Blind Bitcoin Transfers

[marcus_of_augustus]

Few questions;

- how do we know that the s/ware running on the web server is the same s/ware represented by the posted source code? (seems like this throws up an interesting technical problem of an "untrusted" server being verified to be running trusted source, maybe it has been solved elswhere?)

- can you list any relevant technical stats that are not revealing but may serve to build trust in the integrity of the servers operation? .... throughput, total tokens blinded, issued, redeemed, faults, etc

If you offered such a service with paper money, your most obvious clients would be organised crime and you'd probably be classified as a money launderer.  I had been thinking of setting up a bitcoin mixer, but got turned off once I thought of this issue.

I disagree with this statement. Due to the public record of transactions of bitcoin, the most basic of transaction privacy can only be achieved by blinding services or "laundering" (perjorative, vague term anyway) ... the "most obvious client" is everyone who desires privacy for their individual transactions. Who amongst us would actually say "I prefer less privacy" when it concerns their own private transactions?

Simply put, privacy is not just for criminals, because the medium of exchange, bitcoin, is a fully open public transaction record, everybody needs blinding in this scenario.

[1714320557]

1714320557

[1714320557]

1714320557

[1714320557]

1714320557

[1714320557]

1714320557

[duncant]

@fergalish: I'll do you one better. By Sunday, I'll have rolled out a new pay-out system that should resist statistical analysis of the block chain. I'm doing some testing on it right now, to make sure that it's actually as difficult to analyze as I want it to be. You'll be able to pay in as much as you want, but how I pay out will be the anonymizing part.

@noone: There's no way I can make you trust that the code I'm running on the server is what I'm distributing. However, this is not a requirement for the system to be trustworthy and secure. You only have to trust that the client code functions as advertised. It is easy (well maybe not easy, but possible) to review the client code in your browser before running it. The worst that I could do to a client running functionally correct code is run off with their money.

I'll post technical stats once I finish the new pay-out system. Actually, once I finish the pay-out system and make sure there aren't any bugs, I'll declare the technical part of the service finished. Then I'll start work on making a mobile-friendly version of the site.

I agree with noone on the privacy point, but just to have my bases covered, I'm saving up (poor, starving student, and all that) for a legal consultation. If it turns out that this sort of thing is a huge liability, I'll find somebody who wants to deal with it and hand over all my source and non-source assets to them so that the site doesn't go away.

Simply put, privacy is not just for criminals, because the medium of exchange, bitcoin, is a fully open public transaction record, everybody needs blinding in this scenario.

This is an awesome quote. Do you mind if I use it in the future?

[marcus_of_augustus]

This is an awesome quote. Do you mind if I use it in the future?

Don't mind, attributable to no one.

[TierNolan]

Duncant, you say on your site that "The payout schedule for this service is not secure against analysis of the bitcoin chain." 

Is that a reference to the problem that occurs when you have to few customers and/or to many different sizes of coin, or is it something else?

[duncant]

Duncant, you say on your site that "The payout schedule for this service is not secure against analysis of the bitcoin chain." 

Is that a reference to the problem that occurs when you have to few customers and/or to many different sizes of coin, or is it something else?

The problem is that there are too many unique transaction sizes. I've had a fix to this problem in the pipeline for the last few weeks (see my last post), but what with the MtGox hack and my day job's machines all deciding to crash, I haven't gotten the chance to work on it solidly.

As you may have noticed, I've taken the site down for the weekend to get this and a few other bugs fixed. Everything will be back (and better) on Monday. The warning message that you quote will be gone because I'll have fixed that flaw.

Also, for anybody who's interested. I've consulted off-the-record with a few lawyers about the legality of this sort of thing. They're all of the opinion that this certainly does not constitute money laundering because bitcoin isn't "really money" in the eyes of the law. It could, possibly, be consider smuggling, but that is unlikely considering that no physical goods are exchanged.

[marcus_of_augustus]

Duncant, you say on your site that "The payout schedule for this service is not secure against analysis of the bitcoin chain." 

