XMR vs DRK

[fluffypony]

So in other words, you've finally come to the same conclusion I've already expressed: everything hinges on the opsec of the MasterNode operators.

Nope, not at all....we went over all that.

It's the 'hardness' of the MN code that's important. How remotely exploitable it is, I would say.

edit: OK, giving this more consideration...remote exploitability of a given MN does have dependencies on Opsec. Let's assume what I think is fair to assume, that basic Opsec is in place similar to what we might expect on the BTC network....i.e MNs are at least behind a firewall and only listening on TCP/9999

Now you're getting it:)

The key difference there is that compromising a BTC node has no real knock-on effect for the network overall.

That question I asked yesterday appears to have gone unanswered, so I'll answer it: the number of honest BTC nodes any given BTC node needs to be connected to is 1. It can have 20 malicious peers all working together to lie to it and only 1 honest peer, and it will be able to determine which is the honest peer. The only way to truly disrupt its connection to the BTC network is to completely blackhole it.

In my opinion that has to be the baseline for comparison when designing a decentralised architecture. Without getting into a big discussion of decentralised vs. distributed architecture, this is the end-goal when you don't encourage decentralisation: http://www.newyorker.com/tech/elements/the-mission-to-decentralize-the-internet

[1714509723]

1714509723

[1714509723]

1714509723

[1714509723]

1714509723

[1714509723]

1714509723

[GTO911]

Our jugdement is always clouded by our emotional investments

Satoshi made us think in a different way, to not to trust, to question. Satoshi gave us Blockchain, the trustless authority.

When we have blockchain based solutions, why should we place our trust on nodes? Isnt it what we all are here for? to build trustless systems?

There are two types of people here, those who want to gain more fiat and those who want to help humanity. Choose your side

[majamina]

So in other words, you've finally come to the same conclusion I've already expressed: everything hinges on the opsec of the MasterNode operators.

Nope, not at all....we went over all that.

It's the 'hardness' of the MN code that's important. How remotely exploitable it is, I would say.

edit: OK, giving this more consideration...remote exploitability of a given MN does have dependencies on Opsec. Let's assume what I think is fair to assume, that basic Opsec is in place similar to what we might expect on the BTC network....i.e MNs are at least behind a firewall and only listening on TCP/9999

Now you're getting it:)

The key difference there is that compromising a BTC node has no real knock-on effect for the network overall.

That question I asked yesterday appears to have gone unanswered, so I'll answer it: the number of honest BTC nodes any given BTC node needs to be connected to is 1. It can have 20 malicious peers all working together to lie to it and only 1 honest peer, and it will be able to determine which is the honest peer. The only way to truly disrupt its connection to the BTC network is to completely blackhole it.

In my opinion that has to be the baseline for comparison when designing a decentralised architecture. Without getting into a big discussion of decentralised vs. distributed architecture, this is the end-goal when you don't encourage decentralisation: http://www.newyorker.com/tech/elements/the-mission-to-decentralize-the-internet

So given the probabilities I listed above, how many DS nodes do we need to compromise, or make 'dishonest' to disrupt the MN network and break privacy? Enough to render the opsec issue negligible it seems.

Yes, I think a distributed vs decentralised debate could be had.

And a 'theoretically best design' debate.

But perhaps more importantly, a 'fit-for-purpose' debate.

[majamina]

There are two types of people here, those who want to gain more fiat and those who want to help humanity. Choose your side

You can be on both sides, can't you?

[sangoku]

OK I plotted the curve: (edit: this is for 4 rounds of darksend)




Here are the numbers of nodes behind the graph - sorry, Excel only renders percentages to 30 decimal places so I'll do 2 tables, one with percentages and one with numbers.

