Bitcoin Forum
Author Topic: Blind Bitcoin Transfers  (Read 14897 times)
duncant (OP)
June 06, 2011, 09:27:41 PM
 #1

As several of you have already found out, I'm currently running a cryptographically anonymous bitcoin mixer at https://blindbitcoin.com. I was planning on keeping this whole thing under wraps for a bit longer, but since people have already discovered it, I may as well make this announcement.

The site is still a "beta" service, so please be patient while I get all the kinks worked out.
None of the existing functionality is going to go away, nor am I going to break compatibility with the way the site currently runs. Most of what I'm going to be doing over the next few weeks is bug-fixing, and cleaning up the code. I'll release my source via the link on my site tomorrow (6/7/2011) morning around 9AM EST.

Right now the site charges a 0.02BTC commission. This is how much it costs my system to transfer bitcoins internally paying a transaction fee of 0.01BTC per KB. Once I've got all the bugs worked out, I plan to charge a 0.75% commission on new transfers. Transfers already made and tokens already issued will not be subject to this new charge.

A few people have emailed me about my use of the OpenCoin protocol. I don't actually use the OpenCoin protocol as it is written. I found their paper to be very interesting and I used a few modifications that they suggested to Chaum's original protocol.

Who am I?: My name is Duncan Townsend. I am a student at the Massachusetts Institute of Technology. I started writing my website because I found David Chaum's blind signing protocol absolutely fascinating and I saw its application to bitcoin. I don't consider myself particularly well-qualified to implement crypto, so I haven't actually implemented any cryptography in the course of writing my site. All the cryptography (with the exceptions of what I mention here: https://blindbitcoin.com/security.html) was taken from someone else's published cryptography library.

I'd like to hear from the community what they would like to see in the way of explanation or features. I'll be checking this thread all day, so post anything you've got here.
marcus_of_augustus
June 06, 2011, 10:06:19 PM
 #2


Following this thread.

Nice clean looking site btw.

Sottilde
June 06, 2011, 10:20:05 PM
 #3

Loving the site.  Great job, it looks great and I'm sure there are some users with a need for this service.
Oldminer
June 06, 2011, 10:27:04 PM
 #4

Nice. Do you intend to make it Android friendly too? BTW I hate the captcha - I find the 1+1 challenges much easier.

Findeton
June 06, 2011, 10:31:48 PM
 #5

I'm sure people will find this service useful.

duncant (OP)
June 06, 2011, 10:58:36 PM
 #6

@mother_of_another: Thanks! I put a lot of work into that. Do you have any comments on usability/aesthetics?

@Oldtimer: Yes I do plan to make the site mobile friendly. I was unaware that it did not work on Android phones, but that is now on my TODO list. Thank you! Sorry about the captcha, I'm seriously considering replacing it with a different part of my API, but right now my number 1 priority is getting my code into a state that I can release tomorrow morning.
TiagoTiago
June 07, 2011, 12:30:59 AM
 #7

I hope this time the tumbler implementation gets the approval of the people that understand the stuff; from what I've read, previous attempts had severe flaws that made them not all that helpful with anonymizing coins.

duncant (OP)
June 07, 2011, 02:19:51 AM
 #8

@TiagoTiago: Do you have a link to a discussion on how to best anonymize bitcoins? I've been sending all the bitcoins in my service to a single address (address, not account) from where they are eventually sent out when they are needed. I assumed that this was the "correct" way to do it because the address is the finest granularity one could observe. Thanks!
gongcheng
June 07, 2011, 02:32:30 AM
 #9

Mark this, I believe it will be useful.

However, right now the source code is not available, so I can't trust you.

duncant (OP)
June 07, 2011, 02:39:37 AM
 #10

@gongcheng: Thank you for your healthy skepticism. You can examine the client-side code in your browser and verify its correctness. The full source will be available by tomorrow (6/7/11) at 9AM EST.
duncant (OP)
June 07, 2011, 08:20:04 AM
 #11

I have posted my source code here: https://blindbitcoin.com/blind-bitcoin.tar.gz; the detached signature is here: https://blindbitcoin.com/blind-bitcoin.tar.gz.asc

Enjoy!
tehcodez
June 07, 2011, 12:59:17 PM
 #12

+1 to duncant and his service. I had a problem getting at a blinded token, and he worked with me and restored my btc. Looking forward to his progress.
bitlotto
June 07, 2011, 02:35:58 PM
 #13

Fantastic! I've been wondering how long till something like this comes about.
Most of it was over my head though.
Could the user wait a long time to redeem the coins? Or do you normally do it right away? If I, say, kept the token somewhere safe, could I redeem it sometime in the future or would it expire eventually?

matonis
June 07, 2011, 03:58:59 PM
 #14

+1 to duncant.  Nice planned implementation. I think I'm the one who found it over the weekend and tweeted it. Sorry to blow your cover, secret squirrel, but things are starting to move fast now. I also posted it to mikegogulski on the Bitcoin Laundry thread where it is being discussed here,  http://forum.bitcoin.org/index.php?topic=6891.0


duncant (OP)
June 07, 2011, 08:15:45 PM
 #15

@tehcodez: sorry you had a problem. As of this morning, I believe that I've fixed the problem that people were running into. Also, I implemented the session-recovery feature, so everything should be very robust. I'm glad I could be of service.

@bitlotto: Yes, right now the way the system is configured, you can wait up to 53 days to redeem the coins. You can also redeem them right away. I'm going to increase the amount of time that you can hold onto your tokens once I fix the last of the bugs. You should protect your tokens just like your bitcoin wallet. Anyone who gets that token can redeem it, and tokens can only be redeemed once.

@matonis: No hard feelings, everything is mostly ready to go. I'd have liked to get a little more of the explanation finished, but I'll just push out those changes as I finish them. Thanks for the kind words and the publicity!

I just read how Bitcoin Laundry's payout works. This seems like a very useful system. I'm going to look into the possibility of paying out for tokens over a period of time in random payments instead of all at once.

Once everything is stable, I'll make an announcement for anyone who's interested.

TiagoTiago
June 07, 2011, 10:38:52 PM
 #16

Quote
@TiagoTiago: Do you have a link to a discussion on how to best anonymize bitcoins? I've been sending all the bitcoins in my service to a single address (address, not account) from where they are eventually sent out when they are needed. I assumed that this was the "correct" way to do it because the address is the finest granularity one could observe. Thanks!

There was some discussion on the topic in that thread about Bitcoin safety for illegal trading and stuff, for example; I think it was called something along the lines of "how safe is Bitcoin for illegal business" or something, not sure exactly. Let me know if you can't find it on the forum and I'll see if I find it in my inbox (been following that discussion).

winnetou
June 12, 2011, 03:59:04 PM
 #17

+1

I can confirm that it is working, tried it with a 3-number sum of coins.
fergalish
June 17, 2011, 12:56:07 PM
 #18

Nice site. Nice service.

You should consider allowing people to conduct transactions with the mixer of only a single size, e.g. 5BTC. Otherwise an attacker could try some statistical analysis to identify coins in with coins out. With a single transfer size, there will be no way to associate input size with output size.

Next, you really should check out the legalities of this.  If you offered such a service with paper money, your most obvious clients would be organised crime and you'd probably be classified as a money launderer.  I had been thinking of setting up a bitcoin mixer, but got turned off once I thought of this issue.
bittersweet
June 17, 2011, 12:59:30 PM
 #19

I didn't try it out, but the service looks promising. Nice work.

Bezza
June 17, 2011, 01:40:25 PM
 #20

Great work Duncan.
marcus_of_augustus
June 17, 2011, 01:44:05 PM
 #21

Few questions;

- how do we know that the s/ware running on the web server is the same s/ware represented by the posted source code? (seems like this throws up an interesting technical problem of an "untrusted" server being verified to be running trusted source, maybe it has been solved elsewhere?)

- can you list any relevant technical stats that are not revealing but may serve to build trust in the integrity of the server's operation? .... throughput, total tokens blinded, issued, redeemed, faults, etc

Quote
If you offered such a service with paper money, your most obvious clients would be organised crime and you'd probably be classified as a money launderer.  I had been thinking of setting up a bitcoin mixer, but got turned off once I thought of this issue.

I disagree with this statement. Due to the public record of transactions of bitcoin, the most basic of transaction privacy can only be achieved by blinding services or "laundering" (pejorative, vague term anyway) ... the "most obvious client" is everyone who desires privacy for their individual transactions. Who amongst us would actually say "I prefer less privacy" when it concerns their own private transactions?

Simply put, privacy is not just for criminals, because the medium of exchange, bitcoin, is a fully open public transaction record, everybody needs blinding in this scenario.

duncant (OP)
June 17, 2011, 06:29:09 PM
 #22

@fergalish: I'll do you one better. By Sunday, I'll have rolled out a new pay-out system that should resist statistical analysis of the block chain. I'm doing some testing on it right now, to make sure that it's actually as difficult to analyze as I want it to be. You'll be able to pay in as much as you want, but how I pay out will be the anonymizing part.

@noone: There's no way I can make you trust that the code I'm running on the server is what I'm distributing. However, this is not a requirement for the system to be trustworthy and secure. You only have to trust that the client code functions as advertised. It is easy (well maybe not easy, but possible) to review the client code in your browser before running it. The worst that I could do to a client running functionally correct code is run off with their money.

I'll post technical stats once I finish the new pay-out system. Actually, once I finish the pay-out system and make sure there aren't any bugs, I'll declare the technical part of the service finished. Then I'll start work on making a mobile-friendly version of the site.

I agree with noone on the privacy point, but just to have my bases covered, I'm saving up (poor, starving student, and all that) for a legal consultation. If it turns out that this sort of thing is a huge liability, I'll find somebody who wants to deal with it and hand over all my source and non-source assets to them so that the site doesn't go away.

Quote
Simply put, privacy is not just for criminals, because the medium of exchange, bitcoin, is a fully open public transaction record, everybody needs blinding in this scenario.

This is an awesome quote. Do you mind if I use it in the future?
marcus_of_augustus
June 17, 2011, 11:22:28 PM
 #23

Quote
This is an awesome quote. Do you mind if I use it in the future?

Don't mind, attributable to no one.

TierNolan
July 01, 2011, 05:24:44 PM
 #24

Duncant, you say on your site that "The payout schedule for this service is not secure against analysis of the bitcoin chain." 

Is that a reference to the problem that occurs when you have too few customers and/or too many different sizes of coin, or is it something else?

duncant (OP)
July 02, 2011, 03:54:21 AM
 #25

Quote
Duncant, you say on your site that "The payout schedule for this service is not secure against analysis of the bitcoin chain."

Is that a reference to the problem that occurs when you have too few customers and/or too many different sizes of coin, or is it something else?

The problem is that there are too many unique transaction sizes. I've had a fix to this problem in the pipeline for the last few weeks (see my last post), but what with the MtGox hack and my day job's machines all deciding to crash, I haven't gotten the chance to work on it solidly.

As you may have noticed, I've taken the site down for the weekend to get this and a few other bugs fixed. Everything will be back (and better) on Monday. The warning message that you quote will be gone because I'll have fixed that flaw.

Also, for anybody who's interested: I've consulted off-the-record with a few lawyers about the legality of this sort of thing. They're all of the opinion that this certainly does not constitute money laundering because bitcoin isn't "really money" in the eyes of the law. It could, possibly, be considered smuggling, but that is unlikely considering that no physical goods are exchanged.
marcus_of_augustus
July 02, 2011, 06:16:28 AM
 #26

Quote
Duncant, you say on your site that "The payout schedule for this service is not secure against analysis of the bitcoin chain."

Is that a reference to the problem that occurs when you have too few customers and/or too many different sizes of coin, or is it something else?

The problem is that there are too many unique transaction sizes. I've had a fix to this problem in the pipeline for the last few weeks (see my last post), but what with the MtGox hack and my day job's machines all deciding to crash, I haven't gotten the chance to work on it solidly.

As you may have noticed, I've taken the site down for the weekend to get this and a few other bugs fixed. Everything will be back (and better) on Monday. The warning message that you quote will be gone because I'll have fixed that flaw.

Also, for anybody who's interested: I've consulted off-the-record with a few lawyers about the legality of this sort of thing. They're all of the opinion that this certainly does not constitute money laundering because bitcoin isn't "really money" in the eyes of the law. It could, possibly, be considered smuggling, but that is unlikely considering that no physical goods are exchanged.

I don't see how it could be. It is a purely mathematical process performed on some electronic data. Are we going to outlaw any electronic maths next? Is that the realm of insanity the totalitarians are taking us into? Money needs to be free or it no longer functions as money, and all society suffers for it.

markm
July 02, 2011, 07:38:55 AM
 #27

I'd suggest consulting on the record with a lawyer who has significant professional standing to lose.

Almost any "front" can be used to launder money, even an actual laundromat.

I am not a lawyer, but if I used my laundromat to launder money I would not expect to get off by saying "but laundry is not real money" nor "but all I was doing was smuggling real money into the laundromat and out again, not actually putting it in the washing machine!"

-MarkM-

duncant (OP)
July 02, 2011, 03:55:44 PM
 #28

Quote
I'd suggest consulting on the record with a lawyer who has significant professional standing to lose.

Almost any "front" can be used to launder money, even an actual laundromat.

I am not a lawyer, but if I used my laundromat to launder money I would not expect to get off by saying "but laundry is not real money" nor "but all I was doing was smuggling real money into the laundromat and out again, not actually putting it in the washing machine!"

-MarkM-


Oh, absolutely. I'm still looking for a lawyer who is comfortable with both IT law and financial law to give me an on the record consultation.

To go back to your actual laundromat analogy: consider if a criminal buys a bunch of dirty clothes at Goodwill with his dirty money and then washes them at a laundromat. He sells them to someone who is unaware of the origin of the clothes because they are now clean and whiter (assume the criminal used bleach). The laundromat would not be "on the hook" for money laundering because they never handled "actual money". I believe this is analogous to bitcoin anonymizers.
hashcoin
July 02, 2011, 05:27:16 PM
 #29

I agree this is really dumb from a liability perspective and you are asking for trouble IMO.  If you are at The Institute and don't want to spend money on a lawyer, I would strongly suggest you consider talking to Ron Rivest.  He is not a lawyer, but I think he will be able to give you very very helpful advice.  First he is very familiar with anonymous e-cash, as he's studied and published on it.  He's also started two crypto-based micropayment companies (peppercoin and another) so he is likely quite familiar with the relevant laws.  Third, and most importantly, he has first-hand experience in dealing with situations where ugrads get themselves into a world of shit (see charliecard incident).

Now, to be a huge asshole and maybe motivate you more, I'll say frankly I'm not impressed with this. I bet I could take a uniform random ugrad in CSAIL, hand them a basic description of blind sigs, and they would produce what you did. Here is what would impress me: do this without any liability by not requiring trust even for you to not run with the money (i.e., let people do this entirely p2p without trusting anyone). Seriously, think about it before you read the next paragraph, and if you realize how to do it great. If not I probably wouldn't either when I was a ugrad, so here's how to do it. Unlike blind sigs, even with this description there is quite a lot of work to go from idea to reality.

---

What you are basically providing is a protocol where N people can submit bitcoins to an address under your control, and then you will spend them back to N different addresses without knowing the mapping.  First observe people don't need you at all for this, because bitcoin supports multi-in, multi-out TX.  So N people can do this without you.

Attempt 1:  N people who want to mix coins get together and build a TX.  We get together in a circle and, starting from a blank piece of paper, pass it around the circle, each step adding our input and our output to a random location.  After it has been passed around once, it gets passed around again.  This time, assuming my input and output is still there, I sign the tx and pass it on.  If everyone signs it, it is broadcast and we're done.

Problem: This is entirely secure from outsiders, but leaks information to other participants.  E.g. if you are first in the circle and I'm second, I know your input/output mapping.  Similarly if you're last and I'm second-to-last.

Correct solution: Realize what you have is basically a protocol for N+1 participants, where one is a trusted third party to do the input/output mapping. There exists a generic transformation, called Secure Multi-party Computation, that takes such a protocol and eliminates the trusted participant to yield a cryptographically sound protocol performable by the N parties. More precisely, for any function f, N people can compute f(x1,...,xN) without revealing their xi. At the end each party only learns about others' input by what is revealed from f() itself.

So here the setting is xi = (input_i, output_i, secretkey_i, random_i) where input/output are desired addresses, secretkey is the ECDSA key for the input, and random_i is enough random bits to specify a random permutation perm_i on [N].  The output is the following TX, signed by all parties.  Let perm = perm1 o perm2 o perm3 o ... o permN.  Note that if even a single person chooses his permutation at random, then perm is a uniformly random permutation.

inputs: input1, input2, .. inputN.
outputs: output_perm(1), ..., output_perm(N)

Note at the end, all I learn is the inputs, outputs, and that in the overall perm my input was matched to my output.  In particular, the input:output mapping is a random permutation conditioned on knowing the value at one point.

Now that would impress me, and many others too.  In particular existing MPC protocols are likely not practical.  You will likely need to do some work studying the work on 2PC that has been done since the 80s to make it practical.  AFAIK not much has been done since the original defn in [Yao 82] to make general MPC practical.

It's also possible that there's a way to make the paper-passing protocol secure with many more rounds that involve adding garbage addresses and removing other peoples, only to have them add a new one back later.  It seems tricky to get privacy and get something like this to eventually converge, but I can't rule it out entirely so wouldn't dismiss it yet.
TierNolan
July 02, 2011, 05:55:26 PM
 #30

Quote
Seriously, think about it before you read the next paragraph, and if you realize how to do it great.  If not I probably wouldn't either when I was a ugrad, so here's how to do it.  Unlike blind sigs, even with this description there is quite a lot of work to go from idea to reality.

I assume that the point is that Chaum's scheme is for offline cash payments??  His system detects double payments after the fact.

Since bitcoin is inherently online, there is a lot of redundancy in the system.

mouse
July 02, 2011, 06:15:33 PM
 #31

Quote
What you are basically providing is a protocol where N people can submit bitcoins to an address under your control, and then you will spend them back to N different addresses without knowing the mapping.  First observe people don't need you at all for this, because bitcoin supports multi-in, multi-out TX.  So N people can do this without you.

This is an interesting idea. I'm assuming that to make the coins anonymous, a set denomination needs to be used, and the coin mixing process needs to be repeated multiple times, preferably with different, new members, over the network.

I can't really help the OP with this problem, but I hope someone tackles and implements this. Doing a cursory glance there appears to be quite a lot of new work on MPC. e.g.
Secure multi-party computation over networks, Nishitani Y, Igarashi Y 2000
duncant (OP)
July 02, 2011, 06:58:52 PM
 #32

Quote
I bet I could take a uniform random ugrad in CSAIL, hand them a basic description of blind sigs, and they would produce what you did.

No bet. I am a "random ugrad in CSAIL" and I've been called a great many things worse than that.

Thanks for the suggestion to see Prof. Rivest.

I was not aware of Secure Multi-Party Communication. This is just a side project of mine, I'm more of an AI guy than a crypto guy. I think if someone were to implement the scheme you describe, it would have to be either as an extension to the bitcoin client or in the bitcoin client itself. If I have the opportunity (read: time), though, I'll definitely work on this. Thanks a bunch for the suggestion. It seems like the "right way" to do bitcoin anonymizing.
hashcoin
July 02, 2011, 08:13:02 PM
 #33

This would indeed need separate client software (once you do p2p instead of centralized, you need your own software.  what a shame! If only it were as easy to launch new p2p software as it were to start a website.  Hmm....), but I was not thinking including in bitcoin since this is something highly specialized.  Presumably this would be something like the TOR network for bitcoin: a separate p2p client for mixnets.

Secure MPC is quite interesting and in general you can think of it as the "big hammer" or perhaps more like the "nuclear bomb" of cryptography. Every sophisticated crypto protocol we know of (anonymous e-cash, secure electronic voting, zero-knowledge proofs) is in fact a special case of secure MPC. The problem is because it's so general it's not practical yet, so while we knew how to do these things using MPC, to do them in real life typically one needs to come up with a special case solution. However, taking a protocol, doing the secure MPC transformation on it, and then simplifying from there can be good. In particular a hot-potato scheme where a list is passed around and when it gets to you, you shuffle the outputs, replace your output with a new one, and pass it on could possibly be a starting point. In particular this scheme protects the last K from the K+1'st-to-last.

Also I wouldn't consider being called a "random CSAIL ugrad" a bad thing, I was just trying to motivate you to make a better system that actually protects you.
duncant (OP)
July 29, 2011, 04:30:18 PM
 #34

Hey all. My site is currently down while I figure out a bug that somebody was able to exploit to insert erroneous pay-outs into my scheduler.

Rest assured that I have the bitcoins to honor legitimate pay-outs and that business will resume as soon as I find the bug.
duncant (OP)
July 29, 2011, 07:28:25 PM
 #35

Scratch that on the business resuming.

I have decided that the liability of running a site like this is just too great and the monetary benefit is too small.

I will continue to honor unredeemed tokens and existing scheduled pay-outs, but I will not be accepting new transactions.

If anyone wants to carry on this site, I can help you get everything up and running.

--Duncan
Trader Steve
July 29, 2011, 07:51:56 PM
 #36

Duncan,

Thanks for putting this together. Hopefully someone will take it and run with it. People deserve privacy in their personal affairs.

Trader Steve
thefussydutchman
July 29, 2011, 10:52:31 PM
 #37

Site says closed for good?
duncant (OP)
July 29, 2011, 10:55:31 PM
 #38

Yeah, I think so. The potential liability of somebody finding an exploit and stealing from my customers, plus the potential legal liability is too much to shoulder for the amount of money that I could potentially make on that sort of thing.

It makes me very sad to have to close the site, especially after I've put in n-hundred hours of work on it, but I think this is the best option.

I'll reiterate: if anyone wants to take over operating the site, I will give any and all assistance I can. I really don't want to see this site die, even if I can't run it anymore.
Vod
July 29, 2011, 11:11:25 PM
 #39

Quote
Yeah, I think so. The potential liability of somebody finding an exploit and stealing from my customers, plus the potential legal liability is too much to shoulder for the amount of money that I could potentially make on that sort of thing.

It makes me very sad to have to close the site, especially after I've put in n-hundred hours of work on it, but I think this is the best option.

I'll reiterate: if anyone wants to take over operating the site, I will give any and all assistance I can. I really don't want to see this site die, even if I can't run it anymore.

Duncan, with your generic message on, I can't tell much about the technology.  What language and database did you use?  What compensation are you looking at in exchange for transfer of the service?

vod.fan - coming soon!  Free image hosting and URL shortening
clubcrypto.live coming soon!  Work and play at home - earn crypto and video game NFTs
duncant (OP)
Newbie
*

Activity: 53
Merit: 0


July 29, 2011, 11:33:20 PM
 #40

Yeah, I think so. The potential liability of somebody finding an exploit and stealing from my customers, plus the potential legal liability is too much to shoulder for the amount of money that I could potentially make on that sort of thing.

It makes me very sad to have to close the site, especially after I've put in n-hundred hours of work on it, but I think this is the best option.

I'll reiterate: if anyone wants to take over operating the site, I will give any and all assistance I can. I really don't want to see this site die, even if I can't run it anymore.

Duncan, with your generic message on, I can't tell much about the technology.  What language and database did you use?  What compensation are you looking at in exchange for transfer of the service?

The site is written in Python, using Twisted. The RSA parts of the site are written in C (via pycrypto) for speed and Python calls out to it via the CPython C-extension API.

The database is MySQL, but you could easily port it to Postgres since the Twisted API for MySQL and Postgres is the same.

The client-side code is all javascript (obviously) and I use jQuery as well as jsbn (javascript bignum) and some other libraries that are GPL/BSD licensed.

If you're interested in running the site, shoot me a PM and we can work out compensation, etc.
willphase
Hero Member
*****

Activity: 768
Merit: 500


July 29, 2011, 11:36:34 PM
 #41

Subscribing... Am interested in hashcoin's ideas too...

Once I get back to a real computer I'll be able to type more (on my phone right now) but how does the protocol overcome the fact that the input amount for person x will match the output for person x. Am assuming that you could potentially have a set of fixed transaction rings that you join each one with a set btc amount? Then I suppose it would just be a matter for the software to split the btc amount down amongst each ring?

OP - sorry you had to close your site, bitcoin needs more people like you making solutions and services.

Will

Vod
Legendary
*

Activity: 3458
Merit: 2934


Licking my boob since 1970


July 29, 2011, 11:42:48 PM
 #42

If you're interested in running the site, shoot me a PM and we can work out compensation, etc.

I don't want to dissuade others, so I'm posting here that I'm not interested.  I think it's a great idea, but I don't have much experience with those technologies.   Sad   Good luck!

vod.fan - coming soon!  Free image hosting and URL shortening
clubcrypto.live coming soon!  Work and play at home - earn crypto and video game NFTs
hashcoin
Full Member
***

Activity: 373
Merit: 101


July 30, 2011, 01:14:29 AM
 #43

Subscribing... Am interested in hashcoin's ideas too...

Once I get back to a real computer I'll be able to type more (on my phone right now) but how does the protocol overcome the fact that the input amount for person x will match the output for person x. Am assuming that you could potentially have a set of fixed transaction rings that you join each one with a set btc amount? Then I suppose it would just be a matter for the software to split the btc amount down amongst each ring?

OP - sorry you had to close your site, bitcoin needs more people like you making solutions and services.

Will


This is correct of course -- everyone needs to put in the same amount.  Presumably there would be a number of "mix clubs" running at a time, each for different amounts.  Rather than discuss here I'll make a thread in dev section.
d'aniel
Sr. Member
****

Activity: 461
Merit: 251


August 03, 2011, 07:44:36 AM
 #44

I agree this is really dumb from a liability perspective and you are asking for trouble IMO.  If you are at The Institute and don't want to spend money on a lawyer, I would strongly suggest you consider talking to Ron Rivest.  He is not a lawyer, but I think he will be able to give you very very helpful advice.  First he is very familiar with anonymous e-cash, as he's studied and published on it.  He's also started two crypto-based micropayment companies (peppercoin and another) so he is likely quite familiar with the relevant laws.  Third, and most importantly, he has first-hand experience in dealing with situations where ugrads get themselves into a world of shit (see charliecard incident).

Now, to be a huge asshole and maybe motivate you more, I'll say frankly I'm not impressed with this.  I bet I could take a uniform random ugrad in CSAIL, hand them a basic description of blind sigs, and they would produce what you did.  Here is what would impress me: do this without any liability by not requiring trust even for you to not run with the money (i.e., let people do this entirely p2p without trusting anyone).  Seriously, think about it before you read the next paragraph, and if you realize how to do it great.  If not I probably wouldn't either when I was a ugrad, so here's how to do it.  Unlike blind sigs, even with this description there is quite a lot of work to go from idea to reality.

---

What you are basically providing is a protocol where N people can submit bitcoins to an address under your control, and then you will spend them back to N different addresses without knowing the mapping.  First observe people don't need you at all for this, because bitcoin supports multi-in, multi-out TX.  So N people can do this without you.

Attempt 1:  N people who want to mix coins get together and build a TX.  We get together in a circle and, starting from a blank piece of paper, pass it around the circle, each step adding our input and our output to a random location.  After it has been passed around once, it gets passed around again.  This time, assuming my input and output is still there, I sign the tx and pass it on.  If everyone signs it, it is broadcast and we're done.

Problem: This is entirely secure from outsiders, but leaks information to other participants.  E.g. if you are first in the circle and I'm second, I know your input/output mapping.  Similarly if you're last and I'm second-to-last.

Correct solution:  Realize what you have is basically a protocol for N+1 participants, where one is a trusted third party to do the input/output mapping.  There exists a generic transformation, called Secure Multi-party Computation that takes such a protocol and eliminates the trusted participant to yield a cryptographically sound protocol performable by the N parties.  More precisely, for any function f, N people can compute f(x1,...,xN) without revealing their xi.  At the end each party only learns about others' input by what is revealed from f() itself.

So here the setting is xi = (input_i, output_i, secretkey_i, random_i) where input/output are desired addresses, secretkey is the ECDSA key for the input, and random_i is enough random bits to specify a random permutation perm_i on [N].  The output is the following TX, signed by all parties.  Let perm = perm1 o perm2 o perm3 o ... o permN.  Note that if even a single person chooses his permutation at random, then perm is a uniformly random permutation.

inputs: input1, input2, .. inputN.
outputs: output_perm(1), ..., output_perm(N)

Note at the end, all I learn is the inputs, outputs, and that in the overall perm my input was matched to my output.  In particular, the input:output mapping is a random permutation conditioned on knowing the value at one point.

Now that would impress me, and many others too.  In particular existing MPC protocols are likely not practical.  You will likely need to do some work studying the work on 2PC that has been done since the 80s to make it practical.  AFAIK not much has been done since the original defn in [Yao 82] to make general MPC practical.

It's also possible that there's a way to make the paper-passing protocol secure with many more rounds that involve adding garbage addresses and removing other peoples, only to have them add a new one back later.  It seems tricky to get privacy and get something like this to eventually converge, but I can't rule it out entirely so wouldn't dismiss it yet.

Since MPC relies on at least one server being honest anyway, could this proposal be simplified by having each participant send their bitcoins to a pool controlled by unanimous consent of the mix operators, prior to the computation?  They could use the keys they sent with to sign the pieces of (output_i, random_i) sent to each of the servers to prove they are valid.  They could receive a locked transaction signed by all the servers which will return their coins in the event that unanimous consent is not reached by the servers to distribute the coins.  Thus, the only way for participants to lose their coins is for all of the mix operators to collude.

Also because we're relying on at least one server being honest, do we really need a random_i from each of the mix participants?  Could we get away with just having one from each of the servers?

I have no idea how the MPC is done from here, though.  But here's an interesting paper http://eprint.iacr.org/2008/068 describing a recent successful implementation of MPC with three servers and over 1000 participants in a real world auction.

I question if this kind of machinery is necessary for a mix, though.  Couldn't the same result be achieved by the mix operators doing the above pooling, and selecting a server to issue untraceable, unlinkable digital cash in exchange for the bitcoins?  The participants could then break their digital cash up into standardized sizes that maximize the size of the anonymity set, and then redeem the pieces to separate bitcoin addresses.  Of course the server would have to run as a Tor hidden service in order to obfuscate participants' IP addresses.
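The N-party mixing transaction that hashcoin sketches in the quoted post (inputs kept in order, output slot i receiving output_perm(i) with perm = perm1 o perm2 o ... o permN), as an added Python example that is not code from this thread, from blindbitcoin, or from any MPC library. It models only the output of the multi-party computation, not the secure computation itself: here every party's perm_i is combined in the clear to show what the final TX looks like and what one participant can read from it, whereas in the real protocol each perm_i stays private. The address strings are constructed placeholders, and `mix_outputs`, `view_of_participant` and `estimate_self_match_rate` are hypothetical helper names chosen for this illustration.

```python
import random
from typing import Dict, List, Optional, Sequence

Perm = List[int]


def random_perm(n: int, rng: Optional[random.Random] = None) -> Perm:
    """Uniformly random permutation of range(n) (Fisher-Yates via shuffle).

    Uses the OS CSPRNG unless a seeded generator is passed (tests only)."""
    if rng is None:
        rng = random.SystemRandom()
    p = list(range(n))
    rng.shuffle(p)
    return p


def is_perm(p: Sequence[int], n: int) -> bool:
    """True if p is a bijection on range(n)."""
    return len(p) == n and sorted(p) == list(range(n))


def compose(p: Sequence[int], q: Sequence[int]) -> Perm:
    """(p o q)(i) = p[q[i]]."""
    return [p[q[i]] for i in range(len(q))]


def mix_outputs(inputs: Sequence[str], outputs: Sequence[str],
                perms: Sequence[Perm]) -> Dict[str, List[str]]:
    """Build the multi-in/multi-out transaction body from the post:
    inputs stay in order, output slot i receives output_perm(i) where
    perm = perm_1 o perm_2 o ... o perm_N.

    Assumption: each party committed to its perm_i before seeing the others'
    (the MPC enforces this); otherwise the last party could choose the inverse
    of the rest and undo the mix."""
    n = len(inputs)
    if len(outputs) != n or len(perms) != n:
        raise ValueError("need exactly one input, output and perm per party")
    perm: Perm = list(range(n))  # start from the identity permutation
    for p in perms:
        if not is_perm(p, n):
            raise ValueError("each contribution must be a permutation of [N]")
        perm = compose(perm, p)
    return {
        "inputs": list(inputs),
        "outputs": [outputs[perm[i]] for i in range(n)],
    }


def view_of_participant(tx: Dict[str, List[str]], own_output: str) -> int:
    """What a party learns from the final TX beyond the public lists: only the
    slot holding its own output, i.e. the single point of perm it already knows."""
    return tx["outputs"].index(own_output)


def estimate_self_match_rate(n: int, trials: int,
                             seed: Optional[int] = None) -> float:
    """Fraction of trials in which party 0's output lands in slot 0 when the
    other N-1 parties all contribute the identity permutation (worst case:
    only one honest random perm_i). It approaches 1/n, illustrating the
    post's remark that a single honest random permutation suffices."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    identity = list(range(n))
    ins = [f"in{i}" for i in range(n)]    # constructed placeholder addresses
    outs = [f"out{i}" for i in range(n)]
    hits = 0
    for _ in range(trials):
        perms = [identity] * (n - 1) + [random_perm(n, rng)]
        if view_of_participant(mix_outputs(ins, outs, perms), "out0") == 0:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    ins = ["in0", "in1", "in2"]      # constructed placeholder addresses
    outs = ["out0", "out1", "out2"]
    tx = mix_outputs(ins, outs, [random_perm(3) for _ in ins])
    print(tx)
    print("party 0's output sits in slot", view_of_participant(tx, "out0"))
    print("self-match rate, one honest party of 4:",
          estimate_self_match_rate(4, 2000))
```

Running the script shows that the input list is unchanged, the output list is a shuffled copy, and the only fact a participant can recover is which slot holds its own address; `estimate_self_match_rate(4, 2000)` comes out near 0.25 even though three of the four contributions are the identity, which is the property that makes the composed permutation safe to use as long as one party is honest.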
AaronM
Member
**

Activity: 76
Merit: 10


December 02, 2011, 01:10:08 AM
 #45

Hello, I noticed blindbitcoin.com is down. Has this been discontinued?

Spare some BTC for a biology student? 1DZcEUEo9rX7LQWcYzVR6Btqj2sMqRznbB
fivebells
Sr. Member
****

Activity: 462
Merit: 250


December 02, 2011, 03:16:24 AM
 #46

DNS appears to be inaccurate (resolves to IP address 1.2.3.4.)
Akemashite Omedetou
Member
**

Activity: 84
Merit: 13



December 03, 2011, 04:05:15 AM
 #47

As the TS has written in post #35, he is no longer running the service.

However, you may wanna check out our service: https://bitcointalk.org/index.php?topic=50037.0
We already supersede blindbitcoin in functionality, run through TOR, and have a couple of other advantages.
The Fog is not based on blindbitcoins however, and thus we don't share any of its bugs that may have led to discontinuation of its service.

(sorry for the shameless plugging, but it seemed like you were searching for a good working anon-service)

Bitcoin Fog: Secure Bitcoin Anonymization

---
Creedy: Die! Die! Why won't you die?... Why won't you die?
V: Beneath this mask there is more than flesh. Beneath this mask there is an idea, Mr. Creedy, and ideas are bulletproof.