Bitcoin Forum
December 14, 2017, 06:57:40 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 4 5 »  All
  Print  
Author Topic: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)  (Read 22103 times)
jl2012
Legendary
*
Offline Offline

Activity: 1750


View Profile
January 29, 2013, 04:46:27 AM
 #21

2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21 is the first accepted offer, this one received over GPG-email. Accepting it was a no-brainer: It made a clever and quite generous 10 BTC multi-signature donation the developers.  I've updated the message to  indicate bbeacff94c2d20df8eb4e5556b38977863b4548c79105b10da943cd2eecddd80:0 (also 1 BTC) as the new output of mine to spend.

Loaded: Slightly too slow, 1d7b37fa is now spent.  Compute and sign your very impressive transaction again with bbeacff. Smiley


 
Code:
0100000003c8e2c94e9683ca5ca81d5b971aa518b4cae10c3eff0dbc2128ecdc1e2f2bf675000000006c4930460221008d034bf2905e452fcb5ecd7b7893f9d76411655eeda82d04c07a6893811267ee0221009367bc19b2b4db1260faa3945948aec4dcd1d27ca1b3d652ec536bc3aa6f5f54012102f115baf06dd46062573d2b929e243bbc798db8c1fb6b04a324fe05063786d02affffffffd3161114e547413ac20be8f22a4bd3cfe8d7a04ae3bae9a744799414b77fcefd010000006b48304502204bd9b946262b949c7ff69d9f0c2fee4f8fd1f8c9a8c7f2e5c3443ed3deb9feaa0221009be613c94ce7356934c17eaa10811cfe693cbbf0e33ef6af74c1ef8eadbda2d0012102f115baf06dd46062573d2b929e243bbc798db8c1fb6b04a324fe05063786d02affffffff80ddcdeed23c94da105b10798c54b4637897386b55e5b48edf202d4cf9cfeabb0000000000ffffffff02286a7254a30300001976a914aa530a61909a9c2959b52415a211926a53ab37e088ac68b9e304000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac00000000

Anyone else who wants to be associated with 40k BTC is welcome create a tx using the output of the above to 1B5kWfMmX1rKSwwHhwiiMxjfRRv5o7ZE4p


Just a gentle reminder to everyone: playing with raw tx could be very dangerous. You may end up in paying a huge amount of fee (eg. https://bitcointalk.org/index.php?topic=135665.0 ). Triple check before and after you sign anything. Quadruple or quintuple check if you are playing with 40k BTC

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
1513234660
Hero Member
*
Offline Offline

Posts: 1513234660

View Profile Personal Message (Offline)

Ignore
1513234660
Reply with quote  #2

1513234660
Report to moderator
1513234660
Hero Member
*
Offline Offline

Posts: 1513234660

View Profile Personal Message (Offline)

Ignore
1513234660
Reply with quote  #2

1513234660
Report to moderator
1513234660
Hero Member
*
Offline Offline

Posts: 1513234660

View Profile Personal Message (Offline)

Ignore
1513234660
Reply with quote  #2

1513234660
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1513234660
Hero Member
*
Offline Offline

Posts: 1513234660

View Profile Personal Message (Offline)

Ignore
1513234660
Reply with quote  #2

1513234660
Report to moderator
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2366



View Profile
January 29, 2013, 05:18:34 AM
 #22

Three anonymous-to-me parties collaborated to produce the transaction spending vout:6 on my last list of outputs (I got directed to a pastebin and asked to sign the content).

Another mystery transaction vout:4 was passed through multiple anonymous parties chinese-whisper style to me.

... and a new record: 50kBTC which spends vout:0.

Bitcoin will not be compromised
Ente
Legendary
*
Offline Offline

Activity: 2076



View Profile
January 29, 2013, 09:57:46 AM
 #23

I love it!

