Bitcoin Forum
October 12, 2024, 11:17:39 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 [17] 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 »
  Print  
Author Topic: CoinJoin: Bitcoin privacy for the real world  (Read 294626 times)
mmeijeri
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500

Martijn Meijering


View Profile
December 15, 2013, 10:38:51 PM
 #321

Couldn't you just eject all but one of the partial transactions that use the same addresses from the current CoinJoin operation, maybe based on the lowest value of some appropriate hash?

ROI is not a verb, the term you're looking for is 'to break even'.
phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1001

Let the chips fall where they may.


View Profile WWW
December 16, 2013, 08:28:31 AM
 #322

Couldn't you just eject all but one of the partial transactions that use the same addresses from the current CoinJoin operation, maybe based on the lowest value of some appropriate hash?
Who does the rejecting, and why should they be trusted?

I think an implication of GMaxwell's work-arounds is that such outputs can't be merged (which I think would be the ideal case).

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
mmeijeri
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500

Martijn Meijering


View Profile
December 16, 2013, 08:58:28 AM
Last edit: December 16, 2013, 10:09:22 AM by mmeijeri
 #323

Who does the rejecting, and why should they be trusted?

If it's an algorithmic decision, it doesn't matter, does it? But it was just something that popped into my mind, it's not a well thought out proposal.

ROI is not a verb, the term you're looking for is 'to break even'.
phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1001

Let the chips fall where they may.


View Profile WWW
December 16, 2013, 09:17:21 AM
 #324

The vulnerability is that the participants don't communicate their intentions with each other for fear of losing their privacy. (Address re-use has privacy implications on its own).

Algorithms are written by people. So they can be made to do thing you don't want. GMaxwell was making suggestions describing how people can share their intentions, without losing their privacy.

Edit: if we solve e-voting (as a side-effect), that would be a big achievement on its own.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
mmeijeri
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500

Martijn Meijering


View Profile
December 16, 2013, 09:21:43 AM
 #325

Algorithms are written by people. So they can be made to do thing you don't want.

Not if it's part of a protocol.

Quote
GMaxwell was making suggestions describing how people can share their intentions, without losing their privacy.

Sure, I'm not saying his suggestion wouldn't be superior, just that this might be a quick initial fix. If there aren't other problems with it that is. There very well might be.

ROI is not a verb, the term you're looking for is 'to break even'.
phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1001

Let the chips fall where they may.


View Profile WWW
December 16, 2013, 09:23:46 AM
 #326

Algorithms are written by people. So they can be made to do thing you don't want.

Not if it's part of a protocol.


The protocol would have to describe how the participants become aware of the conflicting outputs (and how cheating by the mixer is prevented).

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
piotr_n
Legendary
*
Offline Offline

Activity: 2055
Merit: 1359


aka tonikt


View Profile WWW
December 16, 2013, 04:40:47 PM
Last edit: December 16, 2013, 05:30:51 PM by piotr_n
 #327

I really don't understand all the applause and excitement on how "CoinJoin" is supposed to increase the users' privacy.

Are you kidding me?
This is not any new technology - personally I would not even call it an invention...
IMHO, it is rather a legal advise to use a plausible deniability in a possible cases against you.

At first it had been assumed (by some incompetent people) that all the inputs of a single transaction must always come from the same wallet (thus the same person).
What the author of the OP has invented is literally nothing - he only stated that technically inputs of a single transaction might just as well come from a completely different wallets - and this gives anyone a plausible deniability in any legal case (against him) that would be based on the assumption that all the inputs of a certain transaction came from his wallet.

In reality, assuming that you never disclose the content of your wallet (and if you did, CoinJoin won't help you anyway), you do not even need to find other parties to conduct CoinJoin!
You can just as well "CoinJoin" your own coins, as long as you are going to claim that they weren't all yours - and there will be no distinguishable difference whatsoever, from a CoinJoin tx made by a multiple parties.