1.00%   0.000000000000000000000000000000%
2.00%   0.000000000000000000000000000000%
3.00%   0.000000000000000000000000000000%
4.00%   0.000000000000000000000000000000%
5.00%   0.000000000000000000000000000000%
6.00%   0.000000000000000000000000000000%
7.00%   0.000000000000000000000000000000%
8.00%   0.000000000000000000000000000000%
9.00%   0.000000000000000000000000000000%
10.00%   0.000000000000000000000000000000%
11.00%   0.000000000000000000000000000000%
12.00%   0.000000000000000000000000000000%
13.00%   0.000000000000000000000000000000%
14.00%   0.000000000000000000000000000000%
15.00%   0.000000000000000000000000000000%
16.00%   0.000000000000000000000000000000%
17.00%   0.000000000000000000000000000000%
18.00%   0.000000000000000000000000000000%
19.00%   0.000000000000000000000000000000%
20.00%   0.000000000000000000000000000000%
21.00%   0.000000000000000000000000000000%
22.00%   0.000000000000000000000000000000%
23.00%   0.000000000000000000000000000000%
24.00%   0.000000000000000000000000000000%
25.00%   0.000000000000000000000000000000%
26.00%   0.000000000000000000000000000000%
27.00%   0.000000000000000000000000000000%
28.00%   0.000000000000000000000000000000%
29.00%   0.000000000000000000000000000000%
30.00%   0.000000000000000000000000000000%
31.00%   0.000000000000000000000000000000%
32.00%   0.000000000000000000000000000000%
33.00%   0.000000000000000000000000000000%
34.00%   0.000000000000000000000000000000%
35.00%   0.000000000000000000000000000000%
36.00%   0.000000000000000000000000000000%
37.00%   0.000000000000000000000000000000%
38.00%   0.000000000000000000000000000000%
39.00%   0.000000000000000000000000000000%
40.00%   0.000000000000000000000000000001%
41.00%   0.000000000000000000000000000011%
42.00%   0.000000000000000000000000000072%
43.00%   0.000000000000000000000000000476%
44.00%   0.000000000000000000000000002994%
45.00%   0.000000000000000000000000018072%
46.00%   0.000000000000000000000000104864%
47.00%   0.000000000000000000000000585907%
48.00%   0.000000000000000000000003157177%
49.00%   0.000000000000000000000016431848%
50.00%   0.000000000000000000000082718061%
51.00%   0.000000000000000000000403286875%
52.00%   0.000000000000000000001906634691%
53.00%   0.000000000000000000008751239469%
54.00%   0.000000000000000000039039188890%
55.00%   0.000000000000000000169439694425%
56.00%   0.000000000000000000716212935450%
57.00%   0.000000000000000002951130766537%
58.00%   0.000000000000000011864228024849%
59.00%   0.000000000000000046575865222660%
60.00%   0.000000000000000178689910246017%
61.00%   0.000000000000000670481502485578%
62.00%   0.000000000000002462267086575060%
63.00%   0.000000000000008856129455897360%
64.00%   0.000000000000031217485503159900%
65.00%   0.000000000000107911699285832000%
66.00%   0.000000000000366028450492200000%
67.00%   0.000000000001218945296953730000%
68.00%   0.000000000003987613122381620000%
69.00%   0.000000000012821158200314400000%
70.00%   0.000000000040536215597144200000%
71.00%   0.000000000126086299122345000000%
72.00%   0.000000000386011029987512000000%
73.00%   0.000000001163667244198870000000%
74.00%   0.000000003455712297483980000000%
75.00%   0.000000010113490511326700000000%
76.00%   0.000000029180140755877400000000%
77.00%   0.000000083034392727673100000000%
78.00%   0.000000233113924181152000000000%
79.00%   0.000000645903002286135000000000%
80.00%   0.000001766847064778400000000000%
81.00%   0.000004773110738113080000000000%
82.00%   0.000012738203734425700000000000%
83.00%   0.000033592891719906800000000000%
84.00%   0.000087567486675137000000000000%
85.00%   0.000225690904542536000000000000%
86.00%   0.000575275792642648000000000000%
87.00%   0.001450575070699360000000000000%
88.00%   0.003619209906631740000000000000%
89.00%   0.008937180547945420000000000000%
90.00%   0.021847450052839300000000000000%
91.00%   0.052882427867883300000000000000%
92.00%   0.126772830665687000000000000000%
93.00%   0.301048095645893000000000000000%
94.00%   0.708318015672206000000000000000%
95.00%   1.651537438501360000000000000000%
96.00%   3.816793317353630000000000000000%
97.00%   8.744575691882720000000000000000%
98.00%   19.864885008204100000000000000000%
99.00%   44.752321376381000000000000000000%
100.00%   100.000000000000000000000000000000%


