Bitcoin Forum
December 11, 2024, 12:30:59 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 »
  Print  
Author Topic: CoinJoin: Bitcoin privacy for the real world  (Read 294664 times)
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1012


View Profile
November 05, 2013, 11:09:04 PM
 #181

Yes, the facilitator gains no extra information about the transaction than is observable from the outside, if blind signing is used (see gmaxwell's posts at the beginning of this thread).

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Anon136
Legendary
*
Offline Offline

Activity: 1722
Merit: 1217



View Profile
November 05, 2013, 11:49:33 PM
 #182

thanks for clearing that up maaku.

*tangent warning* blind signatures are amazing. some people talk about how the future will be saved from tyranny through peaceful parenting. others through the political system. some through revolution. but my money is on the efforts of people like yourself and gmaxwell. idk if you ever stop to think about this, but just the hand full of you guys working on these sorts of technologies might be responsible for saving the entire human species from extinction or worse. i know that sounds dramatic but i really think its hard to overstate the importance of this sort of research.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
Trader Steve
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1007


"How do you eat an elephant? One bit at a time..."


View Profile
November 06, 2013, 12:16:05 AM
 #183

thanks for clearing that up maaku.

*tangent warning* blind signatures are amazing. some people talk about how the future will be saved from tyranny through peaceful parenting. others through the political system. some through revolution. but my money is on the efforts of people like yourself and gmaxwell. idk if you ever stop to think about this, but just the hand full of you guys working on these sorts of technologies might be responsible for saving the entire human species from extinction or worse. i know that sounds dramatic but i really think its hard to overstate the importance of this sort of research.

+1
marcus_of_augustus
Legendary
*
Offline Offline

Activity: 3920
Merit: 2349


Eadem mutata resurgo


View Profile
November 06, 2013, 02:35:08 AM
 #184

Good stuff piuk ... someone needed to get the ball rolling and centralised 'trusted' CoinJoin is better than none.

Will be interested to see the statistics of how many people voluntarily choose to keep tx private when it is not so stigmatised and a simple, easy to use on/off toggle.

gmaxwell (OP)
Moderator
Legendary
*
expert
Offline Offline

Activity: 4284
Merit: 8816



View Profile WWW
November 13, 2013, 09:44:01 PM
Last edit: November 14, 2013, 12:09:33 AM by gmaxwell
 #185

Is destroying user's financial privacy and Bitcoin's fungiblity the next big business for someone to get rich quick on?

http://www.forbes.com/sites/kashmirhill/2013/11/13/sanitizing-bitcoin-coin-validation/

It doesn't have to be, but preventing this future requires substantial movement in the default behavior of everyday Bitcoin users, not just a minority of people with special interests.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
November 13, 2013, 09:54:06 PM
 #186

Does the protocol have any way for participants to negotiate on output size restrictions?

Either make all the outputs the exact same size, or maybe restrict them to something like integer (positive and negative) powers of two?
oakpacific
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


View Profile
November 14, 2013, 07:03:25 AM
 #187

Does the protocol have any way for participants to negotiate on output size restrictions?

Either make all the outputs the exact same size, or maybe restrict them to something like integer (positive and negative) powers of two?

I am thinking that if all the inputs and outputs are of the same size, there is no need for the server to know the mapping?

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
November 14, 2013, 07:06:22 AM
 #188

I am thinking that if all the inputs and outputs are of the same size, there is no need for the server to know the mapping?
That's fine for a theoretical exercise, but in the real world you're going to have a wallet with outputs of random sizes.

Then you're going to need to spend them on a real purchase, also of a random size.

For the protocol to be usable there's got to be a way to deal with that.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
November 14, 2013, 07:09:28 AM
 #189

For this to work, there can not be an unambiguous mapping of input balances to output balances.

One way I can see to avoid that is a convention where outputs are always a standard size (integer powers of two, for example).

You put in a few random sized inputs, and get back several outputs of standard sizes so there's no way to tell which one belongs to what inputs.
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1012


View Profile
November 14, 2013, 07:20:20 AM
 #190

justusranvier, I'm not sure I follow. Mixing is only occurring within a single transaction. Within that transaction, some subset of the outputs must be same-sized. But I do not think there is any reason that all transactions must use the same (set of) output sizes...