Is that a reference to the problem that occurs when you have to few customers and/or to many different sizes of coin, or is it something else?

The problem is that there are too many unique transaction sizes. I've had a fix to this problem in the pipeline for the last few weeks (see my last post), but what with the MtGox hack and my day job's machines all deciding to crash, I haven't gotten the chance to work on it solidly.

As you may have noticed, I've taken the site down for the weekend to get this and a few other bugs fixed. Everything will be back (and better) on Monday. The warning message that you quote will be gone because I'll have fixed that flaw.

Also, for anybody who's interested. I've consulted off-the-record with a few lawyers about the legality of this sort of thing. They're all of the opinion that this certainly does not constitute money laundering because bitcoin isn't "really money" in the eyes of the law. It could, possibly, be consider smuggling, but that is unlikely considering that no physical goods are exchanged.

I don't see how it could be. It is a purely mathematical process performed on some electronic data. Are we going to outlaw any electronic maths next? Is that the realm of insanity the totalitarians are taking us into? Money needs to be free or it no longer functions as money, and all society suffers for it.

[markm]

I'd suggest consulting on the record with a lawyer who has significant professional standing to lose.

Almost any "front" can be used to launder money, even an actual laundromat.

I am not a lawyer, but if I used my laundromat to launder money I would not expect to get off by saying "but laundry is not real money" nor "but all I was doing was smuggling real money into the laundromat and out again, not actually putting it in the washing machine!"

-MarkM-

[duncant]

I'd suggest consulting on the record with a lawyer who has significant professional standing to lose.

Almost any "front" can be used to launder money, even an actual laundromat.

I am not a lawyer, but if I used my laundromat to launder money I would not expect to get off by saying "but laundry is not real money" nor "but all I was doing was smuggling real money into the laundromat and out again, not actually putting it in the washing machine!"

-MarkM-

Oh, absolutely. I'm still looking for a lawyer who is comfortable with both IT law and financial law to give me an on the record consultation.

To go back to your actual laundromat analogy: consider if a criminal buy a bunch of dirty clothes at Goodwill with his dirty money and then washes them at a laundromat. He sells them to someone who is unaware of the origin of the clothes because they are now clean and whiter (assume the criminal used bleach ). The laundromat would not be "on the hook" for money laundering because they never handled "actual money". I believe this is analogous to bitcoin anonymizers.

[hashcoin]

I agree this is really dumb from a liability perspective and you are asking for trouble IMO.  If you are at The Institute and don't want to spend money on a lawyer, I would strongly suggest you consider talking to Ron Rivest.  He is not a lawyer, but I think he will be able to give you very very helpful advice.  First he is very familiar with anonymous e-cash, as he's studied and published on it.  He's also started two crypto-based micropayment companies (peppercoin and another) so he is likely quite familiar with the relevant laws.  Third, and most importantly, he has first-hand experience in dealing with situations where ugrads get themselves into a world of shit (see charliecard incident).

Now, to be a huge asshole and maybe motivate you more, I'll say frankly I'm not impressed with this.  I bet I could take a uniform random ugrad in CSAIL, hand them a basic description of blind sigs, and they would produce what you did.  Here is what would impress me: do this without any liability by not requiring trust even for you to not run with the money (i.e., let people do this entirely p2p without trusting anyone).  Seriously, think about it before you read the next paragraph, and if you realize how to do it great.  If not I probably wouldn't either when I was a ugrad, so here's how to do it.  Unlike blind sigs, even with this description there is quite alot of work to go from idea to reality.

---

What you are basically providing is a protocol where N people can submit bitcoins to an address under your control, and then you will spend them back to N different addresses without knowing the mapping.  First observe people don't need you at all for this, because bitcoin supports multi-in, multi-out TX.  So N people can do this without you.