1.00%   1E-160
2.00%   1.2089E-136
3.00%   1.4781E-122
4.00%   1.4615E-112
5.00%   8.2718E-105
6.00%   1.7869E-98
7.00%   4.05362E-93
8.00%   1.76685E-88
9.00%   2.18475E-84
10.00%   1E-80
11.00%   2.0484E-77
12.00%   2.16023E-74
13.00%   1.30457E-71
14.00%   4.90053E-69
15.00%   1.22265E-66
16.00%   2.13599E-64
17.00%   2.72844E-62
18.00%   2.64119E-60
19.00%   1.99659E-58
20.00%   1.20893E-56
21.00%   5.99161E-55
22.00%   2.47636E-53
23.00%   8.67415E-52
24.00%   2.61156E-50
25.00%   6.84228E-49
26.00%   1.57713E-47
27.00%   3.22925E-46
28.00%   5.92437E-45
29.00%   9.81386E-44
30.00%   1.47809E-42
31.00%   2.03674E-41
32.00%   2.58225E-40
33.00%   3.02772E-39
34.00%   3.29848E-38
35.00%   3.35308E-37
36.00%   3.19301E-36
37.00%   2.8585E-35
38.00%   2.41372E-34
39.00%   1.92827E-33
40.00%   1.4615E-32
41.00%   1.05368E-31
42.00%   7.24341E-31
43.00%   4.75857E-30
44.00%   2.99374E-29
45.00%   1.80718E-28
46.00%   1.04864E-27
47.00%   5.85907E-27
48.00%   3.15718E-26
49.00%   1.64318E-25
50.00%   8.27181E-25
51.00%   4.03287E-24
52.00%   1.90663E-23
53.00%   8.75124E-23
54.00%   3.90392E-22
55.00%   1.6944E-21
56.00%   7.16213E-21
57.00%   2.95113E-20
58.00%   1.18642E-19
59.00%   4.65759E-19
60.00%   1.7869E-18
61.00%   6.70482E-18
62.00%   2.46227E-17
63.00%   8.85613E-17
64.00%   3.12175E-16
65.00%   1.07912E-15
66.00%   3.66028E-15
67.00%   1.21895E-14
68.00%   3.98761E-14
69.00%   1.28212E-13
70.00%   4.05362E-13
71.00%   1.26086E-12
72.00%   3.86011E-12
73.00%   1.16367E-11
74.00%   3.45571E-11
75.00%   1.01135E-10
76.00%   2.91801E-10
77.00%   8.30344E-10
78.00%   2.33114E-09
79.00%   6.45903E-09
80.00%   1.76685E-08
81.00%   4.77311E-08
82.00%   1.27382E-07
83.00%   3.35929E-07
84.00%   8.75675E-07
85.00%   2.25691E-06
86.00%   5.75276E-06
87.00%   1.45058E-05
88.00%   3.61921E-05
89.00%   8.93718E-05
90.00%   0.000218475
91.00%   0.000528824
92.00%   0.001267728
93.00%   0.003010481
94.00%   0.00708318
95.00%   0.016515374
96.00%   0.038167933
97.00%   0.087445757
98.00%   0.19864885
99.00%   0.447523214
100.00%   1

Same graphic in 8 rounds ?

[majamina]

Same graphic in 8 rounds ?

The curve is going to look similar at that scale, but the probabilities are obviously much smaller as you go through the list. Interestingly, with 1% of nodes compromised and 8 rounds, the probability is so small that Excel can't seem to calculate it and displays '0'

