You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.
That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes. We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this. No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty. If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%. I address this in the whitepaper, I propose some users run a script to add entropy to the pools and push transactions though: Improved Pool Anonymity
Users who want to increase the anonymity of the pools can run scripts to “push” DarkSend
transactions through the pool by sending money to themselves with DarkSend. This will allow
them to take up a space in the pool to ensure the anonymity of other users. If enough users run
scripts like this one, the speed of transactions and the anonymity of the network will be
increased. |
|
|
|
But aren't you also in your current design trusting the master node not to steal the collateral inputs?
The whitepaper has my proposed solution to that in the "Defending Against Attack" section: http://www.darkcoin.io/downloads/DarkcoinWhitepaper.pdfThings have changed since then, so we'll have to come up with something else. |
|
|
|
An example of 1. could be, "To mount an attack that would break the anonymity of 20% of DS transactions, assuming that there currently exist 1000 uncompromised full nodes capable of being elected a master node, and assuming 3 levels of pooling, we would require approx 58.5% of the network (i.e. cube root of 20%), i.e. 1410 Sybil nodes, each requiring at least 1000 DRK, to a total of 1.41M DRK."
Would you accept that 20% of your coins are not anonymous? If you are trying to hide from an oppressive totalitarian regime where death or jail time waits you if you are discovered, then you want something 1 in million, not 20%. 20% is analogous to pulling the trigger on a 5 round revolver with one bullet pointed at your head, i.e. Russian Roulette. Try redoing your calculation with 1%, 0.1%, 0.01%, etc. 1 in a million can be achieved with a solution like this: User 1 -> Change Address 1 (master node 1, tor ip 1) Request new tor IP (which Darkcoin could do automatically) Change Address 1 -> Change Address 2 (master node 2, tor ip 2) Request new tor IP Change Address 2 -> Change Address 3 (master node 3, tor ip 3) Change Address 3 -> Change Address 4 (master node 4, tor ip 4) Change Address 4 -> Change Address 5 (master node 5, tor ip 5) Change Address 5 -> Destination (master node 6, tor ip 6) |
|
|
|
I don't know if Darkcoin is designed to allow you to send over Tor.
Even if it is, Tor will not hide your IP reliably from snooping agencies. Tor is better than nothing, but there are designs which can hide your IP absolutely and reliably. I don't think anyone has implemented such a design yet for the way we need to use it.
There is a Sr. Member who posted couple of functional DRK Tor nodes a few pages back. Any coin using the bitcoin source can Tor needs to use it. So it needs to be turned on by default. Because as the participants in your Darksend mix lose anonymity, then you lose anonymity too even if you used Tor. The only feature of Darkcoin is claimed anonymity now correct? The cpu-only aspect is crossed out on the web page. Thus shouldn't your anonymity be actually stronger otherwise an altcoin is simply going to do it better than Darksend. Don't worry about Zerocash, it takes 9ms verification per transaction (Zerocoin is 500msec). That won't scale. Your competition won't come from Zerocash. It will come from another altcoin. Higher end CPUs still mine nearly as well as the GPUs do. I don't think anything says "CPU only" anymore. Would you feel Darkcoin is threatened if another altcoin has true cpu-only and very strong anonymity? Any way I am happy to read below you are thinking about how to improve the anonymity. Your prior reply had me worried that you actually wanted to make it weaker on purpose. Now I see you are open to improving it. That is 2012 document. Many think NSA has control over most or many of the nodes on Tor. Remember these servers cost a lot of money and who is providing that for free and getting nothing in return? Warning FAQ: Tor doesn't protect you from a global adversary: https://tails.boum.org/doc/about/warning/index.en.html#index7h1http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Exit_node_eavesdropping"If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they're using lots of bandwidth, they're heavy-duty servers and so on. Who would pay for this and be anonymous?" https://www.schneier.com/blog/archives/2013/03/our_internet_su.html#c1238550Attacking Tor: How the NSA Targets Users' Online Anonymity: https://www.schneier.com/essay-455.htmlI was thinking more about Divide and Conquer, I believe it's vulnerable to Sybil attacks. I don't think you can do decentralized DarkSend without collateral, otherwise what would stop 100 nodes from taking up 80% of the spots per DarkSend session and forcing the divide and conquer algorithm to go 20 or 30 levels before filtering them out (EVERY SESSION)?