Attempt 1:  N people who want to mix coins get together and build a TX.  We get together in a circle and, starting from a blank piece of paper, pass it around the circle, each step adding our input and our output to a random location.  After it has been passed around once, it gets passed around again.  This time, assuming my input and output is still there, I sign the tx and pass it on.  If everyone signs it, it is broadcast and we're done.

Problem: This is entirely secure from outsiders, but leaks information to other participants.  E.g. if you are first in the circle and I'm second, I know your input/output mapping.  Similarly if you're last and I'm second-to-last.

Corrrect solution:  Realize what you have is basically a protocol for N+1 participants, where one is a trusted third party to do the input/output mapping.  There exists a generic transformation, called Secure Multi-party Computation that takes such a protocol and eliminates the trusted particpant to yield a cryptographically sound protocol performable by the N parties.  More precisely, for any function f, N people can compute f(x1,...,xN) without revealing their xi.  At the end each party only learns about others' input by what is revealed from f() itself.

So here the setting is xi = (input_i, output_i, secretkey_i, random_i) where input/output are desired addresses, secretkey is the ECDSA key for the input, and random_i is enough random bits to specify a random permutation perm_i on [N].  The output is the following TX, signed by all parties.  Let perm = perm1 o perm2 o perm3 o ... o permN.  Note that if even a single person chooses his permutation at random, then perm is a uniformly random permutation.

inputs: input1, input2, .. inputN.
outputs: output_perm(1), ..., output_perm(N)

Note at the end, all I learn is the inputs, outputs, and that in the overall perm my input was matched to my output.  In particular, the input:output mapping is a random permutation conditioned on knowing the value at one point.

Now that would impress me, and many others too.  In particular existing MPC protocols are likely not practical.  You will likely need to do some work studying the work on 2PC that has been done since the 80s to make it practical.  AFAIK not much has been done since the original defn in [Yao 82] to make general MPC practical.

It's also possible that there's a way to make the paper-passing protocol secure with many more rounds that involve adding garbage addresses and removing other peoples, only to have them add a new one back later.  It seems tricky to get privacy and get something like this to eventually converge, but I can't rule it out entirely so wouldn't dismiss it yet.

[TierNolan]

Seriously, think about it before you read the next paragraph, and if you realize how to do it great.  If not I probably wouldn't either when I was a ugrad, so here's how to do it.  Unlike blind sigs, even with this description there is quite alot of work to go from idea to reality.

I assume that the point is that Chaum's scheme is for offline cash payments??  His system detects double payments after the fact.

Since bitcoin is inherently online, there is a lot of redundancy in the system.

[mouse]

What you are basically providing is a protocol where N people can submit bitcoins to an address under your control, and then you will spend them back to N different addresses without knowing the mapping.  First observe people don't need you at all for this, because bitcoin supports multi-in, multi-out TX.  So N people can do this without you.

This is an intersting idea. I'm assuming that to make the coins anonymous, a set denomination needs to be used, and the coin mixing process need to repeated multiple times, preferrably with different, new members, over the network.

I can't really help the OP with this problem, but I hope someone tackles and implements this. Doing a cursory glance there appears to be quite a lot of new work on MPC. e.g.
Secure multi-party computation over networks, Nishitani Y, Igarashi Y 2000

[duncant]

I bet I could take a uniform random ugrad in CSAIL, hand them a basic description of blind sigs, and they would produce what you did.

No bet. I am a "random ugrad in CSAIL" and I've been called a great many things worse than that.

Thanks for the suggestion to see Prof. Rivest.

I was not aware of Secure Multi-Party Communication. This is just a side project of mine, I'm more of an AI guy than a crypto guy. I think if someone were to implement the scheme you describe, it would have to be either as an extension to the bitcoin client or in the bitcoin client itself. If I have the opportunity (read: time), though, I'll definitely work on this. Thanks a bunch for the suggestion. It seems like the "right way" to do bitcoin anonymizing.