8 ROUNDS OF DARKSEND:

1.00%   0.000000000000000000000000000000%
2.00%   0.000000000000000000000000000000%
3.00%   0.000000000000000000000000000000%
4.00%   0.000000000000000000000000000000%
5.00%   0.000000000000000000000000000000%
6.00%   0.000000000000000000000000000000%
7.00%   0.000000000000000000000000000000%
8.00%   0.000000000000000000000000000000%
9.00%   0.000000000000000000000000000000%
10.00%   0.000000000000000000000000000000%
11.00%   0.000000000000000000000000000000%
12.00%   0.000000000000000000000000000000%
13.00%   0.000000000000000000000000000000%
14.00%   0.000000000000000000000000000000%
15.00%   0.000000000000000000000000000000%
16.00%   0.000000000000000000000000000000%
17.00%   0.000000000000000000000000000000%
18.00%   0.000000000000000000000000000000%
19.00%   0.000000000000000000000000000000%
20.00%   0.000000000000000000000000000000%
21.00%   0.000000000000000000000000000000%
22.00%   0.000000000000000000000000000000%
23.00%   0.000000000000000000000000000000%
24.00%   0.000000000000000000000000000000%
25.00%   0.000000000000000000000000000000%
26.00%   0.000000000000000000000000000000%
27.00%   0.000000000000000000000000000000%
28.00%   0.000000000000000000000000000000%
29.00%   0.000000000000000000000000000000%
30.00%   0.000000000000000000000000000000%
31.00%   0.000000000000000000000000000000%
32.00%   0.000000000000000000000000000000%
33.00%   0.000000000000000000000000000000%
34.00%   0.000000000000000000000000000000%
35.00%   0.000000000000000000000000000000%
36.00%   0.000000000000000000000000000000%
37.00%   0.000000000000000000000000000000%
38.00%   0.000000000000000000000000000000%
39.00%   0.000000000000000000000000000000%
40.00%   0.000000000000000000000000000000%
41.00%   0.000000000000000000000000000000%
42.00%   0.000000000000000000000000000000%
43.00%   0.000000000000000000000000000000%
44.00%   0.000000000000000000000000000000%
45.00%   0.000000000000000000000000000000%
46.00%   0.000000000000000000000000000000%
47.00%   0.000000000000000000000000000000%
48.00%   0.000000000000000000000000000000%
49.00%   0.000000000000000000000000000000%
50.00%   0.000000000000000000000000000000%
51.00%   0.000000000000000000000000000000%
52.00%   0.000000000000000000000000000000%
53.00%   0.000000000000000000000000000000%
54.00%   0.000000000000000000000000000000%
55.00%   0.000000000000000000000000000000%
56.00%   0.000000000000000000000000000000%
57.00%   0.000000000000000000000000000000%
58.00%   0.000000000000000000000000000000%
59.00%   0.000000000000000000000000000000%
60.00%   0.000000000000000000000000000000%
61.00%   0.000000000000000000000000000000%
62.00%   0.000000000000000000000000000000%
63.00%   0.000000000000000000000000000001%
64.00%   0.000000000000000000000000000010%
65.00%   0.000000000000000000000000000116%
66.00%   0.000000000000000000000000001340%
67.00%   0.000000000000000000000000014858%
68.00%   0.000000000000000000000000159011%
69.00%   0.000000000000000000000001643821%
70.00%   0.000000000000000000000016431848%
71.00%   0.000000000000000000000158977548%
72.00%   0.000000000000000000001490045153%
73.00%   0.000000000000000000013541214552%
74.00%   0.000000000000000000119419474830%
75.00%   0.000000000000000001022826903227%
76.00%   0.000000000000000008514806145328%
77.00%   0.000000000000000068947103756535%
78.00%   0.000000000000000543421016471357%
79.00%   0.000000000000004171906883622430%
80.00%   0.000000000000031217485503160500%
81.00%   0.000000000000227825861182904000%
82.00%   0.000000000001622618343797370000%
83.00%   0.000000000011284823741053800000%
84.00%   0.000000000076680647226003000000%
85.00%   0.000000000509363843932281000000%
86.00%   0.000000003309422376006270000000%
87.00%   0.000000021041680357344600000000%
88.00%   0.000000130986803482614000000000%
89.00%   0.000000798731961465741000000000%
90.00%   0.000004773110738113080000000000%
91.00%   0.000027965511772018800000000000%
92.00%   0.000160713505949909000000000000%
93.00%   0.000906299558920186000000000000%
94.00%   0.005017144113258120000000000000%
95.00%   0.027275759107716400000000000000%
96.00%   0.145679112273953000000000000000%
97.00%   0.764676040310662000000000000000%
98.00%   3.946136563891700000000000000000%
99.00%   20.027702685748900000000000000000%
100.00%   100.000000000000000000000000000000%