Agreed it is. I think I had figured that out before when I mentioned it in the CoinJoin thread and dismissed it. I apparently forgot that since. I have a new idea for you. You could force each input to be accompanied by an anonymous proof-of-work that costs considerable computing time. Then move the collateral payment to accompany outputs stage. I think most users wouldn't mind expending 5 minutes computing time before they send a mix transaction. I have another idea as well. On failure only, every input into the mix could reveal which collateral payment they sent in the output stage, so you can isolate the input that was the adversary. Then you blacklist that input. The inputs anonymity is destroyed because no mix transaction was completed. But how can you blacklist system wide? How can you trust that node didn't lie just so it could blacklist someone's coins? Of course I want something that is as secure as possible. But there are lots of trade offs that need to be made to ensure that most users needs are covered while keeping usability at it's maximum. Using a PoW like that was one of my first ideas to protecting against a Sybil attack So what is the cost?
There must be a cost to using this anonymous network, otherwise like you say there will be issues with millions of accounts popping up. I’m not dead set on which solution(s) to implement, but here’s a couple ideas:
Burnt Identities
Higher difficulty shares to the current block would be mined and then stored in the blockchain permanently. Multiple of these would be used for each transaction and would be “burnt” when misused, causing the attacker to have to mine them again. The problem with PoW type solutions is the NSA and other powerful entities would have cheap access to large amounts of processing power. Plus, making a user do that hinders the usability of the product. I like collateral transactions because it accomplishes the same thing and they can be increases to a point where attacking the network becomes way too expensive to do efficiently. Plus, if someone was attacking the network we could ban their collateral inputs by tracing the payments back to the source and isolating them individually. |
|
|
|
My client is not connecting to any nodes, anyone got a conf file example I could copy?
Had the same problem, it took like an hour + to connect to a node but it's all good now. I just left it alone. Both seed nodes were down, I forget to check them. Anyone else want to host a seed node? - It needs to be configured to 200 connections max - Must have 9999 open from the outside - Must be a static IP - Must be permanently available PM me and I'll add them to the source |
|
|
|
I don't know if Darkcoin is designed to allow you to send over Tor.
Even if it is, Tor will not hide your IP reliably from snooping agencies. Tor is better than nothing, but there are designs which can hide your IP absolutely and reliably. I don't think anyone has implemented such a design yet for the way we need to use it.
There is a Sr. Member who posted couple of functional DRK Tor nodes a few pages back. Any coin using the bitcoin source can Tor needs to use it. So it needs to be turned on by default. Because as the participants in your Darksend mix lose anonymity, then you lose anonymity too even if you used Tor. The only feature of Darkcoin is claimed anonymity now correct? The cpu-only aspect is crossed out on the web page. Thus shouldn't your anonymity be actually stronger otherwise an altcoin is simply going to do it better than Darksend. Don't worry about Zerocash, it takes 9ms verification per transaction (Zerocoin is 500msec). That won't scale. Your competition won't come from Zerocash. It will come from another altcoin. Higher end CPUs still mine nearly as well as the GPUs do. I don't think anything says "CPU only" anymore. Tor + Multiple rounds of DarkSend should be nearly perfect anonymity. Even the NSA says they have problems breaking through Tor. ( http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document) I was thinking more about Divide and Conquer, I believe it's vulnerable to Sybil attacks. I don't think you can do decentralized DarkSend without collateral, otherwise what would stop 100 nodes from taking up 80% of the spots per DarkSend session and forcing the divide and conquer algorithm to go 20 or 30 levels before filtering them out (EVERY SESSION)? |
|
|
|
Darkcoin is meant to fix problems with Bitcoin, not to be CriminalCoin. I'm afraid that if you're trying to hide something from the NSA, we don't want to be involved with that.