Ente
giszmo
Legendary
*
Offline Offline

Activity: 1568


¡ɥɔʇɐʍ ʇsnɾ &#7


View Profile WWW
January 29, 2013, 12:15:47 PM
 #24

Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.
Ideally it should be some meeting point over TOR so that there is no incentive to try to record IPs.  Though I'd prefer instead of opportunistically swapping that it rather had lots of people indicate an intent to swap, and then when you want to make a transaction, you'd jointly create a swap and pay transaction. This avoids bloating the blockchain with a bunch of pure swapping and would further improve privacy as you wouldn't know _which_ outputs were swapping and which were payments.  Payments to common anonymous donation addresses could even be merged.
This is an interesting idea.

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.

Call it money laundering and you repel people. Call it fungibility and people tend to support this basic nature bitcoin needs to be cash. If my bitcoins get deducted x% of their value when paying a governmental entity due to containing x% coins from their daily updated black list of transactions, I will think twice if bitcoin failed as a whole. Prevent that from happening means talking about the dangers of taint analysis.
I guess it will be kind of trivial to have some transaction merging being done with every payment once the network gets busier and I also think this should be done (opt out) by the client.
(BitcoinSpinner style A->B+A transactions definitely are a pain. After having done business with 10 or so people through my Android I get very much aware of it.)

Basically we could have 1 transaction per block but involving more entities to forge a transaction will make it more prone to people never signing it. Also the 1 transaction per block would lead to having the true transaction data being public but outside of the blockchain. Similarly some "agency" could heavily advertise to merge transactions with its transactions just to be able to gather intelligence for later taint analysis. Therefore the best strategy for now would be to seek signing partners only in very small groups of maybe not more than 2.

gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2366



View Profile
January 29, 2013, 04:24:58 PM
 #25

Basically we could have 1 transaction per block but involving more entities to forge a transaction will make it more prone to people never signing it. Also the 1 transaction per block would lead to having the true transaction data being public but outside of the blockchain. Similarly some "agency" could heavily advertise to merge transactions with its transactions just to be able to gather intelligence for later taint analysis. Therefore the best strategy for now would be to seek signing partners only in very small groups of maybe not more than 2.
It's quite possible to have a cryptographic protocol which can safely and completely anonymously combine between parties.

Warning: Very complicated cryptographic protocol below.
(fortunately this stuff just gets put in software and a user clicks the button)

To participate in this system you must first have a fidelity bond:

You construct a specially formed transaction that gives away some coins as fees in a way that proves you didn't receive them. A key committed to as part of doing this is your fidelity bond key.

People interested in forming an anonymous joint transaction join some broadcast communication channel (e.g. IRC over tor).

Every message they send is signed with their fidelity bond key.

They each put up coins they'd like to include and come to an agreement about the transaction. They each form a message about what output address they'd like to send the funds to,  and blind it, and send it to the group. They each advertise a key for blind signing.

The group then performs a group blind signature for each of the blinded messages.

The users unblind their messages, and advertise keys for a reencryption mix. A first user generates some padding messages and their real unblinded token, permutes and encrypts them all, and advertises the result (In reality, he may need to do this many times, for a zero knowledge proof that he isn't screwing it up). Then a next user takes the result, adds their own blinded message, permutes the set, and reencrypts it all, and so on.

After cycling through all users several times, they decrypt, and the result is a randomly ordered set of output address messages which have all been signed by the whole group, but they cannot tell which users authored which. A transaction is created conforming to the agreed inputs and outputs, and all users sign.

If any any point a user refuses to sign in order to jam the process their misbehavior can be proven to anyone who cares to know by showing them the signed messages from a failed round. After seeing a proof they blacklist the misbehaving fidelity bond key, and so DOS attacking this can be made expensive.

I've omitted a lot of complex details (secure group random number agreement for consensus, constructing the ZKPs to show that someone isn't jamming the mix, etc) and waved my hands at things (like group blind signatures)... but its clear to me that it's certainly possible to construct such a thing. The engineering would be quite hard, as this kind of very lock-stepy everything proven algorithm is quite fragile compared to even Bitcoin. So, I don't expected it any time soon— but I'm happy to know that it's possible if it ever actually is needed.  In reality, I expect few are going to try to gum up this sort of thing, so in practice people could get away with much simpler protocols.