1.00%   0
2.00%   1.4615E-272
3.00%   2.1847E-244
4.00%   2.136E-224
5.00%   6.8423E-209
6.00%   3.193E-196
7.00%   1.6432E-185
8.00%   3.1217E-176
9.00%   4.7731E-168
10.00%   1E-160
11.00%   4.1959E-154
12.00%   4.6666E-148
13.00%   1.7019E-142
14.00%   2.4015E-137
15.00%   1.4949E-132
16.00%   4.5624E-128
17.00%   7.4444E-124
18.00%   6.9759E-120
19.00%   3.9864E-116
20.00%   1.4615E-112
21.00%   3.5899E-109
22.00%   6.1324E-106
23.00%   7.5241E-103
24.00%   6.8202E-100
25.00%   4.68168E-97
26.00%   2.48734E-94
27.00%   1.0428E-91
28.00%   3.50982E-89
29.00%   9.63118E-87
30.00%   2.18475E-84
31.00%   4.14831E-82
32.00%   6.66801E-80
33.00%   9.16707E-78
34.00%   1.08799E-75
35.00%   1.12431E-73
36.00%   1.01953E-71
37.00%   8.17101E-70
38.00%   5.82607E-68
39.00%   3.71824E-66
40.00%   2.13599E-64
41.00%   1.11024E-62
42.00%   5.2467E-61
43.00%   2.2644E-59
44.00%   8.96248E-58
45.00%   3.26589E-56
46.00%   1.09965E-54
47.00%   3.43287E-53
48.00%   9.96777E-52
49.00%   2.70006E-50
50.00%   6.84228E-49
51.00%   1.6264E-47
52.00%   3.63526E-46
53.00%   7.65842E-45
54.00%   1.52406E-43
55.00%   2.87098E-42
56.00%   5.12961E-41
57.00%   8.70917E-40
58.00%   1.4076E-38
59.00%   2.16931E-37
60.00%   3.19301E-36
61.00%   4.49545E-35
62.00%   6.06276E-34
63.00%   7.8431E-33
64.00%   9.74531E-32
65.00%   1.16449E-30
66.00%   1.33977E-29
67.00%   1.48583E-28
68.00%   1.59011E-27
69.00%   1.64382E-26
70.00%   1.64318E-25
71.00%   1.58978E-24
72.00%   1.49005E-23
73.00%   1.35412E-22
74.00%   1.19419E-21
75.00%   1.02283E-20
76.00%   8.51481E-20
77.00%   6.89471E-19
78.00%   5.43421E-18
79.00%   4.17191E-17
80.00%   3.12175E-16
81.00%   2.27826E-15
82.00%   1.62262E-14
83.00%   1.12848E-13
84.00%   7.66806E-13
85.00%   5.09364E-12
86.00%   3.30942E-11
87.00%   2.10417E-10
88.00%   1.30987E-09
89.00%   7.98732E-09
90.00%   4.77311E-08
91.00%   2.79655E-07
92.00%   1.60714E-06
93.00%   9.063E-06
94.00%   5.01714E-05
95.00%   0.000272758
96.00%   0.001456791
97.00%   0.00764676
98.00%   0.039461366
99.00%   0.200277027
100.00%   1

[majamina]

8 ROUNDS:

[majamina]

And in the interests of balance and fair play, here is the chart for 1 ROUND of darksend:

[fluffypony]

So given the probabilities I listed above, how many DS nodes do we need to compromise, or make 'dishonest' to disrupt the MN network and break privacy? Enough to render the opsec issue negligible it seems.

The problem with the probabilities discussion is that it relies heavily on a gambler's approach (I suspect Evan is/was a pro poker player or similar). It forgets two things:

An Attacker Can Extrapolate Data

If you have an attacker that owns 50% of the 2400-strong MN network through a combination of legal (subpoena+gag order) and illegal (hacking, torturing the operator into compliance) you would typically calculate "probabilities" for unmasking an 8-round Darksend like this:

(1200/2400)^8 = 0.00390625

However, consider the following series of Darksend mixing rounds:

    1            2            3            4            5            6            7            8
observed -> unobserved -> observed -> unobserved -> observed -> unobserved -> observed -> unobserved

Because there's only a single block between the observed rounds it is trivial for the attacker to extrapolate the unobserved rounds. In fact, unwinding an unobserved gap of 2 or 3 transactions is not infeasible.

