA will be last to fall 2016ish.

We are getting very close now. We might see a dead-cat bounce in 2017, and the severe SHTF hard down phase maybe 2018.


Well yeah that is why I've been screaming this in the Mad Max thread in the Politics forum. Check it out for more details. See also the Economic Devastation thread in the Economics forum.

There is no chance I am wrong. Zero. The only variability is in the timing. By 2020, I assure you we are in a shithole outcome.

Incorrect. Total debt is $157 trillion in developed countries plus $66 trillion in emerging markets, because is 313% of GDP and the GDP is $72 trillion:

http://www.gfmag.com/tools/global-database/economic-data/11855-total-debt-to-gdp.html#axzz2iu5C4Y4Z

http://blogs.wsj.com/economics/2013/05/11/number-of-the-week-total-world-debt-load-at-313-of-gdp/

Chinese corporate debt is the highest in the world as a percentage of GDP:

https://bitcointalk.org/index.php?topic=365141.msg4337574#msg4337574

Don't forget to add on $1000 trillion of sovereign bond derivatives, and $1000 trillion of unfunded social liabilities.

http://www.indexq.org/economy/gdp.php

About the imminent conflagrapocalpyse...


As I explained in an upthread post (which I am too rushed to go find the link to at the moment), the ledger of who owes whom is less important consideration than the fact that it represents $150 trillion of human capital that was misdirected in its activities since mid-1980s and especially since 1994 or so when the debt-based economy accelerated (1994 is when Clinton had the equations for official statistics changed so they can unleash the surge).



(note we have inflation of fractional reserve digits which is why official stats lie about inflation to hide its relevance, but simultaneously we have a deflation of M0 which official stats also lie about by including bank deposits held Federal Reserve (which should be monetary base MB not M0), thus MB is hockey stick but the Fed doesn't show us the true M0. The Fed is trying to hide from us the deflation that is really there. We can get a proxy for what is happening with M0 by looking velocity of MB which falling like rock! Go to this link then change the "a/b" to "b/a", click the "Redraw Graph" button, so that you get GDP / MB, then you will see velocity is falling off a cliff since 2008.)

So this is why technological employment is going to be so severe and massive overcapacity in manufacturing, fixed capital infrastructure, and conspicuous consumption, because all during the 1970s, 80s, 90s, and 2000s, while a few of us hackers were becoming 100000X more productive with our new found toy (the personal computer), the bulk of the population was able to stay in the old industrial economy thanks to increasing debt.

So what you are going to see when the $150 trillion debt bomb explodes 2016ish is that anyone who is not very technically relevant in the new Knowledge Economy will find themselves unemployable. The governments will try to appease this majority by taxation and confiscating everything, because they fundamentally don't understand the cause of the problem.


Those ledger IOUs are worthless to both lender and borrower. The capital now is all in the brains of hackers such as myself. We take over now. Checkmate. While we were busy sleeping under our desks for the past 3 decades, the rest of you were out enjoying yourself. Now the payback comes. Oxford U. admits 47% of the existing jobs will be replaced with robots over next 19 years (was 20 last year when study was published).


The government isn't run rationally. The vested interests want to suck as much blood out of a turnip as they can. They have no foresight on outcomes, especially they don't even understand.

However, I am one of those who do believe the Bilderbergs understand they must first collapse the economy in order to create the chaos from which they can get their one world government. They want to weaken local and national structures so they can get the economy-of-scale of control to compete with the technology which is rewarding bottom-up hackers.

It is really a defensive move for them and they while getting their world outcome are actually in retreat and losing the way ultimately.


The nation-state is being destroyed by this. The national institutions will be completely discredited and untrusted within a decade.

Out of the ashes the Phoenix will rise. The world will see massive new productivity once the youth take political control away from the boomers and we move to a high tech Knowledge Age where there are no more severe national barriers. You will be able to freely travel and invest in all countries, we will be headed towards a Jetsons level of lifestyle...


The constitutions aren't followed any more any way.

Government is reactionary. The owners of the government (the vested interests) only do what they need to maintain their position of privilege. They are preparing (e.g. the 2714 tank-like vehicles and 10 billion rounds of hollow point bullets for the Homelove Security dept in the USA, the 9/11 pretext to track everything we do, etc..) but just like in Ukraine and other places where there have been unrest, they will only act as necessary.

