Bitcoin Forum
Author Topic: CoinJoin: Bitcoin privacy for the real world  (Read 291287 times)
okashira
February 20, 2014, 11:28:30 PM
 #421

Yeah, but I'm just saying that it's pretty worthless if they store the logs.
And if they don't store the logs... well, that's probably illegal, at least in US and Russia :)

The only safe CoinJoin solution I see is p2p based, with some tricky encryption.

But still I think this will never beat services like bitcoinfog, assuming that they indeed remove the logs as they claim.
I mean: you deposit your money and withdraw ~98% of it, while your deposit is still unspent - destroying a log at this moment leaves absolutely no traces and it's actually a perfect "privacy for the real world".
Though it has two big disadvantages, over p2p coin mixing:
1) You need to trust the service to really destroy the logs
2) It doesn't come for free.

So I also find CoinJoin as a nice and possibly useful project, but IMHO centralizing it would just defeat the purpose.

Is that exactly what Darkcoin is doing? Decentralized and encrypted coinjoin.
ShadowOfHarbringer
February 20, 2014, 11:34:44 PM
 #422

Yeah, but I'm just saying that it's pretty worthless if they store the logs.
And if they don't store the logs... well, that's probably illegal, at least in US and Russia :)

The only safe CoinJoin solution I see is p2p based, with some tricky encryption.

But still I think this will never beat services like bitcoinfog, assuming that they indeed remove the logs as they claim.
I mean: you deposit your money and withdraw ~98% of it, while your deposit is still unspent - destroying a log at this moment leaves absolutely no traces and it's actually a perfect "privacy for the real world".
Though it has two big disadvantages, over p2p coin mixing:
1) You need to trust the service to really destroy the logs
2) It doesn't come for free.

So I also find CoinJoin as a nice and possibly useful project, but IMHO centralizing it around a server would just defeat the purpose.
Not to mention that it would be dangerous for whoever runs this server.
Piotr_n, you seem to be an intelligent and experienced low level (C++ or lower) programmer.

Wouldn't it suit you better simply to write your own CoinJoin implementation instead of just talking about it ?

After studying your posts on these forums, I am fairly certain that you have the skill. The question is, whether you want to do something with it, or just keep discussing the topic ?

themgp
February 20, 2014, 11:48:05 PM
 #423

Yeah, but I'm just saying that it's pretty worthless if they store the logs.
And if they don't store the logs... well, that's probably illegal, at least in US and Russia :)

The only safe CoinJoin solution I see is p2p based, with some tricky encryption.

But still I think this will never beat services like bitcoinfog, assuming that they indeed remove the logs as they claim.
I mean: you deposit your money and withdraw ~98% of it, while your deposit is still unspent - destroying a log at this moment leaves absolutely no traces and it's actually a perfect "privacy for the real world".
Though it has two big disadvantages, over p2p coin mixing:
1) You need to trust the service to really destroy the logs
2) It doesn't come for free.

So I also find CoinJoin as a nice and possibly useful project, but IMHO centralizing it around a server would just defeat the purpose.
Not to mention that it would be dangerous for whoever runs this server.

The CoinJoin client I wrote, Coinmux https://github.com/michaelgpearce/coinmux is P2P and open source. It's still in its early development phase though. Having spent the last 10 years building web applications, building a true P2P application is definitely more difficult than building a server-side solution (which you have to trust).
piotr_n
February 21, 2014, 12:04:34 AM
Last edit: February 21, 2014, 12:22:19 AM by piotr_n
 #424

After studying your posts on these forums, I am fairly certain that you have the skill. The question is, whether you want to do something with it, or just keep discussing the topic ?
Honestly, I just don't need it, so I don't really feel the urge to create such a thing.

If the solution was easy I would have probably done it even when not needing it, but in such case someone else would have already done it before me. The problem is that it doesn't seem so much straightforward. On the other hand providing feedback on the forum is easy - this I can do by the way of having another beer before sleep, nothing hard about it :)

Still I believe it can be done and since it can be done, someone will do it one day - it is just a matter of time.
But to design it well, you first need to define what kind of privacy this technology is supposed to target.
I mean you can identify different kinds of threats.
The first one is of course that all the internet traffic is recorded.
The second: that the peers with whom you are sharing your transaction may (and surely will, after you launch the project) be malicious - e.g. I can imagine a network of bots flooding the p2p system with many txs to themselves, just to learn about your transactions.
A third... probably also something.

But if you just want to do a "p2p CoinJoin", without caring about any of these things, then you might just as well look for people to share your tx with on IRC; you all make a joined tx and each party manually signs its part. There already is software that can do it - not only mine, as far as I know.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Cryddit
February 21, 2014, 12:38:10 AM
 #425


It's possible to implement coinjoin that can be trusted, even if nobody deletes the logs.  You can secure it against the ability to associate inputs or outputs with each other, or with IP addresses, to an opponent using blockchain evidence, server logs, or realtime packet sniffing. 

The "tricky cryptography" is a stream cipher with multiple keys, each key being known to exactly two participants  (aka, a dc-net).  There is a requirement that there must be more than one honest participant in the "join" whose stream key is unknown to the opponent.   An opponent listening to packet traffic can associate inputs/outputs with any participant whose key that opponent has compromised, so if there is only one honest participant whose key is uncompromised, the opponent can associate inputs/outputs with that participant by process of elimination.

I'll implement it if nobody else has by the time I get around to it, but it isn't my highest priority right now; I have a higher-paying bounty to pursue in programming, which is (arguably) even more important to Bitcoin in terms of adoption and remaining decentralized, and that is to limit the size of the blockchain download needed to run a full node.



maaku
February 21, 2014, 02:00:10 AM
 #426

Cryddit, did you read the op? Blind signatures require no honest nodes.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Cryddit
February 21, 2014, 09:21:21 AM
 #427

Cryddit, did you read the op? Blind signatures require no honest nodes.

True.  But Blind signatures alone are not sufficient to implement reliably untraceable coinmixing.

In the solution with blind signatures, you still have someone listening to the packet traffic able to associate inputs and outputs with particular IP addresses - and therefore with each other. 
ShadowOfHarbringer
February 21, 2014, 09:53:52 AM
 #428

After studying your posts on these forums, I am fairly certain that you have the skill. The question is, whether you want to do something with it, or just keep discussing the topic ?
Honestly, I just don't need it, so I don't really feel the urge to create such a thing.
(...)
Still I believe it can be done and since it can be done, someone will do it one day
Ok then, so you prefer to sit and wait for someone to do it for you.

Wow
So laziness
Much not giving fuck
Such a shame
Wow

maaku
February 21, 2014, 10:36:08 AM
 #429

In the solution with blind signatures, you still have someone listening to the packet traffic able to associate inputs and outputs with particular IP addresses - and therefore with each other. 

Yes, you need an anonymous network. But we have solutions for that...

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Cryddit
February 21, 2014, 06:38:25 PM
 #430


The extant solution for anonymous networks (Tor) requires extra steps that many users won't do, many of those who do will get wrong, and many of those who get wrong won't be aware that they've got wrong.  It is subject to attacks where the compromises of a few selected machines outside your control (your route and exit nodes) can cause your privacy to be sacrificed even if every other node in the mix is honest.  And it is subject to traffic rerouting in transit on the backbone, which is known to be done by at least one sophisticated attacker specifically in response to the fact that it is Tor traffic in the first place. That attacker, and presumably others, specifically reroutes Tor traffic through attack sites which use browser flaws to compromise the machines that originate the traffic.

Tor was a good design once; but the attacks on it are in place, sophisticated, only getting worse, and not easily detectable from the originating node.  So I think that its usefulness is closer to its end than to its beginning.  While Tor may still be good more than 90% of the time, I'm not willing to trust it in the long run. Nor am I willing to trust that people using it can keep their machines from getting compromised by reroutes to attack sites which are using zero-day exploits against their browsers.  Most of them don't even fully disable scripts and cookies in their Tor browser sessions.

The dc-net solution requires you to trust only that there exists at least one other node (ANY participating node) that is not compromised; that's a strictly stronger guarantee than Tor.  If it's built into the protocol then it involves no steps that many users will not do, nor steps that users will attempt but do wrongly.  It is not dependent on the security of machines other than those directly participating, and does not expose machines to attack via a browser as Tor in normal use generally does.

Further, its guarantees are orthogonal to those provided by a (properly functioning) Tor network;  With Tor alone, (if the critical path machines and your own remain uncompromised) you can't associate nodes with IP addresses, but if you're sniffing packet traffic you can associate inputs and outputs with particular nodes.  With the DC-net alone, you can't associate inputs or outputs with particular nodes, but if you're sniffing packet traffic you can produce a list of the IP addresses of the nodes.   So I claim the proper solution is to implement the DC-net as the "fundamental" basis of the protocol, and then let people use it over Tor if they want the extra layer of obfuscation and can correctly use Tor.   That way, even if they fail at configuring Tor, or get unlucky with their Tor network routing, or fail in keeping their own machines secure while using Tor, they still have some fundamental amount of protection.  And if they use Tor correctly, they get additional protection that the DC-net alone could not provide.
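
The dc-net property argued in posts #425 and #430, as an added example that is not part of the original posts or of any CoinJoin implementation: an observer who records every packet can list who participated but can only attribute the message once every other participant's keys have leaked. The participant names, the SHAKE-256 keystream, the one-sender-per-round slot and the sample message are assumptions of this sketch.

```python
import hashlib
import itertools
import secrets

SLOT = 32  # bytes per round; one sender per round is an assumption of this sketch

def pad(key, round_no):
    """Keystream for one round from a pairwise key (SHAKE-256 chosen for the sketch)."""
    return hashlib.shake_256(key + round_no.to_bytes(8, "big")).digest(SLOT)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pairwise_keys(names):
    """One key per pair, so each key is known to exactly two participants."""
    return {frozenset(p): secrets.token_bytes(32)
            for p in itertools.combinations(names, 2)}

def run_round(names, keys, round_no, sender, message):
    """Return what each participant puts on the wire (what a sniffer records)."""
    wire = {}
    for name in names:
        out = bytes(SLOT)
        for other in names:
            if other != name:
                out = xor(out, pad(keys[frozenset((name, other))], round_no))
        if name == sender:
            out = xor(out, message.ljust(SLOT, b"\0"))
        wire[name] = out
    return wire

def combine(wire):
    """XOR of all broadcasts: every pad appears twice and cancels."""
    out = bytes(SLOT)
    for packet in wire.values():
        out = xor(out, packet)
    return out.rstrip(b"\0")

def attribute(wire, names, keys, compromised, round_no):
    """Sender as seen by an opponent who sniffs every packet and holds all keys
    of the compromised participants; None if the sender cannot be singled out."""
    for name in names:
        if name in compromised:
            continue
        residual, all_known = wire[name], True
        for other in names:
            if other == name:
                continue
            if other in compromised:   # this pairwise key has leaked
                residual = xor(residual, pad(keys[frozenset((name, other))], round_no))
            else:                      # key shared by two honest nodes stays secret
                all_known = False
        if all_known and any(residual):
            return name
    return None

NAMES = ["alice", "bob", "carol", "dave"]  # hypothetical participants
OUTPUT = b"constructed-output-address"     # constructed sample message

if __name__ == "__main__":
    keys = pairwise_keys(NAMES)
    wire = run_round(NAMES, keys, 1, "alice", OUTPUT)
    for bad in ({"carol", "dave"}, {"bob", "carol", "dave"}):
        print(combine(wire), sorted(bad), "->", attribute(wire, NAMES, keys, bad, 1))
```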


randomguy7
February 21, 2014, 08:22:53 PM
 #431

After studying your posts on these forums, I am fairly certain that you have the skill. The question is, whether you want to do something with it, or just keep discussing the topic ?
Honestly, I just don't need it, so I don't really feel the urge to create such a thing.
(...)
Still I believe it can be done and since it can be done, someone will do it one day
Ok then, so you prefer to sit and wait for someone to do it for you.

Wow
So laziness
Much not giving fuck
Such a shame
Wow

Wtf maybe you should contribute something on your own (code, money) instead of telling other people which type of unpaid work they should do for you in their free time.
hozer
February 22, 2014, 01:40:49 AM
 #432

After studying your posts on these forums, I am fairly certain that you have the skill. The question is, whether you want to do something with it, or just keep discussing the topic ?
Honestly, I just don't need it, so I don't really feel the urge to create such a thing.
(...)
Still I believe it can be done and since it can be done, someone will do it one day
Ok then, so you prefer to sit and wait for someone to do it for you.

Wow
So laziness
Much not giving fuck
Such a shame
Wow

Wtf maybe you should contribute something on your own (code, money) instead of telling other people which type of unpaid work they should do for you in their free time.

My thoughts exactly. If you are serious about anonymity and privacy, PAY FOR IT. Cause you have this big problem of how do you test it to make sure it's working. I'm sure the EFF or some other non-profit could be found to hold some money to pay for development and testing.
ShadowOfHarbringer
February 22, 2014, 01:43:02 PM
 #433

After studying your posts on these forums, I am fairly certain that you have the skill. The question is, whether you want to do something with it, or just keep discussing the topic ?
Honestly, I just don't need it, so I don't really feel the urge to create such a thing.
(...)
Still I believe it can be done and since it can be done, someone will do it one day
Ok then, so you prefer to sit and wait for someone to do it for you.

Wow
So laziness
Much not giving fuck
Such a shame
Wow

Wtf maybe you should contribute something on your own (code, money) instead of telling other people which type of unpaid work they should do for you in their free time.
WTF, I already did. Look at my sig, genius.

And that is NOT what I am talking about. I am actually criticising piotr_n for coming to this thread and complaining, instead of coding it himself.
And (as he confirmed himself) he could actually do it, he just does not care.

I cannot code CoinJoin anyway, too complex for my skill level.

therealbigcoin
March 02, 2014, 04:58:35 PM
 #434

Is this the thing darkcoin will implement?
philipmicklon
March 02, 2014, 06:52:53 PM
 #435

Is this the thing darkcoin will implement?
Yes, I believe this is the general idea behind the darksend feature. But the darksend feature hasn't been rolled out yet.
gmaxwell
March 03, 2014, 01:46:22 AM
 #436

The extant solution for anonymous networks (Tor) requires extra steps that many users won't do,
Tor is actually quite easy to bundle, and some other programs (like torchat) already do. I'd assume that someday there would be bitcoin clients offered with bundled tor.
themgp
March 03, 2014, 01:52:39 AM
 #437

The extant solution for anonymous networks (Tor) requires extra steps that many users won't do,
Tor is actually quite easy to bundle, and some other programs (like torchat) already do. I'd assume that someday there would be bitcoin clients offered with bundled tor.

I was looking at Orchid (a Tor library) today and saw Mike Hearn's name on a github pull request: https://github.com/subgraph/Orchid/pull/9 with the comment: "I need this fix for bitcoinj."
AnonyMint
March 03, 2014, 02:16:13 AM
 #438

The dc-net solution requires you to trust only that there exists at least one other node (ANY participating node) that is not compromised; that's a strictly stronger guarantee than Tor

My understanding of dc-nets is it is impractical to stop denial-of-service. Generally speaking the stronger the anonymity of the mixing, the more difficult to deal with denial-of-service.

I have more comments about what actually works for anonymity at another thread.

unheresy.com - Prodigiously Elucidating the Profoundly Obtuse
THIS FORUM ACCOUNT IS NO LONGER ACTIVE
therealbigcoin
March 03, 2014, 07:42:22 AM
 #439

The extant solution for anonymous networks (Tor) requires extra steps that many users won't do,
Tor is actually quite easy to bundle, and some other programs (like torchat) already do. I'd assume that someday there would be bitcoin clients offered with bundled tor.

I was looking at Orchid (a Tor library) today and saw Mike Hearn's name on a github pull request: https://github.com/subgraph/Orchid/pull/9 with the comment: "I need this fix for bitcoinj."

How about security? I think most exit nodes are under NSA control, how could that be improved?
AnonyMint
March 11, 2014, 08:55:57 AM
 #440

Comments please on my technical statement herein?

Yes, I think CoinJoin should be a very good start.  But do any really decentralised and fully working implementations of CoinJoin exist already?  I don't think so and would be interested to know if they are.

I'm not aware of any either but don't let that deter you from using one of the already existing solutions even if they aren't perfect.

A decentralized CoinJoin will have difficulty forming transactions (including unequal or equal transaction amounts) that look like this if anyone can join:

https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b?show_adv=true

A sharedcoin transaction will look something like this: https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b (picked at random). As you can see multiple inputs and outputs make determining the actual sender and receiver more difficult.

The server does not need to keep any logs and transactions are only kept in memory for a short time. However If the server was compromised or under subpoena it could be force...

Because the way it must work is the users sign the transaction first with their requested outputs, then in the second round they sign their payments as inputs to the transaction. If the payment inputs are less than the total, then the transaction is invalid. There is no way to determine who cheated and rate limit them. Thus the saboteur can stomp on every attempt to create a CoinJoin transaction and destroy the decentralized system.

DarkCoin says they can solve this by charging a fee, but you will see I originally proposed that idea in the CoinJoin thread and the requirement is all the participants must be permanently identified and then must use divide-and-conquer to whittle down to who was the saboteur. But identification defeats the mixing!

Thus I have not yet seen a workable decentralized CoinJoin that can scale. And I don't expect one.

unheresy.com - Prodigiously Elucidating the Profoundly Obtuse
THIS FORUM ACCOUNT IS NO LONGER ACTIVE