This substantially changes things, and makes pure probabilistic thinking an incorrect analysis.

MasterNode blinding modifies the parameters, but not the outcome. An attacker can still extrapolate missing data, to a greater or lesser degree.

An Attacker Has Unlimited Time

If an attacker can control a portion of the network surreptitiously for a short period of time it can be accepted as a given that they can control it indefinitely and only grow their monitoring base by dedicating resources to taking over the remaining nodes (again through a combination of available methods). But let's assume that, hypothetically, they only control a portion of the network and are unable to grow it.

They will collect detailed MN data indefinitely, and will be able to extrapolate data and make "best guess" efforts at correlations. Remember that all they have to do is provide a tenable link between two people, and they can use external evidence to cement the rest. In fact, they can use parallel construction to attribute "good old fashioned police work" instead of a sophisticated and ongoing compromise.

They also don't need to observe a specific Darksend path - they have infinite time. They may not be able to observe enough of your Darksend mixing today, but what about tomorrow? Or next week? The more you mix (a natural result of time and usage) the greater their chances of figuring one of them out and being able to find this tenable link.

Of course, there can be continued attempts at obfuscation: increasing the minimum number of Darksend rounds to 150 or 200 to increase the probability of a big observation gap, for instance, but ultimately you're just increasing the complexity until you have an unbridled and unmanageable mess...and that is when an attacker stops needing to do complicated stuff and can just exploit the mistakes that are always made in overcomplicated systems.

[majamina]

MasterNode blinding modifies the parameters, but not the outcome. An attacker can still extrapolate missing data, to a greater or lesser degree.

Isn't it to a massively lesser degree?

No blinding:

(1200/2400)^8 = 0.00390625

Blinding

((1200/2400)^20)^8) = 6.84228E-49   (i'll let you work out the percentage, excel only displays 30 decimal places)

An Attacker Has Unlimited Time

If an attacker can control a portion of the network surreptitiously for a short period of time it can be accepted as a given that they can control it indefinitely and only grow their monitoring base by dedicating resources to taking over the remaining nodes (again through a combination of available methods). But let's assume that, hypothetically, they only control a portion of the network and are unable to grow it.

They will collect detailed MN data indefinitely, and will be able to extrapolate data and make "best guess" efforts at correlations. Remember that all they have to do is provide a tenable link between two people, and they can use external evidence to cement the rest. In fact, they can use parallel construction to attribute "good old fashioned police work" instead of a sophisticated and ongoing compromise.

They also don't need to observe a specific Darksend path - they have infinite time. They may not be able to observe enough of your Darksend mixing today, but what about tomorrow? Or next week? The more you mix (a natural result of time and usage) the greater their chances of figuring one of them out and being able to find this tenable link.

Of course, there can be continued attempts at obfuscation: increasing the minimum number of Darksend rounds to 150 or 200 to increase the probability of a big observation gap, for instance, but ultimately you're just increasing the complexity until you have an unbridled and unmanageable mess...and that is when an attacker stops needing to do complicated stuff and can just exploit the mistakes that are always made in overcomplicated systems.

I think this misrepresents how darksend works. Once you've mixed your coins you're good to go....if someone collected small amounts of information from a small number of MNs about those rounds of mixing, but didn't get enough to decode the transaction, when you mix at a later date this is completely unrelated to the earlier mixing session. How would you expect to correlate these sessions today, tomorrow or next week?

[strix]

I still don't understand what these "probabilities" illustrate? Either a transaction is traceable or it isn't. What exactly are the probabilities for?

I just popped in because I heard about majamina's chart and wanted to check it out. I must commend him for his patience in dealing with the discussion I see going on here.

Johny, either you have never studied statistics/probability or your Mnemonics aren't working. One coin toss will yield either a head or a tail. This equates to your "Either a transaction is traceable or it isn't." But what about the set of a billion coin tosses? While each is either heads or tails the set in a normal distribution tends towards .5 of each. Majamina's excellent chart shows that for anything less than close to 100% of the masternodes compromised, the chance of tracing any single transaction is vanishingly small.