Privacy is a human right and it's about time that a coin implemented it. However, if the NSA wants to find out what you're doing, they will. No matter how much you protect it, if someone wants your information bad enough they'll get it.
It's Especially true with Zerocash/Zerocoin and their use of exotic mathematics. I've read through it and it's insanely complicated, I wouldn't be surprised if there's a room full of cryptographers in the NSA ripping it apart already.
I do believe NSA-proofing is a virtually impossible task, since they have control on factors beyond our own code (hardware, networks) but the issue here is this: DarkSend is launched, everything rolls, it's open sourced etc etc. Then another one comes along, takes Dark Send code, implements divide & conquer and then boooom. He claims they have the superior anonymous coin. It's a market weakness for DRK placement right there if it lags behind. Now, the situation is obviously difficult having to choose one or the other, so I propose this: What if DarkSend had 2 checkboxes, one that is simple "Enable DarkSend" and a further one which activates "Divide and Conquer" for "extra anonymity". I've been thinking about a slide bar actually that enhances the degree of anonymity, with something like 1 to 10 - and increasing parameters like time delay for transaction or laundry depth (multiple laundering) to make it more obfuscated, but maybe it could simply go the Div/Conq way at max setting for the more paranoid about their secrecy. Why not just offer "rounds" of DarkSend through separate master nodes, i.e: User 1 -> Change Address 1 (master node 1) Change Address 1 -> Change Address 2 (master node 2) Change Address 2 -> Change Address 3 (master node 3) Change Address 3 -> Change Address 4 (master node 4) Change Address 4 -> Change Address 5 (master node 5) Change Address 5 -> Destination (master node 6) I suppose my issue with Divide and Conquer is that it involves implementing blind signing, which could be done later but is not simple. So I doubt there will be versions of that popping up in other coins. |
|
|
|
Design B: Users provide inputs, outputs and collateral at once. In this case the master node knows who is sending money to who, but later it can tell who didn’t sign.
I’ve chosen to use design B (users will add inputs and outputs at the same time) because it’s the only design that can’t be attacked in the way you’re saying.
Okay he has confirmed that you are not anonymous to the master node, as I wrote upthread would be the case if he associates the collateral transaction with both input and output stages of the CoinJoin. eduffield I would like to say that is not acceptable because for the same reason I don't want to use mixer or laundry website, I can't know if the master node is an NSA honeypot. I would like to suggest you think about my divide-and-conquer idea as another electable option for users. If there is failed stage, then divide the inputs into two groups. Then ask for outputs again. Divide and conquer as necessary, then the join will complete. Not ideal, but at least you don't break anonymity and require trust of the master node. Best of luck with it. +1 definitiv an nice idea to use a "divide-and-conquer"-algorithm on signing ! the master node is still elected randomly, so no node will be default master everytime yes, but if you could do it better, than do it better, even if the current solution seems trustfull and enough (because of randomly chosen nodes), but something like the divide-and-conquer approach will help it to make it even better in my eyes. ofc there are problems, too - which needs a solution. like - if you divide-and-conquer, at some points the darksend transaction wouldn't be as obfuscating as it could be, because only a fragment of users would be in that darksend transaction. (right?) but i believe thats a good idea, which could help us. Problem with trusting a random node is Sybil attacks. Unless the cost of creating a node is significant, the adversary can flood with nodes. Also a market could develop for buying the information from nodes. Trusting a node is not anonymity. It is a form of privacy. Can you have perfect trust with perfect anonymity? Or are they dynamic dualities
