Bitcoin Forum
  Show Posts
941  Bitcoin / Development & Technical Discussion / Re: Points where x=y on secp256k1 on: August 05, 2023, 09:20:54 AM
Can anyone explain the following?
These are the values for endomorphism on secp256k1. You can read the original post from Hal Finney deriving these values here: https://bitcointalk.org/index.php?topic=3238.msg45565#msg45565

Lambda is such that Lambda^3 (mod N) = 1.
Beta is such that Beta^3 (mod P) = 1.
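What these two constants do together, as an added example that is not part of the original post or of Hal Finney's thread: multiplying a point (x, y) by Lambda gives (Beta·x, y). The code derives a non-trivial cube root of unity for each modulus and checks that relation; the function names are illustrative, and the curve parameters are the standard secp256k1 ones.

```python
# secp256k1 parameters: field prime P, group order N, generator G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def cube_root_of_unity(m):
    """Return r != 1 with r^3 = 1 (mod m), for a prime m with m = 1 (mod 3)."""
    for g in range(2, 100):
        r = pow(g, (m - 1) // 3, m)
        if r != 1:
            return r
    raise ValueError("no non-trivial cube root found")


def add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        s = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return x3, (s * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def endomorphism_pair():
    """Find (lam, beta) such that lam * (x, y) == (beta * x, y) on the curve."""
    beta = cube_root_of_unity(P)
    lam = cube_root_of_unity(N)
    # Each modulus has two non-trivial cube roots; pick the lam matching beta.
    for candidate in (lam, lam * lam % N):
        if mul(candidate, G) == (beta * G[0] % P, G[1]):
            return candidate, beta
    raise ValueError("no matching pair")


if __name__ == "__main__":
    lam, beta = endomorphism_pair()
    print(hex(lam), hex(beta))
```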
942  Bitcoin / Wallet software / Re: Wasabi wallet data privacy questions on: August 05, 2023, 08:46:44 AM
How's Wasabi wallet connecting with Coinfirm for data analysis
Whatever coins you try to coinjoin, Wasabi pays Coinfirm to spy on those inputs and decide whether or not they are "naughty".

and what's Coinfirm doing with the info after they've decided coinjoin status?
We don't know, and Wasabi won't tell us. I suspect Kruw doesn't know this either - the knowledge is probably limited to the top 2 or 3 devs at Wasabi. But given that all blockchain analysis companies only exist to gather data and then sell and share that data with third parties, I would be very surprised if Coinfirm don't use this data that Wasabi pay them to gather in a variety of other nefarious ways.
943  Bitcoin / Bitcoin Discussion / Re: 51% attack on: August 05, 2023, 08:41:32 AM
Hashpower distribution improved a lot since then, at least officially, it's hard to know for sure whether different pools are actually independent of each other.
Even if more than one major pool was owned by the same entity, it doesn't make a huge amount of difference. Remember of course that each big pool is used by thousands or even tens of thousands of different miners - everything from huge ASIC farms down to individuals running a single ASIC at home. All of these miners are separate entities despite mining under the same umbrella of the pool they use. Should that pool operator decide to turn malicious and attempt to 51% attack the network, then any of these individual mining entities can switch to a new pool in a matter of minutes.
944  Bitcoin / Development & Technical Discussion / Re: Are you running Bitcoin Core through Tor? Should it be a requirement? on: August 05, 2023, 08:37:33 AM
By discovering TOR packets in users' traffic they suspect them in illicit activities and put those users into blacklist for further scrutiny. This is the common practice for almost all governments.

I know one can obfuscate TOR traffic. However, government is no slouch when it comes to discover such traffic.
And if they are doing this for Tor, what makes you think they aren't doing the same thing for VPNs? If you think they can pick up on Tor pluggable transports such as obfs4 and meek, then they can definitely pick up on VPN traffic. It's also far easier for the government to set up a malicious VPN service or to subpoena existing VPN services to hand over data than it is for them to do the same thing to Tor nodes.

If you really wanted, then you can always connect to Tor via your VPN.
945  Other / Beginners & Help / Re: Can we choose our own seed words? on: August 04, 2023, 04:47:15 PM
-snip-
I've spoken before about why committing seed phrases to memory is a terrible idea, so I'll quote myself below:

Each year:

69 million traumatic brain injuries: https://pubmed.ncbi.nlm.nih.gov/29701556/
12 million strokes: https://www.world-stroke.org/assets/downloads/WSO_Global_Stroke_Fact_Sheet.pdf
10 million new diagnoses of dementia: https://www.who.int/news-room/fact-sheets/detail/dementia
5 million new diagnoses of epilepsy: https://www.who.int/news-room/fact-sheets/detail/epilepsy
2.5 million cases of meningitis: https://www.path.org/articles/toward-world-without-meningitis/
2 million new brain tumors: https://academic.oup.com/noa/article/3/1/vdaa178/6043315
1.5 million cases of encephalitis: https://www.sciencedirect.com/science/article/pii/S0163445322002110

That's each year, and that's only major conditions which directly affect the brain. Add in things like cardiac arrest, heart disease, sepsis, shock, diabetes, vascular injury, hemorrhage, poisoning, smoke inhalation, etc., all of which can cause secondary brain injury, and there are literally hundreds of millions of people every single year who suffer some form of insult to their brain which can lead to memory problems.

Do you want to trust all your coins to those odds? I know I don't.

There is a very good reason every good wallet tells you to write down your seed phrase. Relying on your memory is a recipe for disaster.
946  Bitcoin / Wallet software / Re: Wasabi wallet data privacy questions on: August 04, 2023, 06:02:21 AM
-snip-
Wasabi won't automatically send your coins anywhere. If you deposit them to your Wasabi wallet and zkSNACKs decides you are a naughty little kid who is not allowed to coinjoin, then your coins just sit in your Wasabi wallet until you send them somewhere else. They won't automatically be returned to the previous address.

As the receiver user I'd like to know will zkSNACKs or Coinfirm put eyes for following me or connect me to the naughty coins?
He can't answer this because he doesn't know. Nobody except Coinfirm knows what their secret analysis involves or knows just how far backwards or forwards they are keeping track of your coins. Suffice to say, however, it's more than a single transaction, and they will be using all the data they have at their disposal to deanonymize and track your coins. This is what you subject yourself to if you use Wasabi.
947  Other / Beginners & Help / Re: Can we choose our own seed words? on: August 04, 2023, 05:51:52 AM
Also remember that you should also store the list alongside the mnemonic otherwise you won't be able to recover your keys.
This is not necessary with Electrum. You can import a seed phrase created with an unknown word list and it will still be able to both verify the version bits are correct and generate the corresponding wallet. This is because the checksum is not dependent on decoding the final word to its relevant bits as it is with BIP39 (where you do need to know the word list), but because Electrum seed phrases are simply normalized and hashed to obtain the version bits.

For example, here's a seed phrase I just created using the first few lines from the whitepaper as wordlist:
Code:
financial directly but be would benefits sent without of would directly version solution prevent main trusted going required trusted purely spending required electronic main party

But even without telling your copy of Electrum the wordlist I used, you can still import that seed phrase and reach the following address:
Code:
bc1qy6fl5725jum967lca3k8qpu6z9vacx367fypv3
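The word-list-independent check described in this post, as an added example that is not part of the original post and is not Electrum's own code: the seed type is read from the leading hex digits of an HMAC-SHA512 over the normalized phrase, so no word list is needed to validate it. Assumptions: the function names and the 16-word list are made up for the demo, normalization is simplified (Electrum also strips whitespace between CJK characters), and seed generation by random word choice stands in for Electrum's own encoder.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata

# Hex prefixes of HMAC-SHA512(key="Seed version", msg=phrase) used by Electrum.
SEED_PREFIXES = {"01": "standard", "100": "segwit", "101": "2fa", "102": "2fa_segwit"}

# Constructed 16-word list for the demo; any list of distinct words would do.
CUSTOM_WORDS = ["anchor", "bridge", "candle", "desert", "ember", "forest",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "needle", "orchard", "pebble"]


def normalize(phrase):
    """NFKD, lowercase, drop combining accents, collapse whitespace."""
    text = unicodedata.normalize("NFKD", phrase).lower()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.split())


def version_hex(phrase):
    """Hex digest whose leading digits carry the seed version."""
    msg = normalize(phrase).encode("utf8")
    return hmac.new(b"Seed version", msg, hashlib.sha512).hexdigest()


def seed_type(phrase):
    """Return the seed type name, or None if the phrase is not a valid seed."""
    digest = version_hex(phrase)
    for prefix, name in SEED_PREFIXES.items():
        if digest.startswith(prefix):
            return name
    return None


def generate_seed(wordlist, prefix="100", bits=132):
    """Draw random phrases from any word list until the version prefix matches."""
    words = sorted(set(wordlist))
    n_words = math.ceil(bits / math.log2(len(words)))
    while True:
        phrase = " ".join(secrets.choice(words) for _ in range(n_words))
        if version_hex(phrase).startswith(prefix):
            return phrase


if __name__ == "__main__":
    # The phrase quoted in the post above; the check never sees its word list.
    page_phrase = ("financial directly but be would benefits sent without of would "
                   "directly version solution prevent main trusted going required "
                   "trusted purely spending required electronic main party")
    print("phrase from the post:", seed_type(page_phrase))
    demo = generate_seed(CUSTOM_WORDS)
    print(demo, "->", seed_type(demo))
```

With BIP39 the same validation is not possible without the list, because the checksum bits are packed into the index of the final word.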
948  Bitcoin / Development & Technical Discussion / Re: Are you running Bitcoin Core through Tor? Should it be a requirement? on: August 04, 2023, 05:41:03 AM
Would surely also like to see the opinion of @o_e_l_e_o on this subject.
I agree with the opinions above that Core should never require Tor, and it should always be optional. Having said that, it's an option I will always use. I trust my government and my ISP less far than I could throw them. I don't even want them to know I'm interested in bitcoin, let alone own any, let alone run a node. Yes, the IBD takes weeks, but what's the rush?

There is a middle ground where you can sync your node over clearnet, but then use Tor to broadcast transactions. You can also broadcast transactions over Tor using the likes of http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion/tx/push and bypass your node entirely.
949  Bitcoin / Bitcoin Discussion / Re: 51% attack on: August 03, 2023, 07:41:54 PM
Gambling websites also required 3+ confirmations around 2013, but now it's reduced to 1+ confirmations looking at how hard it would be for someone to double-spend their coins on the website (there's still a possibility of performing the 51% attack, but the malicious party will waste their resources looking at the current overall hash rate of bitcoin network)
Gambling websites are fairly unique in the regard that no coins actually need to move until you withdraw your winnings. You can play and win dozens of bitcoin, but the gambling site only needs to honor that when you actually withdraw. And so they can just place a hold on any withdrawals until your deposit has enough confirmations. You can deposit, start playing after 1 confirmation (or even immediately), but then not be allowed to withdraw until after 3 confirmations, or something along those lines. This keeps the risk of any double spends to a minimum.

This is not possible with centralized exchanges, since as soon as you start trading the exchange has to start filling orders. If you double spent, they would be left with a bunch of orders they would still have to honor. And so you have to wait for longer on centralized exchanges.
950  Other / Beginners & Help / Re: Can we choose our own seed words? on: August 03, 2023, 01:14:33 PM
When you will make a new wallet on Electrum you will be asked to add manual words in your seed phrase.
This is not the same.

Electrum will always generate a random seed phrase. You cannot pick your own seed phrase (although with Electrum you can use a different word list, although again, I would not recommend this). What you are describing is picking a passphrase, also known as a seed extension. The combination of your completely random seed phrase and your self picked passphrase will generate a wallet. Although you should strive to use long and random passphrases, using your family members' names here is less critical since you still have the security of your seed phrase to fall back on. So using family members' names for a passphrase is unlikely to lead to your coins being stolen in isolation, but pretty much defeats the point of using a passphrase if you are going to use one which is so weak and easily guessable.
951  Other / Beginners & Help / Re: Can we choose our own seed words? on: August 03, 2023, 12:41:03 PM
Yes, it is possible. No, you shouldn't do it.

Picking your own words from the BIP39 word list is bad enough. It's been endlessly proven that humans are not random and whatever sequence of words you pick will not be random. There is the issue of the checksum in the last word, but that is fairly easily solved simply by calculating the checksum and picking an appropriately matching word.

Picking specific words which have a meaning for you, such as the names of family members, is a monumentally stupid idea. This is really no different to a brainwallet, except instead of using the words or phrase to generate a single address you use them to generate the master private key for an HD wallet. Again, it is easily done, just really dumb. Anyone who knows you likely knows the names of your family members, and anyone who doesn't can probably get that information in <5 minutes from your social media profiles.

How much randomness would it create!
It doesn't matter. Bitcoin private keys provide 128 bits of security, which matches the amount of security provided by a properly generated 12 word seed phrase. It does not matter if you used a seed phrase with 5000 truly random words providing tens of thousands of bits of entropy - your resulting private keys would still have 128 bits of security.

Seed phrases are not meant to be remembered, and so picking something memorable is pointless. Generate a random seed phrase properly and write it down on paper.
952  Other / Meta / Re: Ignore user confirmation before ignoring on: August 03, 2023, 11:52:36 AM
Here's a very quick fix I just tested if you use uBlock Origin (and if you aren't you really should):

Open your uBlock Origin add on and open the dashboard by clicking on the three cogwheel icon.
Click on "My Filters".
Paste the following:

Code:
##a[href^="https://bitcointalk.org/index.php?action=ignore"]

Save your changes, and then refresh bitcointalk. This will hide the Ignore button. This will also work on mobile. It may work with other ad blockers which also implement similar functions to allow you to block specific elements.
953  Bitcoin / Development & Technical Discussion / Re: Proposal to Address Dormant Bitcoin:Recycling Lost Coins into the Mining Process on: August 03, 2023, 11:34:47 AM
I have to disagree, the main marketing point for BTC economy is its capped 21M
Equally important to bitcoin is "be your own bank" and that you have complete sovereignty over your own wealth. This ceases to be the case if a small group of developers decide to start siphoning off some of your coins against your will.

assuming the other other ideas like merged mining don't work, which would be very likely anyway.
Why is that very likely? The majority of blocks which are currently being mined already take part in merged mining via the likes of RSK.

That is not very accurate, your store of value will not be worth "less", you would have "less" of it
The outcome is identical - I can now purchase fewer goods or services with my holdings. It doesn't matter if you take away 1% of my holdings as tax, or you devalue my holdings by 1% by printing more. Either way, the amount of goods and services I can purchase with my holdings has been decreased by 1%. Under both systems, the longer I hold my coins, the poorer I become.
954  Bitcoin / Development & Technical Discussion / Re: Measuring the randomness of a seed phrase on: August 03, 2023, 11:14:58 AM
But the question remains: is 99% randomness significantly better than 90% randomness?
Yes, clearly. If I can predict what you would choose 1% of the time versus I can predict what you would choose 10% of the time, then that's an order of magnitude difference.

We might not be as fast, but our brains are incredible at contemplating and imagining the concept of randomness!
They really aren't. There is no evolutionary advantage to imagining or visualizing completely abstract random numbers. There is, however, a strong evolutionary advantage to noticing patterns, sequences, order, and so on. Our brains are hardwired to be ordered and logical, which is why we are so terrible at picking random numbers and why there are tens of thousands of examples of brainwallets being hacked.
955  Bitcoin / Wallet software / Re: Wasabi wallet data privacy questions on: August 03, 2023, 10:55:43 AM
You don't have to trust any coinjoin coordinator you choose since no information is ever provided to them.
Except you do have to trust zkSNACKs not to censor you after they are done paying blockchain analysis companies to spy on you.

There are other blockchain coinjoin implementations which do not have this weakness. Any sensible person will use one of them instead.

Edit: typo.
956  Bitcoin / Wallet software / Re: WARNING when using mobile device wallets (Android, iOS) on: August 03, 2023, 08:18:47 AM
Minor nitpick but all of them USE the internet none of them REQUIRE it.
Right right. But unless you have rooted your phone (which brings a whole host of other security risks) and can individually block specific permissions or specific apps, is there any way to prevent these keyboard apps from accessing the internet any time you are connected? I suspect not.

Smart phones in general are awful for your privacy and security. Everyone should go in to their phone's permissions at some point and take a look at just how many apps can access your camera, your microphone, your files, your messages, your location, and so on. And for lots of these apps, if you try to disable these unnecessary permissions they will just refuse to work.
957  Bitcoin / Electrum / Re: A Feature in electrum wallet on: August 03, 2023, 08:09:03 AM
If you disable 2FA, you will be able to use your first and second private key to sign transaction. People that choose to disable the 2FA are people that lost their 2FA device due to carelessness, or maybe you do not want to pay the TrustedCoin fee for signing transaction from their server.
This is another reason I avoid using these 2FA wallets. Multi-sig is good not just because it makes your actual electronic wallets more secure, but also because it makes your physical back ups more secure. In a proper 2-of-3 multi-sig, an attacker needs to compromise two separate back ups to be able to access your wallets, which should be exponentially harder for them than accessing a single back up, and hopefully you have an arrangement where if one back up is accessed you will be aware of this and can take steps to move your coins to a new wallet. With Electrum 2FA wallets, this is completely lost, and your back ups are no more secure than that of a regular single sig wallet, since all the necessary keys can be derived from a single seed phrase.
958  Bitcoin / Bitcoin Discussion / Re: 51% attack on: August 03, 2023, 07:57:57 AM
Thanks again for clarifying. Technical aspects of the network have never been my strong suit. Just another daft question: If nodes do not police the chain, then why is it advised for nodes to have a full copy of the blockchain? I always imagined it was for situations like the one discussed, to prevent malicious miners from propagating invalid chains.
Not daft at all - a good question.

As ranochigo explains, nodes are important to verify and validate all the transactions and blocks which make up the blockchain, but they do not judge where these transactions and blocks came from.

For example, if I submitted a transaction which sent all of Satoshi's coins to an address I control, then obviously that transaction would have an invalid signature. Nodes would therefore reject that transaction and not propagate it through the network.
If a 51% attacker submitted a block which contained such a transaction with an invalid signature, then again, nodes would reject that entire block and not propagate it through the network.
However, a 51% attacker is able to submit valid blocks which contain valid transactions, which nodes will accept. They can also submit a whole chain of blocks which is longer than the current main chain, and nodes will automatically swap to this new longer chain if it is all valid. So as I explained above, if there is already a confirmed transaction sending their coins to someone else, they can replace that by releasing a longer chain which includes a transaction sending those same coins back to themselves. This double spend is still entirely valid as far as nodes are concerned - it spends a valid UTXO with a valid signature - so nodes will validate it and accept it.

This is the crux of a 51% attack. It allows the attacker to freely double spend their own coins. But nodes checking the validity of all transactions are what prevents the 51% attacker from accessing anyone else's coins.
959  Bitcoin / Development & Technical Discussion / Re: Proposal to Address Dormant Bitcoin:Recycling Lost Coins into the Mining Process on: August 02, 2023, 10:11:53 AM
Bitcoin will have endless emission regardless, we do not know what the value of transaction fees is going to be, it could be greater than the current block rewards and thus more hashrate could be running at a profit then.
Paying transactions fees is vastly different to an endless emission.

If the rewards from fees are not large enough to keep enough hashrate securing the network, then everyone who owns only Bitcoin will get 100% poorer.
I don't disagree, but that doesn't change any of the points I made above.

The outcome is far from being the same, one main point of strength of Bitcoin is its finite supply, raising the supply past 21M even if it was 1 coin a year will make the supply infinite just like all the fiat currencies, the economical difference between that and circulating a tiny portion of BTC from hodlers to miners is entirely different.
It is no different for the users. The whole point of a fixed supply is to stop your holdings being diluted by inflation and losing value. If you start taking x% from everyone, the same thing happens.

If I have $100 and you take 1% of it, my money is now only worth 99% of what it was worth.
If I have $100 and you inflate the supply by 1%, my money is now only worth 99% of what it was worth.

There are other options beyond taxing everyone one way or another, though, such as sufficient on chain fees or merged mining.
960  Bitcoin / Development & Technical Discussion / Re: Proposal to Address Dormant Bitcoin:Recycling Lost Coins into the Mining Process on: August 02, 2023, 06:01:10 AM
Notice the above proposal does not increase the supply of BTC, it treats all BTC the same regardless of its history/owners, and it does maintain a very good incentive to mining.
Economically speaking, your proposal is really no different to raising the supply and having an endless emission of bitcoin.

In your proposal you take a fee of (for example) 0.5% from every coin every year. Each year, everyone loses 0.5% of their coins and gets 0.5% poorer.

Alternatively, by raising the supply and minting an additional 0.5% of the cap each year, then everyone owns the same amount of coins, but a smaller proportion of the overall supply. And so each year everyone gets 0.5% poorer.

The end outcome is the same regardless of which method you choose.