I agree this is really dumb from a liability perspective and you are asking for trouble IMO. If you are at The Institute and don't want to spend money on a lawyer, I would strongly suggest you consider talking to Ron Rivest. He is not a lawyer, but I think he will be able to give you very very helpful advice. First he is very familiar with anonymous e-cash, as he's studied and published on it. He's also started two crypto-based micropayment companies (peppercoin and another) so he is likely quite familiar with the relevant laws. Third, and most importantly, he has first-hand experience in dealing with situations where ugrads get themselves into a world of shit (see charliecard incident).

Now, to be a huge asshole and maybe motivate you more, I'll say frankly I'm not impressed with this. I bet I could take a uniform random ugrad in CSAIL, hand them a basic description of blind sigs, and they would produce what you did. Here is what would impress me: do this without any liability by not requiring trust even for you to not run with the money (i.e., let people do this entirely p2p without trusting

*anyone*). Seriously, think about it before you read the next paragraph, and if you realize how to do it great. If not I probably wouldn't either when I was a ugrad, so here's how to do it. Unlike blind sigs, even with this description there is quite alot of work to go from idea to reality.

---

What you are basically providing is a protocol where N people can submit bitcoins to an address under your control, and then you will spend them back to N different addresses without knowing the mapping. First observe people don't need you at all for this, because bitcoin supports multi-in, multi-out TX. So N people can do this without you.

Attempt 1: N people who want to mix coins get together and build a TX. We get together in a circle and, starting from a blank piece of paper, pass it around the circle, each step adding our input and our output to a random location. After it has been passed around once, it gets passed around again. This time, assuming my input and output is still there, I sign the tx and pass it on. If everyone signs it, it is broadcast and we're done.

Problem: This is entirely secure from outsiders, but leaks information to other participants. E.g. if you are first in the circle and I'm second, I know your input/output mapping. Similarly if you're last and I'm second-to-last.

Corrrect solution: Realize what you have is basically a protocol for N+1 participants, where one is a trusted third party to do the input/output mapping. There exists a generic transformation, called

Secure Multi-party Computation that takes such a protocol and

*eliminates the trusted particpant* to yield a cryptographically sound protocol performable by the N parties. More precisely, for any function f, N people can compute f(x1,...,xN) without revealing their xi. At the end each party only learns about others' input by what is revealed from f() itself.

So here the setting is xi = (input_i, output_i, secretkey_i, random_i) where input/output are desired addresses, secretkey is the ECDSA key for the input, and random_i is enough random bits to specify a random permutation perm_i on [N]. The output is the following TX, signed by

*all* parties. Let perm = perm1 o perm2 o perm3 o ... o permN. Note that

*if even a single person* chooses his permutation at random, then perm is a uniformly random permutation.

inputs: input1, input2, .. inputN.

outputs: output_perm(1), ..., output_perm(N)

Note at the end, all I learn is the inputs, outputs, and that in the overall perm my input was matched to my output. In particular, the input:output mapping is a random permutation conditioned on knowing the value at one point.

Now

**that** would impress me, and many others too. In particular existing MPC protocols are likely not practical. You will likely need to do some work studying the work on 2PC that has been done since the 80s to make it practical. AFAIK not much has been done since the original defn in [Yao 82] to make general MPC practical.

It's also possible that there's a way to make the paper-passing protocol secure with many more rounds that involve adding garbage addresses and removing other peoples, only to have them add a new one back later. It seems tricky to get privacy and get something like this to eventually converge, but I can't rule it out entirely so wouldn't dismiss it yet.

Since MPC relies on at least one server being honest anyway, could this proposal be simplified by having each participant send their bitcoins to a pool controlled by unanimous consent of the mix operators, prior to the computation? They could use the keys they sent with to sign the pieces of (output_i, random_i) sent to each of the servers to prove they are valid. They could receive a locked transaction signed by all the servers which will return their coins in the event that unanimous consent is not reached by the servers to distribute the coins. Thus, the only way for participants to lose their coins is for all of the mix operators to collude.

Also because we're relying on at least one server being honest, do we really need a random_i from each of the mix participants? Could we get away with just having one from each of the servers?

I have no idea how the MPC is done from here, though. But here's an interesting paper

describing a recent successful implementation of MPC with three servers and over 1000 participants in an real world auction.

I question if this kind of machinery is necessary for a mix, though. Couldn't the same result be achieved by the mix operators doing the above pooling, and selecting a server to issue untraceable, unlinkable digital cash in exchange for the bitcoins? The participants could then break their digital cash up into standardized sizes that maximize the size of the anonymity set, and then redeem the pieces to separate bitcoin addresses. Of course the server would have to run as a Tor hidden service in order to obfuscate participants' IP addresses.