For the gentleman (whose name I forgot sorry!) The refusal to comment on the implications of the chart, should the data be valid, shows yourself to be disingenuous. As a scientist and educator, I have no problem challenging the data behind a graph while recognizing the implication of that graph as it stands. It saves time, and shows respect for a worthy opponent. (Not to mention, demonstrates you have at least the education necessary to comprehend the math behind it.) There were many (and still a few, though much less) who disputed the validity of the data coming out of the LHC when the discovery of the Higg's Boson was announced. There was no disputing of the fact that the charts seemed to indicate that fact--if--the data was subsequently verified; which it was.

Your unwillingness to commit to the significance of majamina's chart reveals a mindset more concerned with preserving your personal status than one of someone who is truly in pursuit of the truth. That was sadly apparent after my reading the first few posts on this thread, and why I have refused to participate here.  I will watch for a little while to see the response this post gets. And maybe, if, it is received (and even countered) in a respectful manner I continue to check in.

Peace to you all...

[fluffypony]

Isn't it to a massively lesser degree?

No blinding:

(1200/2400)^8 = 0.00390625

Blinding

((1200/2400)^20)^8) = 6.84228E-49   (i'll let you work out the percentage, excel only displays 30 decimal places)

You're still approaching it probabilistically - a thousand factors can fingerprint the data and let our hypothetical attacker extrapolate (eg. output ordering). The more complication you layer on top the more likely it is to have cascading failures.

I think this misrepresents how darksend works. Once you've mixed your coins you're good to go....if someone collected small amounts of information from a small number of MNs about those rounds of mixing, but didn't get enough to decode the transaction, when you mix at a later date this is completely unrelated to the earlier mixing session. How would you expect to correlate these sessions today, tomorrow or next week?

You're misunderstanding. If you are only ever going to perform a single transaction then the attacker only has one chance of observing it. However, you are (presumably) going to receive funds on more than one occasion and use Darksend to pre-mix them. The danger is greater for a seller, who will do this more often, than for an individual who gets paid his salary once-a-month. For both, though, our hypothetical doesn't only have one chance to catch you, they have an indefinite number of chances. And you can take it as a given that the number of MasterNodes they control will grow over time, not decrease, especially if it gets used for illicit activity by a portion of the userbase.

[fluffypony]

Johny, either you have never studied statistics/probability or your Mnemonics aren't working. One coin toss will yield either a head or a tail. This equates to your "Either a transaction is traceable or it isn't." But what about the set of a billion coin tosses? While each is either heads or tails the set in a normal distribution tends towards .5 of each. Majamina's excellent chart shows that for anything less than close to 100% of the masternodes compromised, the chance of tracing any single transaction is vanishingly small.

I don't think anyone's questioning the validity of the data, but rather that probabilistic analysis of this makes WAY too many assumptions.

[majamina]

You're still approaching it probabilistically - a thousand factors can fingerprint the data and let our hypothetical attacker extrapolate (eg. output ordering). The more complication you layer on top the more likely it is to have cascading failures.

OK...perhaps you can give us, say, the top-ten of those factors that can fingerprint the data.

Also could you please explain how it is trivial to extrapolate the data when you control 50% of the MNs in your example above.

You're misunderstanding. If you are only ever going to perform a single transaction then the attacker only has one chance of observing it. However, you are (presumably) going to receive funds on more than one occasion and use Darksend to pre-mix them. The danger is greater for a seller, who will do this more often, than for an individual who gets paid his salary once-a-month. For both, though, our hypothetical doesn't only have one chance to catch you, they have an indefinite number of chances. And you can take it as a given that the number of MasterNodes they control will grow over time, not decrease, especially if it gets used for illicit activity by a portion of the userbase.

OK, I'm still not sure this is a fair representation. Hopefully someone who knows more about Darksend can chime in. I'll do some more research in the meantime.

And no offence, but you got it wrong about Darksend yesterday so I'm not sure that your assessment can be considered reliable.

[strix]

I still don't understand what these "probabilities" illustrate? Either a transaction can be traced or it cannot. What exactly are the probabilities of?

If you compromise a masternode and spy on it's activity, you can theoretically start to piece together all the required information to trace a Darksend transaction back to a user's wallet. Since nodes are selected randomly for Darksend, you would need to compromise the correct nodes to do so. These are the probabilities of you having compromised the correct nodes and therefore being able to decode the transaction.