The peripheral economies blow up first. We see already Ukraine, Greece, Spain, Thailand, India, Indonesia, Egypt, even China has -18% drop in exports just this month over last year.

Then core of Europe 2015ish or so.

Then the USA will be last to fall 2016ish.

We are getting very close now. We might see a dead-cat bounce in 2017, and the severe SHTF hard down phase maybe 2018.


Well yeah that is why I've been screaming this in the Mad Max thread in the Politics forum. Check it out for more details. See also the Economic Devastation thread in the Economics forum.

There is no chance I am wrong. Zero. The only variability is in the timing. By 2020, I assure you we are in a shithole outcome.

AnonyMint, I realize you are a very intelligent man and I enjoy reading your posts because they address many glaring problems others might realize but either subconciously or deliberately ignore to protect their investments or agendas.
My question to you though is because I have read your prediction about the burst of a $ 150 trillion debt bubble multiple times in your posts how you think such an event will unfold.

To whom is the world in debt exactly and how does this creditor force the government(s) to act as his debt collector(s)? From my understanding of your scenario it will lead to a widespread pauperization of the world respectively the majority of the people. Do you predict a simultaneous increase in the creditor's wealth or is this a scenario where basically everybody gets poorer?

With both scenarios (further concentration of wealth/obliteration of wealth) I see several problems that make this scenario seem unlikely.

1) The widespread confiscation of wealth would inevitably weaken or even nearly eradicate consumerism which is one of the strongest motors to our society and one of the most effective measures for the elite to concentrate wealth at the same time by concentrating the production to satisfy consumerism.  What would the elite gain by basically wiping out most people's spending capacity?

This would in either case harm the creditor by either obliterating his own wealth or at least a lot of possibilities to spend his own wealth.
2) Do all relevant governments work on this collectively? From my current observations of international politics it seems as this is not the case most of the time. Why would it be the case in this event and wouldn't it create opportunities for backstabbing and breaking of the agreement to confiscate all wealth?

3) What boundaries are set for the governments in this scenario? Are concepts like democratic elections or consistency with the constitution still applicable in this case? If not what changes and what keeps governments from doing now what you predict for 2016?

I hope you can answer some of these potential problems/questions as the theory seems pretty far-fetched in my opinion. I would rather fear a global nuclear war at the moment.

Looking forward to hearing from you.    

A decentralized CoinJoin will have difficulty forming transactions (including unequal or equal transaction amounts) that look like this if anyone can join:

https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b?show_adv=true


Because the way it must work is the users sign the transaction first with their requested outputs, then in the second round they sign their payments as inputs to the transaction. If the payment inputs are less than the total, then the transaction is invalid. There is no way to determine who cheated and rate limit them. Thus the saboteur can stomp on every attempt to create a CoinJoin transaction and destroy the decentralized system.

DarkCoin says they can solve this by charging a fee, but you will see I originally proposed that idea in the CoinJoin thread and the requirement is all the participants must be permanently identified and then must use divide-and-conquer to whittle down to who was the saboteur. But identification defeats the mixing!

Thus I have not yet seen a workable decentralized CoinJoin that can scale. And I don't expect one.

...

Tumblers like bitcoinfog provide better obfuscation, but the (huge) trade-off is that you should trust an unknown third party. I'd never risk more than 1% of my holdings to such services, but I think the service they provide is necessary and should be used, albeit with care and with just a very minor portion of ones funds at a time.

I'm not aware of any either but don't let that deter you from using one of the already existing solutions even if they aren't perfect.

A sharedcoin transaction will look something like this: https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b (picked at random). As you can see multiple inputs and outputs make the determining the actual sender and receiver more difficult.

The server does not need to keep any logs and transactions are only kept in memory for a short time. However If the server was compromised or under subpoena it could be force...

Now, if the zerocoin concept would be implemented in bitcoin, it would be cool.

Not if you stay in-network. Unfortunately, my services (bitcoin node) are not tor-enabled yet. Namecoin has the potential to facilitate this with human-readable addresses as well.

I'm sure I don't know what you mean, but I'll have a stab at interpreting your riddle.

Materialist TOEs (theories of everything) cannot account for -- among other things -- a "first cause". If a person writes a new OOP language using another OOP language, where does "object" come from?