[hashcoin]

This would indeed need separate client software (once you do p2p instead of centralized, you need your own software.  what a shame! If only it were as easy to launch new p2p software as it were to start a website.  Hmm....), but I was not thinking including in bitcoin since this is something highly specialized.  Presumably this would be something like the TOR network for bitcoin: a separate p2p client for mixnets.

Secure MPC is quite interesting and in general you can think of it as the "big hammer" or perhaps more like the "nuclear bomb" of cryptography.  Every sophisticated crypto protocol we know of (anonymous e-cash, secure electronic voting, zerk-knowledge proof) is infact a special case of secure MPC.  The problem is because its so general it's not practical yet, so while we knew how to do these things using MPC, to do them in real life typically one needs to come up with a special case solution.  However, taking a protocol, doing the secure MPC transformation on it, and then simplifying from there can be good.   In particular a hot-potato scheme where a list is passed around and when it gets to you, you shuffle the outputs, replace your output with a new one, and pass it on could possibly be a starting point.   In particular this scheme protects the last K from the K+1'st-to-last.

Also I wouldn't consider being called a "random CSAIL ugrad" a bad thing, I was just trying to motivate you to make a better system that actually protects you  

[duncant]

Hey all. My site is currently down while I figure out a bug that somebody was able to exploit to insert erroneous pay-outs into my scheduler.

Rest assured that I have the bitcoins to honor legitimate pay-outs and that business will resume as soon as I find the bug.

[duncant]

Scratch that on the business resuming.

I have decided that the liability of running a site like this is just too great and the monetary benefit is too small.

I will continue to honor unredeemed tokens and existing scheduled pay-outs, but I will not be accepting new transactions.

I anyone wants to carry on this site, I can help you get everything up and running.

--Duncan

[Trader Steve]

Duncan,

Thanks for putting this together. Hopefully someone will take it and run with it. People deserve privacy in their personal affairs.

Trader Steve

[thefussydutchman]

Site says closed for good?

[duncant]

Yeah, I think so. The potential liability of somebody finding an exploit and stealing from my customers, plus the potential legal liability is too much to shoulder for the amount of money that I could potentially make on that sort of thing.

It makes me very sad to have to close the site, especially after I've put in n-hundred hours of work on it, but I think this is the best option.

I'll reiterate: if anyone wants to take over operating the site, I will give any and all assistance I can. I really don't want to see this site die, even if I can't run it anymore.

[Vod]

Yeah, I think so. The potential liability of somebody finding an exploit and stealing from my customers, plus the potential legal liability is too much to shoulder for the amount of money that I could potentially make on that sort of thing.

It makes me very sad to have to close the site, especially after I've put in n-hundred hours of work on it, but I think this is the best option.

I'll reiterate: if anyone wants to take over operating the site, I will give any and all assistance I can. I really don't want to see this site die, even if I can't run it anymore.

Duncan, with your generic message on, I can't tell much about the technology.  What language and database did you use?  What compensation are you looking at in exchange for transfer of the service?

[duncant]

Yeah, I think so. The potential liability of somebody finding an exploit and stealing from my customers, plus the potential legal liability is too much to shoulder for the amount of money that I could potentially make on that sort of thing.

It makes me very sad to have to close the site, especially after I've put in n-hundred hours of work on it, but I think this is the best option.

I'll reiterate: if anyone wants to take over operating the site, I will give any and all assistance I can. I really don't want to see this site die, even if I can't run it anymore.

Duncan, with your generic message on, I can't tell much about the technology.  What language and database did you use?  What compensation are you looking at in exchange for transfer of the service?

The site is written in Python, using Twisted. The RSA parts of the site are written in C (via pycrypto) for speed and python calls out to it via the CPython C-extension api.

The database is MySQL, but you could easily port it to Postgres since the Twisted API for MySQL and Postgres is the same.

The client-side code is all javascript (obviously) and I use jQuery as well as jsbn (javascript bignum) and some other libraries that are GPL/BSD licensed.

If you're interested in running the site, shoot me a PM and we can work out compensation, etc.