Bitcoin will not be compromised
dooglus
Legendary
*
Offline Offline

Activity: 2366



View Profile
January 29, 2013, 07:43:16 PM
 #26

Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

The following tiny patch allows me to send to the same address multiple times from the reference client:

Code:
diff --git a/src/qt/walletmodel.cpp b/src/qt/walletmodel.cpp
index 9d5a2c0..76bb446 100644
--- a/src/qt/walletmodel.cpp
+++ b/src/qt/walletmodel.cpp
@@ -151,7 +151,7 @@ WalletModel::SendCoinsReturn WalletModel::sendCoins(const QList<SendCoinsRecipie
 
     if(recipients.size() > setAddress.size())
     {
-        return DuplicateAddress;
+        // return DuplicateAddress;
     }
 
     if(total > getBalance())

Just-Dice                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   Play or Invest                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   1% House Edge
mb300sd
Legendary
*
Offline Offline

Activity: 1260

Drunk Posts


View Profile WWW
January 30, 2013, 04:15:02 AM
 #27


Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction

1D7FJWRzeKa4SLmTznd3JpeNU13L1ErEco
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2366



View Profile
January 30, 2013, 09:22:51 PM
 #28

Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):
Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction

I literally wrote the transaction hex by hand— the format of a transaction is all byte aligned, and it's not actually too hard to just type one in. (Obviously I didn't sign or convert the addresses to hex160 by hand, but I just copied them from createrawtransaction output and used the regular signrawtransaction command). This comic is relevant.

While I'm here— c3962bbe60d5a22a67e6814b28342e3affdc07357cae2e9abab3f2bc01f251eb  is a 1000 BTC transaction someone sent to me.

Bitcoin will not be compromised
dooglus
Legendary
*
Offline Offline

Activity: 2366



View Profile
January 30, 2013, 09:56:12 PM
 #29

Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction

Deleting these 2 lines from the source allows createrawtransaction to make transactions with duplicate output addresses:

Code:
diff --git a/src/rpcrawtransaction.cpp b/src/rpcrawtransaction.cpp
index 9531b12..4e13881 100644
--- a/src/rpcrawtransaction.cpp
+++ b/src/rpcrawtransaction.cpp
@@ -288,8 +288,6 @@ Value createrawtransaction(const Array& params, bool fHelp)
         if (!address.IsValid())
             throw JSONRPCError(RPC_INVALID_ADDRESS_OR_KEY, string("Invalid Bitcoin address: ")+s.name_);
 
-        if (setAddress.count(address))
-            throw JSONRPCError(RPC_INVALID_PARAMETER, string("Invalid parameter, duplicated address: ")+s.name_);
         setAddress.insert(address);
 
         CScript scriptPubKey;

Just-Dice                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   Play or Invest                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   1% House Edge
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2366



View Profile
February 01, 2013, 04:25:13 PM
 #30

Another email received transaction a511bea3b5dc09609c4853d817cde909fdcdc06cc9558500f155ca821d0d511b, spends vout:8

Bitcoin will not be compromised
WiW
Sr. Member
****
Offline Offline

Activity: 277


"The public is stupid, hence the public will pay"


View Profile
February 02, 2013, 05:51:53 AM
 #31

Can someone please explain all this to the layman?
dooglus
Legendary
*
Offline Offline

Activity: 2366



View Profile
February 02, 2013, 06:45:59 AM
 #32

Can someone please explain all this to the layman?

I can try.  How's this?

Quote
To send bitcoins you make a transaction.  Every transaction takes coins from one or more addresses (the transaction's inputs) and sends them to one or more addresses (its outputs).

When analysing the blockchain to try to work out which addresses belong to which users, people tend to assume that all the input addresses belong to the same wallet, because that is usually the case.

What gmaxwell is doing in this thread is using advanced 'raw transaction' bitcoin commands to collaborate with people to create transactions in which he owns the address of one of the inputs and the other person owns the address of the other input.  In this way he confuses people doing naive blockchain analysis.