I'm having trouble conceiving how trust might work with perfect anonymity and vice versa
Let's differentiate between anonymity and privacy. Anonymity means that no one can know some aspect of your identity, e.g. you might decide to reveal the name of your company but never who runs that company. Privacy means only some people know some aspect of your identity, e.g. the merchants you buy from may know your account number but otherwise not public unless revealed by one of those merchants. Anonymity is a more secure form of privacy because there is no trust involved, because no one knows what you have not revealed to anyone. So I can choose to trust a merchant who reveals its name and stakes its reputation on that name, without needing to know who owns that merchant. The key here is that prior bad outcomes don't follow the owner to new ventures. So history of performance of a merchant becomes paramount. If I don't want to trust a merchant to deliver the goods, the merchant and I can agree on a 3rd party escrow agent with multisig on payment (both I and escrow agent must sign for payment to be transferred to merchant). Again no need for the escrow agent to reveal his/her true name rather the historical reputation of a pseudonym will suffice. Ditto on contracts, arbitration agents can be chosen on contract signing. In short, our personal identity can be orthogonal to our business performance identity. This allows us to fail and start over again. It is very forgiving. And it keeps the government, conniving attorneys, and the Kangeroo court system out of our business. The master nodes would be required to have a single input greater than 1000DRK (or something like that). So if there's 5000 capable nodes it would cost 5000*1000DRK to see 50% of the messages. It would be impossible to buy enough darkcoin off of the exchanges to pull off such an attack on a large amount of users. So if you can pull off getting 5% of the transactions, the clear ones should become worthless because there's no trail to follow. The black budget of the NSA is at least $40 billion as documented by Edward Snowden recently, but Catherine Austin Fitts and others document the $2.3 trillion that went missing from the Pentagon budget that Defense Secretary Donald Rumsfeld admitted on TV the day before 9/11. The documents were destroyed in the Pentagon missileairplane attack. Obtaining a lot of DRK will be the first and ongoing priority of the national security agencies, as it is their job to crack any encrypted data transfers on the internet. By concentrating master nodes among the wealthy, you've created the perfect motivation for the wealthy to be friends with the government. The government gives them favors, they give the government data. This is why privacy is not good enough. Only anonymity will suffice. Sorry I don't like being a pain, but false claims of anonymity is going to hurt a lot of people in the end. The best is to fix it. Of course divide-and-conquer is not as efficient or elegant as your collateral payment. But the collateral payment breaks anonymity. What is the point of building something which can be easily broken by the NSA. Darkcoin is meant to fix problems with Bitcoin, not to be CriminalCoin. I'm afraid that if you're trying to hide something from the NSA, we don't want to be involved with that. Privacy is a human right and it's about time that a coin implemented it. However, if the NSA wants to find out what you're doing, they will. No matter how much you protect it, if someone wants your information bad enough they'll get it. It's Especially true with Zerocash/Zerocoin and their use of exotic mathematics. I've read through it and it's insanely complicated, I wouldn't be surprised if there's a room full of cryptographers in the NSA ripping it apart already. |
|
|
|
Design B: Users provide inputs, outputs and collateral at once. In this case the master node knows who is sending money to who, but later it can tell who didn’t sign.
I’ve chosen to use design B (users will add inputs and outputs at the same time) because it’s the only design that can’t be attacked in the way you’re saying.
