I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)

[jl2012]

2409f355c8910721fbbb5c54a01b8f9c692cfb292c3b4f7baf5b8151e44fef21 is the first accepted offer, this one received over GPG-email. Accepting it was a no-brainer: It made a clever and quite generous 10 BTC multi-signature donation the developers.  I've updated the message to  indicate bbeacff94c2d20df8eb4e5556b38977863b4548c79105b10da943cd2eecddd80:0 (also 1 BTC) as the new output of mine to spend.

Loaded: Slightly too slow, 1d7b37fa is now spent.  Compute and sign your very impressive transaction again with bbeacff.

 

Code:

0100000003c8e2c94e9683ca5ca81d5b971aa518b4cae10c3eff0dbc2128ecdc1e2f2bf675000000006c4930460221008d034bf2905e452fcb5ecd7b7893f9d76411655eeda82d04c07a6893811267ee0221009367bc19b2b4db1260faa3945948aec4dcd1d27ca1b3d652ec536bc3aa6f5f54012102f115baf06dd46062573d2b929e243bbc798db8c1fb6b04a324fe05063786d02affffffffd3161114e547413ac20be8f22a4bd3cfe8d7a04ae3bae9a744799414b77fcefd010000006b48304502204bd9b946262b949c7ff69d9f0c2fee4f8fd1f8c9a8c7f2e5c3443ed3deb9feaa0221009be613c94ce7356934c17eaa10811cfe693cbbf0e33ef6af74c1ef8eadbda2d0012102f115baf06dd46062573d2b929e243bbc798db8c1fb6b04a324fe05063786d02affffffff80ddcdeed23c94da105b10798c54b4637897386b55e5b48edf202d4cf9cfeabb0000000000ffffffff02286a7254a30300001976a914aa530a61909a9c2959b52415a211926a53ab37e088ac68b9e304000000001976a91465a034285ca12eebfbd533cb013f1394ee11d4f888ac00000000

Anyone else who wants to be associated with 40k BTC is welcome create a tx using the output of the above to 1B5kWfMmX1rKSwwHhwiiMxjfRRv5o7ZE4p

Just a gentle reminder to everyone: playing with raw tx could be very dangerous. You may end up in paying a huge amount of fee (eg. https://bitcointalk.org/index.php?topic=135665.0 ). Triple check before and after you sign anything. Quadruple or quintuple check if you are playing with 40k BTC

[gmaxwell]

Three anonymous-to-me parties collaborated to produce the transaction spending vout:6 on my last list of outputs (I got directed to a pastebin and asked to sign the content).

Another mystery transaction vout:4 was passed through multiple anonymous parties chinese-whisper style to me.

... and a new record: 50kBTC which spends vout:0.

[Ente]

I love it!

Ente

[giszmo]

Such traffic could be broken into multiple IRC messages to avoid need for pastebin. It could also do direct client to client communications.

Ideally it should be some meeting point over TOR so that there is no incentive to try to record IPs.  Though I'd prefer instead of opportunistically swapping that it rather had lots of people indicate an intent to swap, and then when you want to make a transaction, you'd jointly create a swap and pay transaction. This avoids bloating the blockchain with a bunch of pure swapping and would further improve privacy as you wouldn't know _which_ outputs were swapping and which were payments.  Payments to common anonymous donation addresses could even be merged.

This is an interesting idea.

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.

Call it money laundering and you repel people. Call it fungibility and people tend to support this basic nature bitcoin needs to be cash. If my bitcoins get deducted x% of their value when paying a governmental entity due to containing x% coins from their daily updated black list of transactions, I will think twice if bitcoin failed as a whole. Prevent that from happening means talking about the dangers of taint analysis.
I guess it will be kind of trivial to have some transaction merging being done with every payment once the network gets busier and I also think this should be done (opt out) by the client.
(BitcoinSpinner style A->B+A transactions definitely are a pain. After having done business with 10 or so people through my Android I get very much aware of it.)

Basically we could have 1 transaction per block but involving more entities to forge a transaction will make it more prone to people never signing it. Also the 1 transaction per block would lead to having the true transaction data being public but outside of the blockchain. Similarly some "agency" could heavily advertise to merge transactions with its transactions just to be able to gather intelligence for later taint analysis. Therefore the best strategy for now would be to seek signing partners only in very small groups of maybe not more than 2.