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
oakpacific
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


View Profile
November 14, 2013, 07:29:13 AM
 #191

I am thinking that if all the inputs and outputs are of the same size, there is no need for the server to know the mapping?
That's fine for a theoretical exercise, but in the real world you're going to have a wallet with outputs of random sizes.

Then you're going to need to spend them on a real purchase, also of a random size.

For the protocol to be usable there's got to be a way to deal with that.

But it would work for drug dealers trying to cash out, right?

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
November 14, 2013, 07:31:58 AM
 #192

justusranvier, I'm not sure I follow. Mixing is only occurring within a single transaction. Within that transaction, some subset of the outputs must be same-sized. But I do not think there is any reason that all transactions must use the same (set of) output sizes...
If there's only one solution to the question of "which combinations of inputs add up to the individual output values" then the mixing isn't effective.

If I put in 5.2543 BTC worth of inputs and you put in 2.6098 BTC worth of inputs and we create a Coinjoin transaction it's possible for there to be only one combination of inputs which add up to each output. In that case the mixing could be trivially reversed, unless I'm missing something fundamental about CoinJoin.
jedunnigan
Sr. Member
****
Offline Offline

Activity: 279
Merit: 250


View Profile
November 14, 2013, 08:49:54 AM
 #193

One way I can see to avoid that is a convention where outputs are always a standard size (integer powers of two, for example).

I like this idea, although enforcing it network-wide might have other implications (or maybe not, I'm not sure). A script could be written to easily condense a users outputs prior to a CJ tx, so gmaxwell's original design can be followed:
Quote
To use this to increase privacy, the N users would agree on a uniform output size and provide inputs amounting to at least that size.

I think Peter Todd wrote something that cleans out dust, you could just rework that to accomplish the above methinks.
gmaxwell (OP)
Moderator
Legendary
*
expert
Offline Offline

Activity: 4284
Merit: 8816



View Profile WWW
November 14, 2013, 10:36:38 AM
 #194

Even when the inputs can be trivially separated, a party trying to do automated analysis still gets their taint tracking degraded by widespread CJ usage since they won't be able to assume cases where two separable inputs happened was an indication that the two inputs were owned by the same party. Obviously, perfect output indistinguishably is best, but even when the outputs are fully distinguishable (and everywhere in between) there is value too.

In other news, there is a Bitcoin-QT issue for this now:
https://github.com/bitcoin/bitcoin/issues/3226
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
November 14, 2013, 10:41:52 AM
 #195

Obviously, perfect output indistinguishably is best, but even when the outputs are fully distinguishable (and everywhere in between) there is value too.
Why not right now encourage a standard that will more often result in the superior case?

I'm not particularly thrilled with merely degrading taint calculations when analytic capability is only going to improve over time.
oakpacific
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


View Profile
November 14, 2013, 10:52:04 AM
 #196

I am thinking if we should conduct some field tests: get some people to use Coinjoin, and publish their transactions, others will employ every method they can come up with to try to determine which address has sent to which.

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1012


View Profile
November 14, 2013, 05:01:52 PM
 #197

Obviously, perfect output indistinguishably is best, but even when the outputs are fully distinguishable (and everywhere in between) there is value too.
Why not right now encourage a standard that will more often result in the superior case?

I'm not particularly thrilled with merely degrading taint calculations when analytic capability is only going to improve over time.

I'm not really sure I follow. From my analysis there is zero benefit to mandating common output sizes across multiple transactions. gmaxwell, am I mistaken?

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3080



View Profile
November 14, 2013, 05:42:40 PM
 #198

How do you stop the greenlisting authority from saying to you "that's a suspiciously high porportion of multi-output transactions going to your green address, BANNED"?

How do you stop the greenlisting authority from contacting the blacklisting authority and saying to them "Caught another one. Blacklist all these addresses from these transactions. Still remaining unpsent inputs? Too bad."?

Vires in numeris
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1012


View Profile
November 14, 2013, 05:52:50 PM
 #199

Carlton, you don't reuse addresses. That was your mistake.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
dserrano5
Legendary
*
Offline Offline

Activity: 1974
Merit: 1030



View Profile
November 14, 2013, 06:20:42 PM
 #200

As I just said in another thread, we achieve that by automatically "blacklisting" all addresses.
Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!