CoinJoin does not create any additional privacy - it is actually less private than regular translations, since the process involves letting other people to know which coins are yours.
At best, it only gives you a reason to claim in court that not all the inputs were yours. The core of the "solution" here is a legal advise based on a technical properties of the bitcoin protocol.

So, not that I want to scare him, but as much as gmaxwell did not want to offend his big brother by helping to develop a software that would enable CoinJoin, he actually already did the most important part of the job by giving all the people the excuse that is the core of the invention here.

Therefore, since I am not so afraid of his brother, let me promptly point it out once again and remember: whenever anyone tells you that they traced your coins by "joined inputs" - just deny it and say that it was a CoinJoin transaction and not all the inputs were yours. Especially if it wasn't a CoinJoin transaction. Smiley

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
waxwing
Sr. Member
****
Offline Offline

Activity: 469
Merit: 253


View Profile
December 16, 2013, 05:35:10 PM
 #328

Good point piotr_n. It makes you think about the game-theoretic infinite regresses going on here. I would really appreciate it if some people write plausible code into wallets for CoinJoin, because next time I am in despotic country X and the local thugs are rubberhosing my private keys out of me, I'd like them to be slightly less convinced that both those inputs were mine Smiley

PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
piotr_n
Legendary
*
Offline Offline

Activity: 2055
Merit: 1359


aka tonikt


View Profile WWW
December 16, 2013, 05:40:32 PM
 #329

Good point piotr_n. It makes you think about the game-theoretic infinite regresses going on here. I would really appreciate it if some people write plausible code into wallets for CoinJoin, because next time I am in despotic country X and the local thugs are rubberhosing my private keys out of me, I'd like them to be slightly less convinced that both those inputs were mine Smiley
If it makes you feel better my Gocoin already supports it, though I won't be going into details because as I said: it's pretty useless and all we need to make it even more plausible is a software that can do it, not the people to do it with, nor actually doing it.

Actually even the satoshi client supports it, ever since they added the create/sign raw transaction APIs.

So if you will ever need a court witness to demonstrate how easy it is to make a CoinJoin transaction, you know how to find me. Smiley

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1001

Let the chips fall where they may.


View Profile WWW
December 16, 2013, 05:58:29 PM
 #330

Are you kidding me?
This is not any new technology - personally I would not even call it an invention...
IMHO, it is rather a legal advise to use a plausible deniability in a possible cases against you.

...

CoinJoin does not create any additional privacy - it is actually less private than regular translations, since the process involves letting other people to know which coins are yours.
At best, it only gives you a reason to claim in court that not all the inputs were yours. The core of the "solution" here is a legal advise based on a technical properties of the bitcoin protocol.

Privacy is not only for plausible deniability in a legal case against you: as waxwing alluded to, it is also designed to give plausible deniability if local thugs figure out you frequent a Bitcoin accepting shop and likely have a fat wallet.

I am not convinced doing coinjoin transactions with yourself gives the same deniability. You would first have to split your funds (a good idea anyway with the relentless climb in value), then mix them. However, without other parties, the spitting and mixing with no external links will look obvious on a graph of transactions.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
December 16, 2013, 06:00:55 PM
 #331

IMHO, it is rather a legal advise to use a plausible deniability in a possible legal cases against you.

...

CoinJoin does not give you any additional anonymity. At best, it only gives you a reason to claim in court that not all the inputs were yours. The core of the "solution" here is a legal advise based on a technical properties of the bitcoin protocol.

Coinjoin will be worthless in court.  Your case is not going to prosecution when the sole evidence is a bitcoin transaction.  Instead, that transaction is going to be used as the basis for collecting gobs and gobs of further evidence.  At that point, the coinjoin isn't going to help you in court, it is going to hurt you, since it will be evidence that you knew what you were doing was wrong and tried to bury the evidence.

We need massive large scale joining for two reasons.  One, if joining is routine, then you doing it isn't going to be evidence of wrongdoing anymore.