Okay he has confirmed that you are not anonymous to the master node, as I wrote upthread would be the case if he associates the collateral transaction with both input and output stages of the CoinJoin. eduffield I would like to say that is not acceptable because for the same reason I don't want to use mixer or laundry website, I can't know if the master node is an NSA honeypot. I would like to suggest you think about my divide-and-conquer idea as another electable option for users. If there is failed stage, then divide the inputs into two groups. Then ask for outputs again. Divide and conquer as necessary, then the join will complete. Not ideal, but at least you don't break anonymity and require trust of the master node. Best of luck with it. +1 definitiv an nice idea to use a "divide-and-conquer"-algorithm on signing ! the master node is still elected randomly, so no node will be default master everytime yes, but if you could do it better, than do it better, even if the current solution seems trustfull and enough (because of randomly chosen nodes), but something like the divide-and-conquer approach will help it to make it even better in my eyes. ofc there are problems, too - which needs a solution. like - if you divide-and-conquer, at some points the darksend transaction wouldn't be as obfuscating as it could be, because only a fragment of users would be in that darksend transaction. (right?) but i believe thats a good idea, which could help us. Problem with trusting a random node is Sybil attacks. Unless the cost of creating a node is significant, the adversary can flood with nodes. Also a market could develop for buying the information from nodes. Trusting a node is not anonymity. It is a form of privacy. Can you have perfect trust with perfect anonymity? Or are they dynamic dualities
I'm having trouble conceiving how trust might work with perfect anonymity and vice versa
Let's differentiate between anonymity and privacy. Anonymity means that no one can know some aspect of your identity, e.g. you might decide to reveal the name of your company but never who runs that company. Privacy means only some people know some aspect of your identity, e.g. the merchants you buy from may know your account number but otherwise not public unless revealed by one of those merchants. Anonymity is a more secure form of privacy because there is no trust involved, because no one knows what you have not revealed to anyone. So I can choose to trust a merchant who reveals its name and stakes its reputation on that name, without needing to know who owns that merchant. The key here is that prior bad outcomes don't follow the owner to new ventures. So history of performance of a merchant becomes paramount. If I don't want to trust a merchant to deliver the goods, the merchant and I can agree on a 3rd party escrow agent with multisig on payment (both I and escrow agent must sign for payment to be transferred to merchant). Again no need for the escrow agent to reveal his/her true name rather the historical reputation of a pseudonym will suffice. Ditto on contracts, arbitration agents can be chosen on contract signing. In short, our personal identity can be orthogonal to our business performance identity. This allows us to fail and start over again. It is very forgiving. And it keeps the government, conniving attorneys, and the Kangeroo court system out of our business. The master nodes would be required to have a single input greater than 1000DRK (or something like that). So if there's 5000 capable nodes it would cost 5000*1000DRK to see 50% of the messages. It would be impossible to buy enough darkcoin off of the exchanges to pull off such an attack on a large amount of users. So if you can pull off getting 5% of the transactions, the clear ones should become worthless because there's no trail to follow. |
|
|
|
Design B: Users provide inputs, outputs and collateral at once. In this case the master node knows who is sending money to who, but later it can tell who didn’t sign.
I’ve chosen to use design B (users will add inputs and outputs at the same time) because it’s the only design that can’t be attacked in the way you’re saying.
Okay he has confirmed that you are not anonymous to the master node, as I wrote upthread would be the case if he associates the collateral transaction with both input and output stages of the CoinJoin. eduffield I would like to say that is not acceptable because for the same reason I don't want to use mixer or laundry website, I can't know if the master node is an NSA honeypot. I would like to suggest you think about my divide-and-conquer idea as another electable option for users. If there is failed stage, then divide the inputs into two groups. Then ask for outputs again. Divide and conquer as necessary, then the join will complete. Not ideal, but at least you don't break anonymity and require trust of the master node. Best of luck with it. Thanks AnonyMint! You are the real deal in anonymityland James What he suggests is unlikely, but even if some nodes are run by the NSA, which is likely, why not?, then they might get info for one transaction. Big deal, they can't always be the master node, there are too many other nodes running. And to "fix" such a minute problem, or possible issue, one would have to complicate the system to such a degree, I am certain you'd create more holes than you can cover up. sounds good, in practice it's a disaster. KISS, Is the way I think it should go. That Anonymint will never understand, as he keeps going on and on about the same half dozen issues. It's like conspiracy theories. yah, they could have happened, but how likely is it? With other more reasonable explanations and the fact that the government is so dang inept. It's just silly. It's even more unlikely if we require the master nodes have 1000DRK and it would elect them from the whole network. That way if there's 5000 capable master nodes, it would cost 5000*1000DRK to de-anonymize 50% of the transactions. Seems like a good compromise. PS. If one user doesn't sign, the whole process needs to restart. Which really just means the master node will ask all users to resubmit their inputs/outputs/signatures and will charge the user. |
|
|
|
Hey AnonyMint, welcome back. Your questions have been some of the best that we’ve gotten and really have helped the design of DarkSend, I really do appreciate your input. CoinJoin can't work. Period. I had another debate in the CoinJoin thread a few weeks ago with gmaxwell and I won. Go read it for yourself.
