Bitcoin Forum
October 22, 2017, 12:30:08 PM *
News: Latest stable version of Bitcoin Core: 0.15.0.1  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 »
  Print  
Author Topic: CoinJoin: Bitcoin privacy for the real world  (Read 262858 times)
maaku
Legendary
*
expert
Offline Offline

Activity: 905


View Profile
November 05, 2013, 11:09:04 PM
 #181

Yes, the facilitator gains no extra information about the transaction than is observable from the outside, if blind signing is used (see gmaxwell's posts at the beginning of this thread).

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
1508675408
Hero Member
*
Offline Offline

Posts: 1508675408

View Profile Personal Message (Offline)

Ignore
1508675408
Reply with quote  #2

1508675408
Report to moderator
1508675408
Hero Member
*
Offline Offline

Posts: 1508675408

View Profile Personal Message (Offline)

Ignore
1508675408
Reply with quote  #2

1508675408
Report to moderator
1508675408
Hero Member
*
Offline Offline

Posts: 1508675408

View Profile Personal Message (Offline)

Ignore
1508675408
Reply with quote  #2

1508675408
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1508675408
Hero Member
*
Offline Offline

Posts: 1508675408

View Profile Personal Message (Offline)

Ignore
1508675408
Reply with quote  #2

1508675408
Report to moderator
1508675408
Hero Member
*
Offline Offline

Posts: 1508675408

View Profile Personal Message (Offline)

Ignore
1508675408
Reply with quote  #2

1508675408
Report to moderator
Anon136
Legendary
*
Offline Offline

Activity: 1288



View Profile
November 05, 2013, 11:49:33 PM
 #182

thanks for clearing that up maaku.

*tangent warning* blind signatures are amazing. some people talk about how the future will be saved from tyranny through peaceful parenting. others through the political system. some through revolution. but my money is on the efforts of people like yourself and gmaxwell. idk if you ever stop to think about this, but just the hand full of you guys working on these sorts of technologies might be responsible for saving the entire human species from extinction or worse. i know that sounds dramatic but i really think its hard to overstate the importance of this sort of research.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
Trader Steve
Hero Member
*****
Offline Offline

Activity: 832


"How do you eat an elephant? One bit at a time..."


View Profile
November 06, 2013, 12:16:05 AM
 #183

thanks for clearing that up maaku.

*tangent warning* blind signatures are amazing. some people talk about how the future will be saved from tyranny through peaceful parenting. others through the political system. some through revolution. but my money is on the efforts of people like yourself and gmaxwell. idk if you ever stop to think about this, but just the hand full of you guys working on these sorts of technologies might be responsible for saving the entire human species from extinction or worse. i know that sounds dramatic but i really think its hard to overstate the importance of this sort of research.

+1
marcus_of_augustus
Legendary
*
Offline Offline

Activity: 2408



View Profile
November 06, 2013, 02:35:08 AM
 #184

Good stuff piuk ... someone needed to get the ball rolling and centralised 'trusted' CoinJoin is better than none.

Will be interested to see the statistics of how many people voluntarily choose to keep tx private when it is not so stigmatised and a simple, easy to use on/off toggle.

gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2324



View Profile
November 13, 2013, 09:44:01 PM
 #185

Is destroying user's financial privacy and Bitcoin's fungiblity the next big business for someone to get rich quick on?

http://www.forbes.com/sites/kashmirhill/2013/11/13/sanitizing-bitcoin-coin-validation/

It doesn't have to be, but preventing this future requires substantial movement in the default behavior of everyday Bitcoin users, not just a minority of people with special interests.

Bitcoin will not be compromised
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
November 13, 2013, 09:54:06 PM
 #186

Does the protocol have any way for participants to negotiate on output size restrictions?

Either make all the outputs the exact same size, or maybe restrict them to something like integer (positive and negative) powers of two?
oakpacific
Hero Member
*****
Offline Offline

Activity: 798


View Profile
November 14, 2013, 07:03:25 AM
 #187

Does the protocol have any way for participants to negotiate on output size restrictions?

Either make all the outputs the exact same size, or maybe restrict them to something like integer (positive and negative) powers of two?

I am thinking that if all the inputs and outputs are of the same size, there is no need for the server to know the mapping?

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
November 14, 2013, 07:06:22 AM
 #188

I am thinking that if all the inputs and outputs are of the same size, there is no need for the server to know the mapping?
That's fine for a theoretical exercise, but in the real world you're going to have a wallet with outputs of random sizes.

Then you're going to need to spend them on a real purchase, also of a random size.

For the protocol to be usable there's got to be a way to deal with that.
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
November 14, 2013, 07:09:28 AM
 #189

For this to work, there can not be an unambiguous mapping of input balances to output balances.

One way I can see to avoid that is a convention where outputs are always a standard size (integer powers of two, for example).

