Bitcoin Forum
Author Topic: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)  (Read 22775 times)
gmaxwell (OP)
January 28, 2013, 11:30:14 PM
Last edit: January 29, 2013, 11:18:47 PM by gmaxwell
 #1

Ever since I was a wee lad I've had a dream .... a dream of being incorrectly assessed as impossibly rich by brain-dead automated analysis.  Now with your help I can be!

Here is how it works:  A lot of people mistakenly assume that when a transaction spends from multiple addresses all those addresses are owned by the same party.  This is commonly the case, but it doesn't have to be so: people can cooperate to author a transaction in a secure and trustless manner.   We can make it a lot easier for people making this mistake to discover their folly by making there be a single address that seems linked to everything.

So I'm generously offering to link my forum signature address with the universe. Here is where you come in:  I need someone to provide the universe.  

Here is how it works: You write a transaction that spends some of your coins, and one of my 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB coins:

d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59:1   value 1 BTC

You send your coins back to a (new) address of yours and you send my 1BTC back to me at 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB.

You sign this transaction— but it's not valid until both of us sign it. You send it to me (via PM, anonymous gpg encrypted email, or a post in this thread) and if I like your proposed transaction I'll sign it and announce it.  If you think your proposal is especially attractive— e.g. you're going to link me to a 100,000 BTC coin,  maybe you don't send all of that 1 BTC back to me, and maybe I'll still accept your offer (but someone else may offer a linkage just as good for less, so bid wisely!).  The most attractive offers will involve very high value coins, or be from well known public addresses, and will either give me all my coin back, or even more.

After I accept whatever offer I accept, I'll post a new coin of mine for people to attempt to spend.. and we'll keep it up until people who think simplistic 'taint' analysis works get a clue.

To actually do this in bitcoin-qt/bitcoind, open up the console (in the GUI, help->debug->console) and run listunspent. You'll get output that looks like this:
Code:
listunspent

    {
        "txid" : "5e43cca439b784b8dd96035bde4573f16c0d884e1c4ba70a9fc58738af444e73",
        "vout" : 2,
        "scriptPubKey" : "76a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac",
        "amount" : 0.01456000,
        "confirmations" : 28622
    },

These are your unspent coins. You can look up the txids to see which addresses they were paid to.

Now create a transaction spending the coin you picked and mine: (I'll use the above coin, but you should replace the txid, vout, and amount with something from your listunspent)

Code:
createrawtransaction '[{"txid":"5e43cca439b784b8dd96035bde4573f16c0d884e1c4ba70a9fc58738af444e73","vout":2},{"txid":"d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59","vout":1}]' '{"1AywL2iC7ywJCTtXb8G49WeWgEL9qCBh61":0.01456000,"1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB":1.0}'

You'd replace 1AywL2iC7ywJCTtXb8G49WeWgEL9qCBh61 with an address of yours. And the 0.01456 with the amount of that coin— or less if you intend on giving away some of that money as fees or giving it to me to support this fun project. :P  (if you're going to give or try taking from me adjust the amount of 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB). In any case the value of my input is 1 BTC, the sum of outputs must be equal to or less than the inputs— any unaccounted for coin is fees.

You leave the second txid/vout alone (or replace it with one from later in this thread)— that's my coin that you'll be spending.  If you want to be advanced about it you can spend several of your coins, or even get a couple friends to each chip in a coin.

This will result in a long hex string, like:

Code:
0100000002734e44af3887c59f0aa74b1c4e880d6cf17345de5b0396ddb884b739a4cc435e0200000000ffffffffb58749a8dfc5502647062e6d0105f65b8c7c58252f0853b7260bd01ffa377b1d0000000000ffffffff0280371600000000001976a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac00e1f505000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac00000000

You can feed it to decoderawtransaction to see if you like it:

Code:
decoderawtransaction 0100000002734e44af3887c59f0aa74b1c4e880d6cf17345de5b0396ddb884b739a4cc435e0200000000ffffffffb58749a8dfc5502647062e6d0105f65b8c7c58252f0853b7260bd01ffa377b1d0000000000ffffffff0280371600000000001976a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac00e1f505000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac00000000

{
    "txid" : "e8e0ebd096171479b060ba7f3e009955f72fb64b8eac51d17f76ee175d99d212",
    "version" : 1,
    "locktime" : 0,
    "vin" : [
        {
            "txid" : "5e43cca439b784b8dd96035bde4573f16c0d884e1c4ba70a9fc58738af444e73",
            "vout" : 2,
            "scriptSig" : {
                "asm" : "",
                "hex" : ""
            },
            "sequence" : 4294967295
        },
        {
            "txid" : "1d7b37fa1fd00b26b753082f25587c8c5bf605016d2e06472650c5dfa84987b5",
            "vout" : 0,
            "scriptSig" : {
                "asm" : "",
                "hex" : ""
            },
            "sequence" : 4294967295
        }
    ],
    "vout" : [
        {
            "value" : 0.01456000,
            "n" : 0,
            "scriptPubKey" : {
                "asm" : "OP_DUP OP_HASH160 6d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c OP_EQUALVERIFY OP_CHECKSIG",
                "hex" : "76a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac",
                "reqSigs" : 1,
                "type" : "pubkeyhash",
                "addresses" : [
                    "1AywL2iC7ywJCTtXb8G49WeWgEL9qCBh61"
                ]
            }
        },
        {
            "value" : 1.00000000,
            "n" : 1,
            "scriptPubKey" : {
                "asm" : "OP_DUP OP_HASH160 65a034285ca12eebfbd533cb013f1394ee11d4f8 OP_EQUALVERIFY OP_CHECKSIG",
                "hex" : "76a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac",
                "reqSigs" : 1,
                "type" : "pubkeyhash",
                "addresses" : [
                    "1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB"
                ]
            }
        }
    ]
}

Be sure to carefully add up the values of all the inputs (including the 1 BTC from me) and all the outputs and make sure you're not giving away more in fee than you want to.

If it looks good to you (it's paying you and me the right amounts) you do a signrawtransaction on it:

Code:
signrawtransaction 0100000002734e44af3887c59f0aa74b1c4e880d6cf17345de5b0396ddb884b739a4cc435e0200000000ffffffffb58749a8dfc5502647062e6d0105f65b8c7c58252f0853b7260bd01ffa377b1d0000000000ffffffff0280371600000000001976a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac00e1f505000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac00000000

If your wallet is locked you may need to run
Code:
walletpassphrase yourpassphrasegoeshere 300
to unlock it for 300 seconds.

And send me the result that comes out of signrawtransaction.  If I like your proposal, I'll sign it, announce it, and when it's confirmed I'll post a new txid for other people to spend with me.

A coin can only be spent once— so as people use up these coins, I'm creating new ones and updating this message.  See down thread where I also list a bunch more available for spending.
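The "add up the inputs and outputs" check from the post above, as an added example that is not part of the original post: it parses the post's unsigned example transaction and reports the fee and any output that pays less than expected. The function names and the 50000-satoshi fee limit are assumptions; the hex string and the two input amounts come from the post.

```python
# Added example: review a counterparty's legacy raw transaction before signing.
RAW_TX = (  # unsigned example transaction quoted in the post
    "0100000002"
    "734e44af3887c59f0aa74b1c4e880d6cf17345de5b0396ddb884b739a4cc435e"
    "0200000000ffffffff"
    "b58749a8dfc5502647062e6d0105f65b8c7c58252f0853b7260bd01ffa377b1d"
    "0000000000ffffffff"
    "02"
    "80371600000000001976a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac"
    "00e1f505000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac"
    "00000000"
)
MY_SCRIPT = "76a9146d7dc6d75d78ce7fa9de7cac2c7f0248fec47c0c88ac"  # pays 1AywL2...
PREVOUTS = {  # input amounts in satoshis, as stated in the post
    ("5e43cca439b784b8dd96035bde4573f16c0d884e1c4ba70a9fc58738af444e73", 2): 1456000,
    ("1d7b37fa1fd00b26b753082f25587c8c5bf605016d2e06472650c5dfa84987b5", 0): 100000000,
}

class Reader:
    """Cursor over the serialized bytes; raises instead of reading past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated transaction")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "little")
    def varint(self):  # Bitcoin "compact size" integer
        first = self.uint(1)
        return first if first < 0xFD else self.uint({0xFD: 2, 0xFE: 4, 0xFF: 8}[first])

def parse_legacy_tx(raw_hex):
    r = Reader(bytes.fromhex(raw_hex))
    tx = {"version": r.uint(4), "vin": [], "vout": []}
    n_in = r.varint()
    if n_in == 0:
        raise ValueError("no inputs (segwit serialization is not handled here)")
    for _ in range(n_in):
        txid = r.take(32)[::-1].hex()      # txids are displayed byte-reversed
        vout = r.uint(4)
        script_sig = r.take(r.varint())    # empty until that input is signed
        tx["vin"].append({"txid": txid, "vout": vout,
                          "signed": bool(script_sig), "sequence": r.uint(4)})
    for _ in range(r.varint()):
        value = r.uint(8)                  # satoshis
        tx["vout"].append({"value": value, "script": r.take(r.varint()).hex()})
    tx["locktime"] = r.uint(4)
    if r.pos != len(r.data):
        raise ValueError("trailing bytes after locktime")
    return tx

def review(raw_hex, prevout_values, my_outputs, max_fee):
    """prevout_values: {(txid, vout): satoshis}, looked up on your own node,
    because the raw transaction does not carry input amounts.
    my_outputs: {scriptPubKey hex: minimum satoshis you expect to receive}."""
    tx, problems, total_in, all_known = parse_legacy_tx(raw_hex), [], 0, True
    for i in tx["vin"]:
        key = (i["txid"], i["vout"])
        if key in prevout_values:
            total_in += prevout_values[key]
        else:
            all_known = False
            problems.append("input %s:%d has no known value" % key)
    paid = {}
    for o in tx["vout"]:
        paid[o["script"]] = paid.get(o["script"], 0) + o["value"]
    for script, minimum in my_outputs.items():
        if paid.get(script, 0) < minimum:
            problems.append("output %s pays %d, expected at least %d"
                            % (script, paid.get(script, 0), minimum))
    fee = None                             # unknowable if any input value is missing
    if all_known:
        fee = total_in - sum(o["value"] for o in tx["vout"])
        if fee < 0:
            problems.append("outputs exceed inputs")
        elif fee > max_fee:
            problems.append("fee %d exceeds limit %d" % (fee, max_fee))
    return {"fee": fee, "problems": problems, "tx": tx}

if __name__ == "__main__":
    print(review(RAW_TX, PREVOUTS, {MY_SCRIPT: 1456000}, max_fee=50000))
```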
casascius
Mike Caldwell
January 28, 2013, 11:33:30 PM
 #2

I find this as interesting as you do.

I hope it leads to people discovering how they can do a "fungibility project".  You know, a project that increases the fungibility of all bitcoins.  One that auto-swaps coins with strangers in IRC using this very same flow you've got going here.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
gmaxwell (OP)
January 28, 2013, 11:40:17 PM
 #3

Quote
One that auto-swaps coins with strangers in IRC using this very same flow you've got going here.
I've actually done this manually a few times with a few different people— well, IRC messages are too short for most transactions. :( but encrypted pastebins work.  I thought it would be fun to get more people involved.
Luke-Jr
January 28, 2013, 11:41:02 PM
 #4

Quote
One that auto-swaps coins with strangers in IRC using this very same flow you've got going here.
I've actually done this manually a few times with a few different people— well, IRC messages are too short for most transactions. :( but encrypted pastebins work.  I thought it would be fun to get more people involved.

Why bother encrypting it?

gmaxwell (OP)
January 28, 2013, 11:45:29 PM
 #5

Quote
Why bother encrypting it?
The only reason is privacy— making a joint transaction hides ownership but if the pastebin is made public that sort of undoes the effect.  For a fun project like this it may not matter to you— e.g. my 1GMaxwell address is very public.  But if you don't want people to know that you own 100,000 BTC then you wouldn't want to post the txn under your name. If you send it to me anonymously then even I won't know.
meowmeowbrowncow
January 28, 2013, 11:51:43 PM
 #6




gmaxwell and his tx pyramid schemes... ;)

"Bitcoin has been an amazing ride, but the most fascinating part to me is the seemingly universal tendency of libertarians to immediately become authoritarians the very moment they are given any measure of power to silence the dissent of others."  - The Bible
wachtwoord
January 29, 2013, 12:01:01 AM
 #7

Thanks for the howto :)

I have a few questions:

* What exactly is the meaning of the Vout (Value out?) integer? In the input part of the transaction you specify the vout of your input based on the output of 'listunspent' so I guessed it was a local (wallet specific) identifier however we also specify the vout of your input (as 0) and if this was the case there would be no way to know that. Finally, for the decoded transaction we see that the output after the transaction is signed, broadcasted and added to a block, is also called vout to make it a little more confusing :)

* Each output in the vout of the decoded raw transaction has an array of addresses (in the example the arrays of both outputs have length 1). Does specifying multiple addresses in this array create a multi sig output? If not, what would it mean?

* Finally, I have never been able to find a quick and easy explanation/howto/whatever of all (or at least the most important) OP Codes. If this exists somewhere I'd love a link.

Thanks, this is very interesting.
gmaxwell (OP)
January 29, 2013, 12:09:02 AM
 #8

Quote
* What exactly is the meaning of the Vout (Value out?) integer?
A transaction can have multiple outputs— e.g. when you send some coin to someone and send the rest back in change, or when you pay multiple parties at once. Vout is just an index— in createrawtransaction it indicates which of potentially multiple outputs are being spent.  In the decode you see the indexes of the newly created outputs.

Quote
* Each output in the vout of the decoded raw transaction has an array of addresses (in the example the arrays of both outputs have length 1). Does specifying multiple addresses in this array create a multi sig output? If not, what would it mean?
Yes, if there are multiple addresses there it's a multisig output.

Quote
* Finally, I have never been able to find a quick and easy explanation/howto/whatever of all (or at least the most important) OP Codes. If this exists somewhere I'd love a link.
If you mean script OPcodes: https://en.bitcoin.it/wiki/Script  if you mean the console commands— run help or help <command>.
Sukrim
January 29, 2013, 12:09:44 AM
 #9

How to become MtGox: Send e.g. 1 Bitcent to a completely new address, then send half of that + some other change from one of your other addresses to one of your regular ones (or another new one) and let the other half bitcent be imported to MtGox via the import private key feature. This would make it seem as if MtGox (who probably swipe that half Bitcent asap, most likely together with some other coins) now also owns all of your other addresses...

This should work anywhere that lets you import private keys and subsequently transfers coins off these keys.

Anyways, I guess by doing stuff as you proposed, you just make it a bit harder again, but not impossible to still cluster addresses.

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
Loaded
January 29, 2013, 02:01:52 AM
 #10

I'll bite.

0100000003c8e2c94e9683ca5ca81d5b971aa518b4cae10c3eff0dbc2128ecdc1e2f2bf67500000 0006c493046022100b1c9911292829374b5e2f82f60060738026714a91de56a38e5d208032348ac 53022100b214c658dd9951dbe9b9f62a2d7ec31370587fc0d09a27788b16d41acd2a7099012102f 115baf06dd46062573d2b929e243bbc798db8c1fb6b04a324fe05063786d02affffffffd3161114 e547413ac20be8f22a4bd3cfe8d7a04ae3bae9a744799414b77fcefd010000006c4930460221008 94c0a5fb790c7de900c6ee74c82fbf946f2409a015f0969e9ce7aaac1a00ae902210099f7d383ef 8dc56346fe2259f9ab94fdef90d568960ad6e0ac70a43f0d980ff3012102f115baf06dd46062573 d2b929e243bbc798db8c1fb6b04a324fe05063786d02affffffffb58749a8dfc5502647062e6d01 05f65b8c7c58252f0853b7260bd01ffa377b1d0000000000ffffffff02286a7254a30300001976a 914aa530a61909a9c2959b52415a211926a53ab37e088ac68b9e304000000001976a91465a03428 5ca12eebfbd533cb013f1394ee11d4f888ac00000000

Bitcoin multimillionaire, broker, and asset manager.
bitcoind signmessage 1BqcwhKevdBKeos72b8E32Swjrp4iDVnjP "I am 'Loaded' of bitcointalk.org."
Hw6QbEy+Z5BNwiv0kPTyizzgU5T1H88RnPRvk7730VoGTReJndKzZ4Jnn1JjIkNiVwBIXsx19RwXQWVfWrZjW+M=
gmaxwell (OP)
January 29, 2013, 02:04:50 AM
 #11

2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21 is the first accepted offer, this one received over GPG-email. Accepting it was a no-brainer: It made a clever and quite generous 10 BTC multi-signature donation to the developers.  I've updated the message to indicate bbeacff94c2d20df8eb4e5556b38977863b4548c79105b10da943cd2eecddd80:0 (also 1 BTC) as the new output of mine to spend.

Loaded: Slightly too slow, 1d7b37fa is now spent.  Compute and sign your very impressive transaction again with bbeacff. :)
Loaded
January 29, 2013, 02:12:56 AM
 #12

Quote
2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21 is the first accepted offer, this one received over GPG-email. Accepting it was a no-brainer: It made a clever and quite generous 10 BTC multi-signature donation to the developers.  I've updated the message to indicate bbeacff94c2d20df8eb4e5556b38977863b4548c79105b10da943cd2eecddd80:0 (also 1 BTC) as the new output of mine to spend.

Loaded: Slightly too slow, 1d7b37fa is now spent.  Compute and sign your very impressive transaction again with bbeacff. :)


 

Anyone else who wants to be associated with 40k BTC is welcome create a tx using the output of the above to 1B5kWfMmX1rKSwwHhwiiMxjfRRv5o7ZE4p

Bitcoin multimillionaire, broker, and asset manager.
bitcoind signmessage 1BqcwhKevdBKeos72b8E32Swjrp4iDVnjP "I am 'Loaded' of bitcointalk.org."
Hw6QbEy+Z5BNwiv0kPTyizzgU5T1H88RnPRvk7730VoGTReJndKzZ4Jnn1JjIkNiVwBIXsx19RwXQWVfWrZjW+M=
gmaxwell (OP)
January 29, 2013, 02:25:03 AM
Last edit: March 04, 2013, 07:12:55 AM by gmaxwell
 #13

Code:
0100000003c8e2c94e9
69d9d66aae4812b6cf156f32267b773fb2118db696bb847ebd3454a198b59fbd

I've handled pricy assets before, but perhaps that's the most I've ever had move on a single keypress. Very cool.  I'll have more outputs up in a minute.

Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 0 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 1 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 2 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 3 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 4 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 5 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 6 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 7 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 8 1BTC
txout: d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59   vout: 9 1BTC

Pick one which is unspent: either look at d127a741 on a block explorer, or on Bitcoin-qt 0.8 (development version) run
gettxout d127a741660be02c01855c679ff8de7755bb6c2b2ceaa4848e02b14f4f0aae59 n
FreeMoney
January 29, 2013, 02:37:41 AM
 #14

I <3 bitcoin

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
casascius
Mike Caldwell
January 29, 2013, 02:39:18 AM
 #15

Quote
One that auto-swaps coins with strangers in IRC using this very same flow you've got going here.
I've actually done this manually a few times with a few different people— well, IRC messages are too short for most transactions. :( but encrypted pastebins work.  I thought it would be fun to get more people involved.


I am thinking of this as a program that runs all day and night and promiscuously finds random swapping partners, repeatedly swapping coins as soon as they meet a minimum threshold for confirmations. I suppose if such an application wants a dependency on a pastebin site that doesn't mind being polluted with transient traffic and doesn't require a captcha, it would work.

Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
gmaxwell (OP)
January 29, 2013, 03:00:48 AM
 #16

Quote
Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.
Ideally it should be some meeting point over TOR so that there is no incentive to try to record IPs.  Though I'd prefer instead of opportunistically swapping that it rather had lots of people indicate an intent to swap, and then when you want to make a transaction, you'd jointly create a swap and pay transaction. This avoids bloating the blockchain with a bunch of pure swapping and would further improve privacy as you wouldn't know _which_ outputs were swapping and which were payments.  Payments to common anonymous donation addresses could even be merged.
Red Emerald
January 29, 2013, 03:27:47 AM
 #17

Quote
Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.
Ideally it should be some meeting point over TOR so that there is no incentive to try to record IPs.  Though I'd prefer instead of opportunistically swapping that it rather had lots of people indicate an intent to swap, and then when you want to make a transaction, you'd jointly create a swap and pay transaction. This avoids bloating the blockchain with a bunch of pure swapping and would further improve privacy as you wouldn't know _which_ outputs were swapping and which were payments.  Payments to common anonymous donation addresses could even be merged.
This is an interesting idea.

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.

gmaxwell (OP)
January 29, 2013, 03:34:24 AM
 #18

Quote
This is an interesting idea.
Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.
Well, the application is that websites like blockchain.info post analysis for everyone to see— screwing up the privacy of Bitcoin in practice.  I don't have much need for anonymity, but not having everyone from your nosy neighbors to random thieves knowing all your financial activity is both a matter of human dignity and basic safety.  The basic design of Bitcoin should be reasonably private if used right, but people frequently reuse addresses and do other things that gum it up.

Making joint payments can reclaim some of that privacy (but I'm far from convinced that it would thwart serious forensic analysis) and also reduce the total number of transactions being made. 

Besides, there are already many mixers:  But the issue with them is that they're centralized services. When you deposit your coins there is a risk the operator will steal them (or get them stolen). They charge fees... and the operator may be spying and recording all the linkages anyways. With those kinds of properties they're services which are less useful for casual privacy— and only really attractive to the kind of nefarious activity which I don't endorse.

Joint transactions can also be used to have people securely pool funds to pay for common work.  E.g. "I'll post pics with a shoe on my head if y'all raise 10 BTC" and other neat things especially when you factor in the other scriptsig types.
hackjealousy
January 29, 2013, 03:35:14 AM
 #19

Quote
I am thinking of this as a program that runs all day and night and promiscuously finds random swapping partners, repeatedly swapping coins as soon as they meet a minimum threshold for confirmations. I suppose if such an application wants a dependency on a pastebin site that doesn't mind being polluted with transient traffic and doesn't require a captcha, it would work.

Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.

This is essentially: http://blog.ezyang.com/2012/07/secure-multiparty-bitcoin-anonymization/
gmaxwell (OP)
January 29, 2013, 03:37:56 AM
 #20

Yes, it's not new— In fact, I made the first one of these transactions in 2011.  But it's also not widely known.... not widely used enough that people attempting taint analysis get big obvious failures that make them question their premises.
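An added example, not part of any post in this thread: the multi-input ownership assumption the thread discusses, written as union-find clustering and run over constructed transactions, to show how one joint transaction inflates a cluster's apparent balance. The address labels, balances and the "bridge" flag (a transaction whose inputs merge two clusters that each already held several addresses) are assumptions made for illustration.

```python
from collections import defaultdict

COIN = 100_000_000  # satoshis per BTC

def cluster_by_common_inputs(transactions):
    """Treat all input addresses of one transaction as one owner.
    Returns (clusters, bridges); bridges holds the indexes of transactions
    whose inputs merged two clusters that each already had >1 address,
    which an analyst may want to review by hand instead of trusting."""
    parent, size, bridges = {}, {}, []

    def find(addr):
        if addr not in parent:
            parent[addr], size[addr] = addr, 1
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for index, tx in enumerate(transactions):
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)                            # register every address seen
        root = find(tx["inputs"][0])
        for other in tx["inputs"][1:]:
            other_root = find(other)
            if other_root == root:
                continue
            if size[root] > 1 and size[other_root] > 1 and index not in bridges:
                bridges.append(index)
            parent[other_root] = root
            size[root] += size[other_root]

    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return list(clusters.values()), bridges

def apparent_balance(transactions, balances, address):
    """Balance the heuristic would attribute to the owner of `address`."""
    clusters, _ = cluster_by_common_inputs(transactions)
    for members in clusters:
        if address in members:
            return sum(balances.get(a, 0) for a in members)
    return balances.get(address, 0)

# Constructed sample data: two unrelated owners, then one joint transaction.
BALANCES = {"small_1": 1 * COIN, "small_2": COIN // 2,
            "whale_1": 40_000 * COIN, "whale_2": 11_000 * COIN}
HISTORY = [
    {"inputs": ["small_1", "small_2"], "outputs": ["shop_1"]},   # one owner
    {"inputs": ["whale_1", "whale_2"], "outputs": ["whale_3"]},  # one owner
]
JOINT = {"inputs": ["small_1", "whale_1"], "outputs": ["small_1", "whale_1"]}

if __name__ == "__main__":
    print(apparent_balance(HISTORY, BALANCES, "small_1") / COIN)
    print(apparent_balance(HISTORY + [JOINT], BALANCES, "small_1") / COIN)
    print(cluster_by_common_inputs(HISTORY + [JOINT])[1])
```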