Okay that makes sense. Thank you.

Johny M, I am reading from where majamina's chart was posted, up until I see my post. Having just read your post quoted here, I see that your question was not due to a lack of understanding statistics, but simply their application to masternodes. Please forgive my lack of approbation for you understanding of statistics. (FWIW--nice nym. )

[BlockaFett]

Johny, either you have never studied statistics/probability or your Mnemonics aren't working. One coin toss will yield either a head or a tail. This equates to your "Either a transaction is traceable or it isn't." But what about the set of a billion coin tosses? While each is either heads or tails the set in a normal distribution tends towards .5 of each. Majamina's excellent chart shows that for anything less than close to 100% of the masternodes compromised, the chance of tracing any single transaction is vanishingly small.

I don't think anyone's questioning the validity of the data, but rather that probabilistic analysis of this makes WAY too many assumptions.

do you have a specific vulnerability you want to bring to DRK's attention?  Sounds like more waffle and time wasting.

[Joshuar]

OK I plotted the curve:




Here are the numbers of nodes behind the graph - sorry, Excel only renders percentages to 30 decimal places so I'll do 2 tables, one with percentages and one with numbers.

1.00%   0.000000000000000000000000000000%
2.00%   0.000000000000000000000000000000%
...

This is just the upper bound of the probability to brake it if there are no flaws at all in the master nodes (but there is no way for you to prove so). With the current Dash "model" you can't know what the lower bound is. The lower bound could be just a straight vertical line at 0. So the best you could say about the probability of braking it with owning no master nodes at all is that it's between 0% and 100%.

Fair comment and one of the most interesting points made so far. It's not the number of Masternodes you have to compromise, but how easily you can compromise them. e.g. an exploit could be found and suddenly you have the whole network and can trace the transactions. There are obviously other points to consider there, but I get the idea.

XMR relies on cryptography, DRK relies on secure Masternode code to protect anonymity at any given point in time (since mixing is off-chain).

You could draw parallels with BTC. People have been trying to break it for years, no joy. I'm sure people are trying to break DASH given the effort going into trolling it - will be interesting to see how it plays out.

Dash actually was broken, at least Darksend was. When it was first open sourced there was a bug that allowed you to "deanonymize" transactions. I don't think anyone is really actively trying to break it at this moment, honestly, the reward for doing so is pretty petty. If someone did break it, they would probably keep the info to themselves for the moment.

[majamina]

Dash actually was broken, at least Darksend was. When it was first open sourced there was a bug that allowed you to "deanonymize" transactions. I don't think anyone is really actively trying to break it at this moment, honestly, the reward for doing so is pretty petty. If someone did break it, they would probably keep the info to themselves for the moment.

so all the energy is just going into trolling?     well, i think there was a recent thread about someone claiming to have broken Darksend, which came to nothing?

as for reward, there may be a small bounty for finding DS exploits, but the big reward is surely the reputational downside for DASH, which may allow another anon-focused coin to take over DASH market cap.

[Joshuar]

Dash actually was broken, at least Darksend was. When it was first open sourced there was a bug that allowed you to "deanonymize" transactions. I don't think anyone is really actively trying to break it at this moment, honestly, the reward for doing so is pretty petty. If someone did break it, they would probably keep the info to themselves for the moment.

so all the energy is just going into trolling?     well, i think there was a recent thread about someone claiming to have broken Darksend, which came to nothing?

as for reward, there may be a small bounty for finding DS exploits, but the big reward is surely the reputational downside for DASH, which may allow another anon-focused coin to take over DASH market cap.

This was back in late 2014 and has nothing to do with the current threat by that guy about deanonymizing darksend, so before you go accusing others of trolling, at least do your research first, newbie.

https://www.cryptocoinsnews.com/darkcoin-finds-fixes-darksend-privacy-bug/

https://bitcointalk.org/index.php?topic=816141.0 - darkcoin exploit found in 2 hours by amateur (why open source matters for anon)

[toknormal]

do you have a specific vulnerability you want to bring to DRK's attention?  Sounds like more waffle and time wasting.

It is.