You put in a few random sized inputs, and get back several outputs of standard sizes so there's no way to tell which one belongs to what inputs.
maaku
Legendary
*
expert
Offline Offline

Activity: 905


View Profile
November 14, 2013, 07:20:20 AM
 #190

justusranvier, I'm not sure I follow. Mixing is only occurring within a single transaction. Within that transaction, some subset of the outputs must be same-sized. But I do not think there is any reason that all transactions must use the same (set of) output sizes...

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
oakpacific
Hero Member
*****
Offline Offline

Activity: 798


View Profile
November 14, 2013, 07:29:13 AM
 #191

I am thinking that if all the inputs and outputs are of the same size, there is no need for the server to know the mapping?
That's fine for a theoretical exercise, but in the real world you're going to have a wallet with outputs of random sizes.

Then you're going to need to spend them on a real purchase, also of a random size.

For the protocol to be usable there's got to be a way to deal with that.

But it would work for drug dealers trying to cash out, right?

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
November 14, 2013, 07:31:58 AM
 #192

justusranvier, I'm not sure I follow. Mixing is only occurring within a single transaction. Within that transaction, some subset of the outputs must be same-sized. But I do not think there is any reason that all transactions must use the same (set of) output sizes...
If there's only one solution to the question of "which combinations of inputs add up to the individual output values" then the mixing isn't effective.

If I put in 5.2543 BTC worth of inputs and you put in 2.6098 BTC worth of inputs and we create a Coinjoin transaction it's possible for there to be only one combination of inputs which add up to each output. In that case the mixing could be trivially reversed, unless I'm missing something fundamental about CoinJoin.
jedunnigan
Sr. Member
****
Offline Offline

Activity: 280


View Profile
November 14, 2013, 08:49:54 AM
 #193

One way I can see to avoid that is a convention where outputs are always a standard size (integer powers of two, for example).

I like this idea, although enforcing it network-wide might have other implications (or maybe not, I'm not sure). A script could be written to easily condense a users outputs prior to a CJ tx, so gmaxwell's original design can be followed:
Quote
To use this to increase privacy, the N users would agree on a uniform output size and provide inputs amounting to at least that size.

I think Peter Todd wrote something that cleans out dust, you could just rework that to accomplish the above methinks.
gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2324



View Profile
November 14, 2013, 10:36:38 AM
 #194

Even when the inputs can be trivially separated, a party trying to do automated analysis still gets their taint tracking degraded by widespread CJ usage since they won't be able to assume cases where two separable inputs happened was an indication that the two inputs were owned by the same party. Obviously, perfect output indistinguishably is best, but even when the outputs are fully distinguishable (and everywhere in between) there is value too.

In other news, there is a Bitcoin-QT issue for this now:
https://github.com/bitcoin/bitcoin/issues/3226

Bitcoin will not be compromised
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
November 14, 2013, 10:41:52 AM
 #195

Obviously, perfect output indistinguishably is best, but even when the outputs are fully distinguishable (and everywhere in between) there is value too.
Why not right now encourage a standard that will more often result in the superior case?

I'm not particularly thrilled with merely degrading taint calculations when analytic capability is only going to improve over time.
oakpacific
Hero Member
*****
Offline Offline

Activity: 798


View Profile
November 14, 2013, 10:52:04 AM
 #196

I am thinking if we should conduct some field tests: get some people to use Coinjoin, and publish their transactions, others will employ every method they can come up with to try to determine which address has sent to which.

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
maaku
Legendary
*
expert
Offline Offline

Activity: 905


View Profile
November 14, 2013, 05:01:52 PM
 #197

Obviously, perfect output indistinguishably is best, but even when the outputs are fully distinguishable (and everywhere in between) there is value too.
Why not right now encourage a standard that will more often result in the superior case?

I'm not particularly thrilled with merely degrading taint calculations when analytic capability is only going to improve over time.

I'm not really sure I follow. From my analysis there is zero benefit to mandating common output sizes across multiple transactions. gmaxwell, am I mistaken?

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Carlton Banks
Legendary
*
Offline Offline

Activity: 1792



View Profile
November 14, 2013, 05:42:40 PM
 #198

How do you stop the greenlisting authority from saying to you "that's a suspiciously high porportion of multi-output transactions going to your green address, BANNED"?

How do you stop the greenlisting authority from contacting the blacklisting authority and saying to them "Caught another one. Blacklist all these addresses from these transactions. Still remaining unpsent inputs? Too bad."?

Vires in numeris
maaku
Legendary
*
expert
Offline Offline

Activity: 905


View Profile
November 14, 2013, 05:52:50 PM
 #199

Carlton, you don't reuse addresses. That was your mistake.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
dserrano5
Legendary
*
Offline Offline

Activity: 1848



View Profile
November 14, 2013, 06:20:42 PM
 #200

As I just said in another thread, we achieve that by automatically "blacklisting" all addresses.

Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!