Two is to muddy the waters for mass surveillance.  Right now, it is nearly trivial to trace transactions back and forth until it lands on a discoverable point.  Assume for the moment that the NSA has total visibility into some exchange's HTTPS traffic and can see every deposit address they provide to users.  When your chain of transactions lands on one of those addresses, the FBI knows they just need to request the customer info for whichever account uses that address, and they've got you.

Now imagine the world with coinjoin.  Your coins break up and land in a dozen joint transactions.  From there, each one hits a dozen more, and a dozen more, and so on.  Now there are thousands or millions of things to track, and almost all of them will not be yours.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
piuk
Hero Member
*****
expert
Offline Offline

Activity: 910
Merit: 1005



View Profile WWW
December 20, 2013, 12:17:37 AM
 #332

Sharedcoin transactions on blockchain.info lowered to 0.0001 BTC per repetition. On average 1.8 unique participants are joining in together each transaction, so over several repetitions there is a very good chance your transaction will be directly mixed with other users not just the sharedcoin server.

When did that happen? That's a major change that deserves a large announcement. Are they using BIP32 to derive the new addresses?

It's just for Sharedcoin transactions and not BIP32 yet but I hope that will be available soon.

justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
December 20, 2013, 12:21:57 AM
 #333

It's just for Sharedcoin transactions and not BIP32 yet but I hope that will be available soon.
That blockchain.info encourages address reuse is really the only significant complaint I have with your service.

Fixing that would be a great thing for privacy.
Trader Steve
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1007


"How do you eat an elephant? One bit at a time..."


View Profile
December 20, 2013, 12:41:43 AM
 #334

Sharedcoin transactions on blockchain.info lowered to 0.0001 BTC per repetition. On average 1.8 unique participants are joining in together each transaction, so over several repetitions there is a very good chance your transaction will be directly mixed with other users not just the sharedcoin server.

When did that happen? That's a major change that deserves a large announcement. Are they using BIP32 to derive the new addresses?

It's just for Sharedcoin transactions and not BIP32 yet but I hope that will be available soon.

Great service!
andytoshi
Full Member
***
Offline Offline

Activity: 179
Merit: 151

-


View Profile
December 23, 2013, 02:42:52 AM
 #335

For those willing to futz around with raw transactions, I have a simple centralized coinjoiner available here:

https://www.wpsoftware.net/coinjoin/

Basically, once you submit a transaction this opens a 15-minute window for others to submit a transaction. After the 15 minutes are up, the transactions are merged and everybody signs the merged transaction. Once all the signatures are received, the joiner submits the transaction.

Thanks very much to my testers, in particular gmaxwell and midnightmagic, for their excellent suggestions and bug-finding.
Sarchar
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
December 28, 2013, 09:06:39 AM
 #336

Would this strategy work?

Take N>3 coin joiners wishing to mix their coins and give them an order: A to B to C to D to E and back to A, forming a circle.

A is responsible for creating the first transaction. We proceed in rounds, each person receives the transaction from the person before them and forwards it to the next guy, where E returns it to A to form a circle.

Each person, upon receiving the transaction does the following:

If the received transaction is completely signed, then either forward the transaction onto the next guy or broadcast it to the bitcoin network. Forward randomly so the next in line can't figure out who signed last.

Otherwise, randomly add unspent inputs (from the blockchain utxo set) to the transaction and then add some random outputs. The inputs and outputs don't need to be owned by the person adding them, but eventually you need to include your final inputs and outputs. Next, select a few inputs added in a previous round and remove them (in the first round there will be nothing to remove). Do the same for outputs. Don't remove inputs or outputs that others added because they will assume you're trying to cheat and leave.  In a later round, say 2 or 3, optionally sign one of your real inputs. If a successive person changes the tx again, you'll have to resign in another, later round.

Continue rounds until all fake inputs and outputs have been removed and the remaining inputs have been signed.