In the first such transaction, he contributed 1 BTC from his well-known address and forum user 'loaded' contributed 40,000 BTC.  This makes it look at first glance as if gmaxwell has control of 40,001 BTC.

Just-Dice                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   Play or Invest                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   1% House Edge
dserrano5
Legendary
*
Offline Offline

Activity: 1848



View Profile
February 02, 2013, 10:40:29 AM
 #33

What I don't understand is the following:

You sign this transaction— but it's not valid until both of us sign it. You send it to me […] and if I like your proposed transaction I'll sign it and announce it.  If you think your proposal is especially attractive […].  The most attractive offers will be involve […]

After I accept whatever offer I accept, […]

If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.

dooglus
Legendary
*
Offline Offline

Activity: 2366



View Profile
February 02, 2013, 05:27:08 PM
 #34

If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.

I guess he didn't want to promise to sign transactions from everyone.  What if too many people responded?  He's going to chose the 'best' ones in some way.  Each of his 1 BTC outputs can only be spent once after all.  It appears the demand has been less than overwhelming, so I expect he's just signed all the transactions he has received.

Just-Dice                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   Play or Invest                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   1% House Edge
WiW
Sr. Member
****
Offline Offline

Activity: 277


"The public is stupid, hence the public will pay"


View Profile
February 02, 2013, 07:00:30 PM
 #35

Perhaps it would be better I try to explain in laymanish what I did understand and someone correct me.

Originally I figured he just meant that if you have X bitcoin and he has X bitcoin, together you can mix the bitcoin and redistribute them in such a way that multiple inputs and an obfuscated list of multiple outputs removes the ability to trace the output address to the original input address...

Say we both have a single bitcoin. We put it in a shared wallet (which we both sign) with a list of respective output wallets. After both bitcoins have been collected, we both sign the transaction to distribute each bitcoin to each wallet. Someone looking from the outside wouldn't know which wallet is whose (in this case they'd have a 50-50 chance of guessing). Of course, when there are more than two involved, I understand there is some way to ensure that each participating member doesn't know which output wallet is whose - but I don't understand how.

Another thing I don't understand is that if all participating members have to sign the outgoing transaction, wouldn't that be a system prone to abuse? I'd put my bitcoin in the pool, but if there are 1,000 other participants I can just forget my bitcoin and never agree to sign a txn that would free those bitcoins and everyone loses.

So where in all this did I misunderstand?
Steve
Hero Member
*****
Offline Offline

Activity: 868



View Profile WWW
February 03, 2013, 06:07:30 AM
 #36

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.
This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.

(gasteve on IRC) Does your website accept cash? https://bitpay.com
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2366



View Profile
February 03, 2013, 04:11:14 PM
 #37

If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.
If multiple people sign for the same output I can only accept one.  After the first couple collisions I ended up listing a bunch of outputs to make collisions less likely.

Bitcoin will not be compromised
Red Emerald
Hero Member
*****
Offline Offline

Activity: 742



View Profile WWW
February 03, 2013, 05:13:09 PM
 #38

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.
This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.
Sounds good to me.

n8rwJeTt8TrrLKPa55eU
Hero Member
*****
Offline Offline

Activity: 588



View Profile
February 04, 2013, 03:52:43 AM
 #39

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.
This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.
This is a great point, not often mentioned.  It's not just individuals or druggies who need privacy.
pc
Sr. Member
****
Offline Offline

Activity: 253


View Profile
February 04, 2013, 06:22:15 PM
 #40

If multiple people sign for the same output I can only accept one.  After the first couple collisions I ended up listing a bunch of outputs to make collisions less likely.

Couldn't we use some of the more interesting signature types (ANYONECANPAY or something like that)? People could sign a transaction with their one input they're putting in, their output to themselves that they care about, 1 BTC to you, and you then just add your 1 BTC input from any transaction you want.
Pages: « 1 [2] 3 4 5 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!