[gmaxwell]

Basically we could have 1 transaction per block but involving more entities to forge a transaction will make it more prone to people never signing it. Also the 1 transaction per block would lead to having the true transaction data being public but outside of the blockchain. Similarly some "agency" could heavily advertise to merge transactions with its transactions just to be able to gather intelligence for later taint analysis. Therefore the best strategy for now would be to seek signing partners only in very small groups of maybe not more than 2.

It's quite possible to have a cryptographic protocol which can safely and completely anonymously combine between parties.

Warning: Very complicated cryptographic protocol below.
(fortunately this stuff just gets put in software and a user clicks the button)

To participate in this system you must first have a fidelity bond:

You construct a specially formed transaction that gives away some coins as fees in a way that proves you didn't receive them. A key committed to as part of doing this is your fidelity bond key.

People interested in forming an anonymous joint transaction join some broadcast communication channel (e.g. IRC over tor).

Every message they send is signed with their fidelity bond key.

They each put up coins they'd like to include and come to an agreement about the transaction. They each form a message about what output address they'd like to send the funds to,  and blind it, and send it to the group. They each advertise a key for blind signing.

The group then performs a group blind signature for each of the blinded messages.

The users unblind their messages, and advertise keys for a reencryption mix. A first user generates some padding messages and their real unblinded token, permutes and encrypts them all, and advertises the result (In reality, he may need to do this many times, for a zero knowledge proof that he isn't screwing it up). Then a next user takes the result, adds their own blinded message, permutes the set, and reencrypts it all, and so on.

After cycling through all users several times, they decrypt, and the result is a randomly ordered set of output address messages which have all been signed by the whole group, but they cannot tell which users authored which. A transaction is created conforming to the agreed inputs and outputs, and all users sign.

If any any point a user refuses to sign in order to jam the process their misbehavior can be proven to anyone who cares to know by showing them the signed messages from a failed round. After seeing a proof they blacklist the misbehaving fidelity bond key, and so DOS attacking this can be made expensive.

I've omitted a lot of complex details (secure group random number agreement for consensus, constructing the ZKPs to show that someone isn't jamming the mix, etc) and waved my hands at things (like group blind signatures)... but its clear to me that it's certainly possible to construct such a thing. The engineering would be quite hard, as this kind of very lock-stepy everything proven algorithm is quite fragile compared to even Bitcoin. So, I don't expected it any time soon— but I'm happy to know that it's possible if it ever actually is needed.  In reality, I expect few are going to try to gum up this sort of thing, so in practice people could get away with much simpler protocols.

[dooglus]

Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

The following tiny patch allows me to send to the same address multiple times from the reference client:

Code:

diff --git a/src/qt/walletmodel.cpp b/src/qt/walletmodel.cpp
index 9d5a2c0..76bb446 100644
--- a/src/qt/walletmodel.cpp
+++ b/src/qt/walletmodel.cpp
@@ -151,7 +151,7 @@ WalletModel::SendCoinsReturn WalletModel::sendCoins(const QList<SendCoinsRecipie
 
     if(recipients.size() > setAddress.size())
     {
-        return DuplicateAddress;
+        // return DuplicateAddress;
     }
 
     if(total > getBalance())

[mb300sd]

Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction

[gmaxwell]

Okay, new coins (sorry for the delay, to get a txn that paid the same address several times I had to write it entirely by hand):

Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction

I literally wrote the transaction hex by hand— the format of a transaction is all byte aligned, and it's not actually too hard to just type one in. (Obviously I didn't sign or convert the addresses to hex160 by hand, but I just copied them from createrawtransaction output and used the regular signrawtransaction command). This comic is relevant.

While I'm here— c3962bbe60d5a22a67e6814b28342e3affdc07357cae2e9abab3f2bc01f251eb  is a 1000 BTC transaction someone sent to me.

[dooglus]

Do you mind sharing what tool you used to do that? bitcoind doesn't allow the duplicate in createrawtransaction

Deleting these 2 lines from the source allows createrawtransaction to make transactions with duplicate output addresses:

Code:

diff --git a/src/rpcrawtransaction.cpp b/src/rpcrawtransaction.cpp
index 9531b12..4e13881 100644
--- a/src/rpcrawtransaction.cpp
+++ b/src/rpcrawtransaction.cpp
@@ -288,8 +288,6 @@ Value createrawtransaction(const Array& params, bool fHelp)
         if (!address.IsValid())
             throw JSONRPCError(RPC_INVALID_ADDRESS_OR_KEY, string("Invalid Bitcoin address: ")+s.name_);
 
-        if (setAddress.count(address))
-            throw JSONRPCError(RPC_INVALID_PARAMETER, string("Invalid parameter, duplicated address: ")+s.name_);
         setAddress.insert(address);
 
         CScript scriptPubKey;

[gmaxwell]

Another email received transaction a511bea3b5dc09609c4853d817cde909fdcdc06cc9558500f155ca821d0d511b, spends vout:8

[WiW]

Can someone please explain all this to the layman?