The problem is you can't prevent someone from denial-of-service attacking by refusing to sign the second stage of the operation. They can block all DarkSends this way.
There is not any anonymity offered by DarkSend, because the shorts will simply attack it once the coin becomes valuable and DarkSends won't get processed. The system will jam. And the price will plummet.
Earlier in the development someone attacked DarkSend this way and broke it for a day or so. I ended up coming up with what I call collateral transactions. A collateral transaction is a transaction that is only sent to the master node and if broadcast will transfer money from the node in question to the master node. The main problem is CoinJoin happens in 3 main stages: 1.) ACCEPTING INPUTS (inputs are the money I’m sending) 2.) ACCEPTING OUTPUTS (outputs are who I’m sending to) 3.) SIGN INPUTS (everyone signs their input separately then sends them) In stage 2, what if someone fails to send their output? In stage 3, what if someone fails to sign? So with blind signing (footnote 1) when a user adds an output, you know it’s one of your users but you don’t know which. So if a user fails to provide outputs, the whole session must restart and no one can be punished. I've thought about multiple designs for DarkSend, many of which do have the issue you’re talking about: Design A: Users provide inputs and collateral, then later will provide outputs. The master node must know which user didn’t provide the outputs to be able to charge him. If we use blind signing we can’t charge the bad actor fees. Design B: Users provide inputs, outputs and collateral at once. In this case the master node knows who is sending money to who, but later it can tell who didn’t sign. I’ve chosen to use design B (users will add inputs and outputs at the same time) because it’s the only design that can’t be attacked in the way you’re saying. //Accepting inputs 1. User A provides (Input, txCollateral, Output1, Output2) 2. User B provides (Input, txCollateral, Output1, Output2) 3. User C provides (Input, txCollateral, Output1, Output2) //Signing 1. User A provides (Input, txCollateral) 2. User B fails to provide to sign 3. User C provides (Input, txCollateral) //Fees 1. User B is charged So to be clear, the master must know who is sending money to who. But ONLY the master node will need to know this. Beyond that the blockchain is still anonymous, and master nodes can be decentralized among the users of the network. (1) More about blind signing:
http://ojs.academypublisher.com/index.php/jnw/article/viewFile/0508921928/2053
|
|
|
|
Hands off, she's taken! LOL A Saroshi! I like it  |
|
|
|
Diff is all over the place, it cycles from 300 to 750... I think DGW doesn't work as they thought it would.
The hashrate is all over the place, DGW works perfect. http://darkcoin.mine.nu/graph.htmlHow is hashrate calculated? The client calculates it using the speed at which blocks are created |
|
|
|
Diff is all over the place, it cycles from 300 to 750... I think DGW doesn't work as they thought it would.
The hashrate is all over the place, DGW works perfect. http://darkcoin.mine.nu/graph.html |
|
|
|
Briefly attacked and InternetApe fixed it. Seems to be humming along now. |
|
|
|
DarkSend Beta V5 Release (v0.10.0.0) !This release has a bunch of new features, I’ve been laying the groundwork to get DarkSend closer to the implementation described in the whitepaper. Check out the whitepaper here to see what the following bullet points are talking about:
http://www.darkcoin.io/downloads/DarkcoinWhitepaper.pdf
- Separated payment node from master node
- Decentralized the master node, signing now happens on a “finalized transaction” which is whatever the masternode decides made it into that transaction.
- Using the finalized transaction users can know if they need to resubmit into the next session (extremely rare).
- Integrated the denominate functionality into an automated process, if inputs are needed when you try to DarkSend they’ll be created on the fly now.
- Removed denominate button and api calls
Remember to add this to your config:
addnode=23.23.186.131
http://www.darkcoin.io/downloads/DarkSendDocumentation.pdf
OH BABY STRAIGHT TO V5 Thanks for being such a beast Evan. lol did I skip V4? I don't even remember |
|
|
|
|
Show Posts
