Other ideas?
I’m open to ideas on how to provide the best security to the network. I would love to hear what people have in mind.
How about adding an option for adding decoy transactions? Sometimes coinjoins can be picked apart just by looking at what adds up. This was painfully obvious on the darksend testnet the other day, as I remember seeing darksend transactions like

Inputs: 500, 5
Outputs: 400, 100, 4, 1

where there's only one possible solution of who sent what. One could easily construct decoy transactions to specifically add up to the amounts of the legit transaction. For example:

Intended transaction:
Input: 100
Output: 20, 80 (change)

Decoy transaction:
Input: 500
Output: 10, 90, 50, 50, 35, 65, 95, 5, 100 (all sent to change addresses)

If that decoy transaction is coinjoined with the intended transaction, there become 5 extra possibilities of where the 100 was sent to, even if no transactions by others help mask it.

Also, use more inputs than necessary, and use several change addresses instead of just one to help mask the intentions, and also having more and smaller outputs causes it to be more likely that they can be useful to help mask other transactions joined with them.

The testing we did was just a test of the transaction pooling and remote signing of inputs, not a test of anonymity (good eye though checking that out). One of the next tests we should have that working. Here’s the plan for anonymizing amounts if anyone is interested:

DarkSend anonymizes unique amounts like 15.15 by using “denominations” of currency in the different transaction pools available. These denominations come in the amounts of 5000, 1000, 500, 100, 50, 20, 5, 1, .50, .25, .10, .05, and .01.

For example a payment of 15.15 would be broken down and submitted to the following transaction pools:

Submit payment for 10DRK to addr Xyz using pool 10 (in pool 10 ALL outputs are for 10DRK)
Submit payment for 5DRK to addr Xyz using pool 5 (in pool 5 ALL outputs are for 5DRK)
Submit payment for 0.10DRK to addr Xyz using pool .10
Submit payment for 0.05DRK to addr Xyz using pool .05

The four payments total 15.15, just like paying in cash, except you have no idea who paid you. Users receiving anonymous payments will then receive separate out of order payments for various amounts adding up to the total amount they were intending on receiving. With this methodology, payments could be as granular as 0.01, this could be changed in the future if the currency becomes more valuable by adding smaller denominations.

If you leave the smaller units out, and they are used all the time, won't that be a weak link from which you can figure out where the transactions came from?

Nope, for example if you sent 30DRK, you would use 2 of the pools. Pool 10 and Pool 20, the transactions then look like this:

Users 1,2,3,4,5 send 10DRK to users A,B,C,D,E
Users 1,2,3,4,5 send 20DRK to users A,B,C,D,E

It just requires the network to process 4 of each of the 10/20 denominations to anonymize them.
|
|
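The "what adds up" problem discussed in the post above, and why equal-denomination pools remove it, as an added example that is not part of the original thread or of Darkcoin's code. It assumes one input per participant, no fee, and integer amounts; the function names and the three sample transactions (built from the amounts quoted in the thread) are constructed for illustration.

```python
"""Count the input->output mappings consistent with a joined transaction."""
from fractions import Fraction
from typing import List, Tuple

# Constructed samples using the amounts quoted in the thread (fees ignored).
TESTNET_JOIN = ([500, 5], [400, 100, 4, 1])
DECOY_JOIN = ([100, 500], [20, 80, 10, 90, 50, 50, 35, 65, 95, 5, 100])
POOL_10 = ([10] * 5, [10] * 5)  # five users, every output is 10 DRK


def consistent_mappings(inputs: List[int], outputs: List[int]) -> List[Tuple[int, ...]]:
    """Return every assignment of outputs to inputs whose sums balance.

    mapping[j] == i means output j is paid for by input i. Simplifying
    assumption of this example: each participant contributes one input and
    there is no fee, so an input must equal the sum of its outputs.
    """
    if sum(inputs) != sum(outputs):
        return []
    remaining = list(inputs)
    mapping = [-1] * len(outputs)
    # Place large outputs first so impossible branches are cut early.
    order = sorted(range(len(outputs)), key=lambda j: -outputs[j])
    found: List[Tuple[int, ...]] = []

    def place(pos: int) -> None:
        if pos == len(order):
            # Totals match, so once every output is placed each input is
            # exactly spent and the mapping is balanced.
            found.append(tuple(mapping))
            return
        j = order[pos]
        for i in range(len(inputs)):
            if outputs[j] <= remaining[i]:
                remaining[i] -= outputs[j]
                mapping[j] = i
                place(pos + 1)
                remaining[i] += outputs[j]
        mapping[j] = -1

    place(0)
    return found


def link_fraction(inputs: List[int], outputs: List[int], i: int, j: int) -> Fraction:
    """Fraction of balanced mappings in which input i pays output j.

    1 means the link is certain from the amounts alone; 1/n for n equal
    participants means the amounts reveal nothing.
    """
    maps = consistent_mappings(inputs, outputs)
    if not maps:
        raise ValueError("amounts do not balance")
    return Fraction(sum(1 for m in maps if m[j] == i), len(maps))


if __name__ == "__main__":
    for name, (ins, outs) in [("testnet", TESTNET_JOIN),
                              ("decoy", DECOY_JOIN),
                              ("pool 10", POOL_10)]:
        print(f"{name}: {len(consistent_mappings(ins, outs))} balanced mappings")
    # How strongly the amounts tie the 100 input to the 20 output in the decoy join.
    print("decoy, input 100 -> output 20:", link_fraction(*DECOY_JOIN, 0, 0))
```

Under these assumptions the testnet transaction has exactly one balanced mapping, the decoy join has 9, and a five-user pool of equal 10 DRK outputs has 120, with every input linked to every output in exactly 1/5 of them.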
|
Consumes more energy than scrypt or no?
Users report it consumes about half
|
|
|
In reply to: http://www.reddit.com/r/DRKCoin/comments/1yit1a/using_coinjoin_for_anonymity_is_errorprone/

I'm posting this here, for everyone's benefit. Thanks!

Hi, I am Gnosis, the Anoncoin developer working on implementing Zerocoin. First of all, I think it is excellent that there is so much interest in developing a fully anonymous currency. I am not just a developer but also a user, or I will be when an anonymous currency exists! When coin creators compete, the coin users win! However, CoinJoin has been around for a while, and it has not seen much use for anonymity. There's a good reason for that: it's not very anonymous. Quoting my bitcointalk post:

CoinJoin has questionable anonymity compared to Zerocoin. The reason is that with CoinJoin, two or more users must somehow partner up and forge a transaction together. They communicate over a secure channel to do this. The coins are only mixed among these "partners." Picking partners you can trust is a significant obstacle: how can you know that your partners will "forget" the mixing that happened? One may try to repeat this 10 times with randomly chosen partners, but how can you know that your partners are not all just sock puppets of one malicious entity (on an anonymous network, it is trivial to create as many fake users as you want)? If that is the case, then your efforts are in vain.

Compare this with Zerocoin, where you put your coins in an accumulator, and they are mixed with the coins of all users who have put coins into that accumulator, since the beginning of Zerocoin. There would be a different accumulator for different denominations of Anoncoins (1, 5, 10, 50 ANC, etc.). To put it simply, the more users' coins your coins are mixed with, the more anonymity you have.

I cannot speak to Darkcoin's implementation (or planned implementation) of CoinJoin since I cannot seem to find any specs or code on their Github or their site. If anyone knows, please point me to them.

I look forward to a practical and secure solution for anonymity from the DarkCoin devs!

First off, these are fantastic questions. The answer to implementing this in such a way where it is very difficult to exploit is by adding cost and verification. Here’s the gist of how I envision DarkSend to work in the long run. Some of what I’m going to mention is done, some of it I’m working on currently. I’d love some ideas on possible attack vectors on my implementation, so we can make it as bulletproof as possible.

Pools

DarkSend adds various extensions to the Bitcoin protocol for implementing transaction pooling. Like normal Coinjoin the pools take transactions in stages. The stages currently are:

POOL_STATUS_IDLE
POOL_STATUS_ACCEPTING_INPUTS
POOL_STATUS_ACCEPTING_OUTPUTS
POOL_STATUS_SIGNING
POOL_STATUS_TRANSMISSION

So the users relay these items throughout the network as the stages happen. After all items are gathered into the pool, the transactions are merged together into one, remotely signed and then broadcasted.

Masters

To defeat propagation problems, master nodes are elected each new block. They are responsible for being the authority of what goes into the joined transaction each session. This is done in a tamperproof way, but I think it’s not important to the discussion.

So what is the cost?

There must be a cost to using this anonymous network, otherwise like you say there will be issues with millions of accounts popping up. I’m not dead set on which solution(s) to implement, but here’s a couple ideas:

Burnt Identities

Higher difficulty shares to the current block would be mined and then stored in the blockchain permanently. Multiple of these would be used for each transaction and would be “burnt” when misused, causing the attacker to have to mine them again.

Verification?

To use the pools it will require unique unspent outputs, someone that wants to mess with the system would have to have a large pool of funds in many addresses. So to attack a pool with 100 slots, you would require funds dispersed to 99 addresses, on 99 nodes working in common.

Other possible fee-less solutions?

There is interesting research on protecting against sybil attacks that lends itself really well to a decentralized ledger, such as this paper: http://dimacs.rutgers.edu/Workshops/InformationSecurity/slides/gamesandreputation.pdf

The idea is to build a social graph of the inputs and outputs of each entry and they should all know different people. If 99 of them all have the same “friends” that they associate with, then they’ll have to enter a different pool. Which will ensure the pool is not full of the nodes belonging to the attacker.

An application for machine learning?

I’ve been making models for trading equities for over 7 years now. I ran a financial firm that sold the signals for a few years and I have experience with natural language processing using classifiers. So, I could make a classifier and actually embed it into Darkcoin to determine which pool a node should use, to separate out nodes that seem to be in common.

Other ideas?

I’m open to ideas on how to provide the best security to the network. I would love to hear what people have in mind. I’ve been working on DarkSend about a month and we’ve already fixed the decentralization and propagation issues, this is just another bridge to cross in the future.

Thanks!

Is it possible to implement 3 solutions to work side by side? Or would that conflict or slow things down too much?? I like repetition

I think that's what the end result will be and it shouldn't slow down anything
|
|
|
Good lord, our developer shouldn't have to not post in the Reddit for his own coin because it, "Looks terrible". That reddit literally makes me sick to my stomach to look at, it is that hard on the eyes. Will whoever is doing the CSS for it PLEASE have a normal Reddit for the main area and just keep the Darkcoin header? You're driving away so many users in my opinion. And our own developer.

Agree so hard. There is a thread about it, whoever is in charge made a couple tweaks but it's still horrible. He seems adamant to keep the theme close to what it is, despite many people requesting it is changed. I suggested googling "dark color schemes" for some better ideas, as right now it's really a problem to read for more than a minute or two. As a coder who prefers dark color schemes, I'm positive it could be done better with about 10 minutes of effort. And yet, no response. :/

Can I ask that you please be a bit more constructive, because I've actively addressed people's criticisms, fixed all the glaring RES stylesheet issues, basically done everything people have asked, and received a lot of positive feedback from people who were previously complaining (mostly about RES specific problems that weren't visible on my end at the time, which have since been fixed). If you still have a problem with it, I'm as open to changing things as I've always been. I'm putting my own time into this for the community, after all. You just need to be specific about the problem you're having. It's like filing a bug report -- if you don't give specifics, it's hard for the dev to address the problem. I'm also a coder who uses dark colour schemes so I know what works for me, but I only have my own eyes to go by, so if the scheme doesn't agree with your eyes I need you to be specific about the what & why.

I was, read the thread!

"I didn't mean to start this shit storm."

It needs to be addressed. It is, and will turn people away. That's bad. It's not a good time to "try things" - go with something that makes sense. You can try diff themes out in a test subreddit and get opinions before rolling it out to the community. Basic stuff, here.

You're right, can we work on finding a theme that is as aesthetically pleasing to everyone as possible?
|
|
|
Good lord, our developer shouldn't have to not post in the Reddit for his own coin because it, "Looks terrible". That reddit literally makes me sick to my stomach to look at, it is that hard on the eyes. Will whoever is doing the CSS for it PLEASE have a normal Reddit for the main area and just keep the Darkcoin header? You're driving away so many users in my opinion. And our own developer.

Agree so hard. There is a thread about it, whoever is in charge made a couple tweaks but it's still horrible. He seems adamant to keep the theme close to what it is, despite many people requesting it is changed. I suggested googling "dark color schemes" for some better ideas, as right now it's really a problem to read for more than a minute or two. As a coder who prefers dark color schemes, I'm positive it could be done better with about 10 minutes of effort. And yet, no response. :/

Can I ask that you please be a bit more constructive, because I've actively addressed people's criticisms, fixed all the glaring RES stylesheet issues, basically done everything people have asked, and received a lot of positive feedback from people who were previously complaining (mostly about RES specific problems that weren't visible on my end at the time, which have since been fixed). If you still have a problem with it, I'm as open to changing things as I've always been. I'm putting my own time into this for the community, after all. You just need to be specific about the problem you're having. It's like filing a bug report -- if you don't give specifics, it's hard for the dev to address the problem. I'm also a coder who uses dark colour schemes so I know what works for me, but I only have my own eyes to go by, so if the scheme doesn't agree with your eyes I need you to be specific about the what & why.

I meant my giant blob reply looked terrible, not the theme. I didn't mean to start this shit storm.
|
|
|
Can someone explain for the non-programmers/non-cryptographers what is the difference between Anoncoin and Darkcoin, please?
Darkcoin plans to use "CoinJoin": https://bitcointalk.org/index.php?topic=279249.0

Anoncoin plans to use Zerocoin: http://zerocoin.org/

I'm not sure on which is more anonymous.. I think we should start a debate thread perhaps.

CoinJoin has questionable anonymity compared to Zerocoin. The reason is that with CoinJoin, two or more users must somehow partner up and forge a transaction together. They communicate over a secure channel to do this. The coins are only mixed among these "partners." Picking partners you can trust is a significant obstacle: how can you know that your partners will "forget" the mixing that happened? One may try to repeat this 10 times with randomly chosen partners, but how can you know that your partners are not all just sock puppets of one malicious entity (on an anonymous network, it is trivial to create as many fake users as you want[1])? If that is the case, then your efforts are in vain.

Compare this with Zerocoin, where you put your coins in an accumulator, and they are mixed with the coins of all users who have put coins into that accumulator, since the beginning of Zerocoin. There would be a different accumulator for different denominations of Anoncoins (1, 5, 10, 50 ANC, etc.). To put it simply, the more users' coins your coins are mixed with, the more anonymity you have.

I cannot speak to Darkcoin's implementation (or planned implementation) of CoinJoin since I cannot seem to find any specs or code on their Github or their site. If anyone knows, please point me to them.

Notes:
[1] Otherwise known as a Sybil attack: https://en.wikipedia.org/wiki/Sybil_attack

I replied here: https://bitcointalk.org/index.php?topic=421615.msg5282966#msg5282966
|
|
|
WHAT HAPPENED TO THE OFFICIAL POOL??? WHY IS IT DOWN???

rumor says ddos

Hope to see it up again. I don't want to lose my drk

back up
|
|
|
NET HASH @ 6GH/s. It is amazing !!!

With pool.darkcoin.io down?

Apparently the wallet shut down randomly, we'll work on adding something to monitor it
|
|
|
Anyone else impressed that we're the ONLY crypto that is up today above #20?
|
|
|
I must say I started mining this coin yesterday and everything runs 50% plus cooler. I need to get my killawatt out and see the draw compared to a normal scrypt coin. So far I love it!
Thanks Devs
I also put a few of my cards to mine this coin and it's true that cards run a lot cooler. Please post results from that killawatt reader.

Ok here are the results. This miner is a 4x270
Normal Coin: 887 - 892
Darkcoin: 550-552
That's a huge difference on my power bill

Yep. Mining scrypt my rig pulls 1150W doing 2.1Mh/s. On darkcoin it uses 650W doing 6.2Mh/s. As someone else has pointed out earlier though, this reduced power consumption could simply be because there's way more code optimisation to be done yet and the GPUs are only doing 50% of what is possible. I can make my GPUs run cooler mining scrypt coins too (and more efficiently) if I want to.

Here's another point of view... assuming that we can't push any more performance out of the GPUs while mining darkcoin, it could be argued that it is less efficient because you need to purchase 2 cards to do the work that 1 card should be capable of, in terms of raw computing power.

I was thinking about this earlier, does anyone know how hot GPUs run mining bitcoin? If that runs cooler I would tend to think the extra power draw and heat is because scrypt pretty much rewrites the entire ram available as fast as possible over and over again, whereas Bitcoin/Darkcoin would only use a small amount of ram.
|
|
|
Metal style

This is fantastic! But it looks a bit strange smaller, can you alter the lighting to make it look more natural?
|
|
|
Do we have an Official "Darkcoin accepted here" banner? If not we may need one soon, Please post imgur links here or the DRK subreddit!
This is the only one available, I think this isn't good enough.. I'll improve it later.

the top font looks unprofessional. -onetime

That isn't too bad, I know we have some graphic talent here. Let's get the ball rolling as I'm starting to advertise for us and we will need a proper "Accepted here" banner for merchants! Also everyone don't forget to vote on mintpal to add DRK, and retweet my posts that concern Darkcoin. People are noticing us but with our great devs rolling out these big features soon it should catch on very nicely. https://twitter.com/Kreative_Crypto/status/436486080355770368 RETWEET!

How's about something simple like this? Tips welcome: Xo1BJ2GA2Ei9wN92NbrXKhRCDUYYiwqt4o

Sent 1 DRK. Graphically the only time someone hasn't made me want to puke in this thread. Clean and easy on the eyes, good job.

Yes, this one is super nice. I'll send a tip later
|
|
|
EDIT: I accidentally copied misinformation from a bad source on the internet for the Darkcoin vs Zerocoin post, I was looking for original sources this morning trying to vet my post and found it was wrong. Sorry! https://bitcointalk.org/index.php?topic=421615.msg5241291#msg5241291

PS, can anyone who posted this anywhere edit and update your post to the new numbers?
|
|
|
Progress Report #6
Thanks to everyone that showed up last night to help out with the alpha test! We had a great showing of about 30 people and a full chatroom at #darkcoin-test. After 3 full hours of darksending money randomly around, we ended up doing over 100 darksent transactions!
It worked fantastic, so next I'll be moving on to fixing some of the last known issues, then on to the next milestones.
Looking forward to the next test. Thanks everyone
|
|
|
Save it for future use!!!

Do we have an Official "Darkcoin accepted here" banner? If not we may need one soon, Please post imgur links here or the DRK subreddit!
We'll add these to the website, thanks!
|
|
|
I’ve heard some chatter and misconceptions about the difference between Darkcoin vs Zerocoin, so here’s a write up about the pros and cons of each approach and what they do differently.

Darkcoin

First off, most people start by asking is DarkSend actually real and does it work? Yes! Check out the development progress here: https://bitcointalk.org/index.php?topic=467857.0

DarkSend is based off of Greg Maxwell's original idea called Coinjoin, with some added improvements and decentralization. The decentralized approach is important because the logic is self contained in the client, which is managed by the users themselves. This is a trustless solution.

Darkcoin uses the base transaction layer to sign its transactions in much the same way that Bitcoin does. The mathematics are tried and true and have been used for years in computer security and banking.

Transactions will be grouped together and cost the same as sending transactions on the normal network. Both DarkSend and normal transactions will be available to choose from, but at some point we might default to DarkSend (and go Dark).

It’s also worth noting that this approach doesn’t bloat the blockchain at all either. Transactions are the same size as they would have been.

Zerocoin

The approach Zerocoin takes is to use some exotic mathematics to hide the identity with a zero-knowledge proof. This allows a higher quality of anonymity, but also could have some unforeseen hole that will be exploited later. Check out this link to see the mathematics I'm talking about: https://github.com/Zerocoin/libzerocoin/blob/master/AccumulatorProofOfKnowledge.cpp

Zerocoin's proof of work is in the 2kb range, which was reduced from 1024kb in Matthew Green’s original work. These proofs must be stored in the blockchain for each transaction that goes through the network for confirmation purposes and the ledger history, so this will cause a lot of bloat. There is also a need for these proofs to be processed by the network's nodes, being larger will cause more intense CPU usage with smaller transaction rates.

The spec for Zerocoin also requires a 100% premine. I believe mining is what gives cryptocurrencies their base value, so this could be a problem for the currency in the long haul.

With the high CPU usage, how will the network deal with DDOS attacks? I could send bad proofs that must be processed. It’s much harder with the Bitcoin protocol because the math is pretty fast and you would be banned quickly.

Imagine if Zerocoin had to deal with 20 transactions a minute, that would be 58.98MB/day that will be added to the blockchain. After a year, that would add up to 21.5GB. Now god forbid you have to reindex this, you’ll have to process all of the proofs on your computer? That might take another year to complete.

---

I think the Darkcoin approach has the best mix of features, with the least risk and it’s decentralized. So we definitely have our place in the market.

References:
Coinjoin spec: https://bitcointalk.org/index.php?topic=279249.0;all

I'm requoting this because everyone needs to read it! Thanks!

That's a great explanation of the differences between zerocoin and darkcoin. Could you also compare the mixing service vs darksend?

I updated the post to explain that, https://bitcointalk.org/index.php?topic=421615.msg5241291#msg5241291
|
|
|
|