[dooglus]

Can someone please explain all this to the layman?

I can try.  How's this?

To send bitcoins you make a transaction.  Every transaction takes coins from one or more addresses (the transaction's inputs) and sends them to one or more addresses (its outputs).

When analysing the blockchain to try to work out which addresses belong to which users, people tend to assume that all the input addresses belong to the same wallet, because that is usually the case.

What gmaxwell is doing in this thread is using advanced 'raw transaction' bitcoin commands to collaborate with people to create transactions in which he owns the address of one of the inputs and the other person owns the address of the other input.  In this way he confuses people doing naive blockchain analysis.

In the first such transaction, he contributed 1 BTC from his well-known address and forum user 'loaded' contributed 40,000 BTC.  This makes it look at first glance as if gmaxwell has control of 40,001 BTC.

[dserrano5]

What I don't understand is the following:

You sign this transaction— but it's not valid until both of us sign it. You send it to me […] and if I like your proposed transaction I'll sign it and announce it.  If you think your proposal is especially attractive […].  The most attractive offers will be involve […]

After I accept whatever offer I accept, […]

If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.

[dooglus]

If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.

I guess he didn't want to promise to sign transactions from everyone.  What if too many people responded?  He's going to chose the 'best' ones in some way.  Each of his 1 BTC outputs can only be spent once after all.  It appears the demand has been less than overwhelming, so I expect he's just signed all the transactions he has received.

[WiW]

Perhaps it would be better I try to explain in laymanish what I did understand and someone correct me.

Originally I figured he just meant that if you have X bitcoin and he has X bitcoin, together you can mix the bitcoin and redistribute them in such a way that multiple inputs and an obfuscated list of multiple outputs removes the ability to trace the output address to the original input address...

Say we both have a single bitcoin. We put it in a shared wallet (which we both sign) with a list of respective output wallets. After both bitcoins have been collected, we both sign the transaction to distribute each bitcoin to each wallet. Someone looking from the outside wouldn't know which wallet is whose (in this case they'd have a 50-50 chance of guessing). Of course, when there are more than two involved, I understand there is some way to ensure that each participating member doesn't know which output wallet is whose - but I don't understand how.

Another thing I don't understand is that if all participating members have to sign the outgoing transaction, wouldn't that be a system prone to abuse? I'd put my bitcoin in the pool, but if there are 1,000 other participants I can just forget my bitcoin and never agree to sign a txn that would free those bitcoins and everyone loses.

So where in all this did I misunderstand?

[Steve]

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.

This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.

[gmaxwell]

If the point is confusing those analyzing the blockchain, then why do we have to make attractive offers? I was definitely going to try until I read that.

If multiple people sign for the same output I can only accept one.  After the first couple collisions I ended up listing a bunch of outputs to make collisions less likely.

[Red Emerald]

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.

This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.

Sounds good to me.

[n8rwJeTt8TrrLKPa55eU]

Is there a legitimate usage for a bot like this besides confusing taint analysis?  I'm not sure if you guys really care at this point or even at all, but running software designed essentially to launder coins sounds like it could potentially get someone in trouble.

This capability is essential for Bitcoin.  I can think of very few companies that would like the thought of anyone, especially their competitors, being able to obtain intelligence regarding their financial transactions via blockchain analysis.  While it might be useful for criminals trying to hide illegal activity, it's table stakes for any corporation wanting to use Bitcoin in a substantial way.  Not only does this capability need to be available, its use needs to be easy and widespread.

This is a great point, not often mentioned.  It's not just individuals or druggies who need privacy.

[pc]

If multiple people sign for the same output I can only accept one.  After the first couple collisions I ended up listing a bunch of outputs to make collisions less likely.

Couldn't we use some of the more interesting signature types (ANYONECANPAY or something like that)? People could sign a transaction with their one input they're putting in, their output to themselves that they care about, 1 BTC to you, and you then just add your 1 BTC input from any transaction you want.