The obvious downsides include having to resign multiple times, the potential for lots of rounds, and not scaling well to large values of N. Any other thoughts?

gmaxwell (OP)
Moderator
Legendary
*
expert
Offline Offline

Activity: 4242
Merit: 8708



View Profile WWW
December 28, 2013, 04:04:59 PM
 #337

If the parties immediately before and after you in the loop are conspiring (or sibyls) then they can always tell which inputs/outputs you added, so this is less private than some of the schemes proposed, in which N-2 malicious parties in an N way join cannot tell the 2 honest parties apart, for all N>2 (assuming you have underlying anonymous communication).

Your protocol sounds somewhat similar to a reencryption mix, except a reencryption mix doesn't need the chaff because the values are encrypted. A problem with using them for CJ is that protocols to prove faithful operation (e.g. to catch a party trying to break it) are computation and bandwidth intensive. One of their upsides (also— somewhat the case for yours) is that they are not so dependent on an underlying anonymity network (also the case for a MPC sort).

I think another potential issue in your protocol is that someone can just keep changing inputs/outputs forever to jam it, and you can't tell who is doing it (well, not anymore than you can tell who is who absent a jammer).
NewLiberty
Legendary
*
Offline Offline

Activity: 1204
Merit: 1002


Gresham's Lawyer


View Profile WWW
December 28, 2013, 04:47:14 PM
 #338

For those willing to futz around with raw transactions, I have a simple centralized coinjoiner available here:

https://www.wpsoftware.net/coinjoin/

Basically, once you submit a transaction this opens a 15-minute window for others to submit a transaction. After the 15 minutes are up, the transactions are merged and everybody signs the merged transaction. Once all the signatures are received, the joiner submits the transaction.

Thanks very much to my testers, in particular gmaxwell and midnightmagic, for their excellent suggestions and bug-finding.
Brought forward

FREE MONEY1 Bitcoin for Silver and Gold NewLibertyDollar.com and now BITCOIN SPECIE (silver 1 ozt) shows value by QR
Bulk premiums as low as .0012 BTC "BETTER, MORE COLLECTIBLE, AND CHEAPER THAN SILVER EAGLES" 1Free of Government
Sarchar
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
December 28, 2013, 04:48:08 PM
 #339

If the parties immediately before and after you in the loop are conspiring (or sibyls) then they can always tell which inputs/outputs you added, so this is less private than some of the schemes proposed, in which N-2 malicious parties in an N way join cannot tell the 2 honest parties apart, for all N>2 (assuming you have underlying anonymous communication).

I considered this, but there's the extra advantage that nobody knows for sure if a single entity in the loop is indeed a single entity.  Consider a figure 8, where node C is at the apex, and when he receives the transaction, it's passed around a similar set of other nodes and returning back to C, he forwards it on in the other loop.  You'd have to control a large number of nodes in such a network to be able to produce any real association.

Quote
Your protocol sounds somewhat similar to a reencryption mix, except a reencryption mix doesn't need the chaff because the values are encrypted. A problem with using them for CJ is that protocols to prove faithful operation (e.g. to catch a party trying to break it) are computation and bandwidth intensive. One of their upsides (also— somewhat the case for yours) is that they are not so dependent on an underlying anonymity network (also the case for a MPC sort).

Do you have any more information on how a reencryption mix works w.r.t. CoinJoin?

Quote
I think another potential issue in your protocol is that someone can just keep changing inputs/outputs forever to jam it, and you can't tell who is doing it (well, not anymore than you can tell who is who absent a jammer).

True - it's especially problematic as N goes larger.  Worst case, you have to assume everyone in the group is against you.  Limit yourself to a low number of rounds and try other peers if the # of rounds is exceeded.  You could theoretically build a list of trusted peers where previous successful CJs have been executed, too.  All this is just workaround for a fundamental problem, though.
Patel
Legendary
*
Offline Offline

Activity: 1321
Merit: 1007



View Profile WWW
January 04, 2014, 01:50:43 AM
 #340

Have any Bitcoin core developers said anything about adding CoinJoin into the protocol?

Bump for this thread because it is important for Bitcoin
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 [17] 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!