CoinJoin: Bitcoin privacy for the real world

[maaku]

@solex, I don't know if it's ever been articulated. That and the fact that the coins haven't moved was basically my gripe, not a specific jab at @nanobit (although, this is open-source software developed by volunteers: asking for time estimates is bad form).

[themgp]

There is now 42 BTC donated: https://blockchain.info/address/3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk

Was the plan to pay 100% to the author of the first complete implementation, or for piece-work in progress?

I'd be curious to know what a "complete" implementation is.  I'm guessing no one other than the owners of the donated BTC can say for sure... and AFAIK, they haven't said yet.

[solex]

I'd be curious to know what a "complete" implementation is.  I'm guessing no one other than the owners of the donated BTC can say for sure... and AFAIK, they haven't said yet.

The OP mentions "complete", which I imagine would be a coinjoin implementation which would be considered by Core Dev worthy of inclusion in the reference client (needing cosmetic, standardizing and/or translation changes or only). Now this may remain a theoretical assessment if the goal is to see 3rd party implementations such as blockchain.info's.

Coinmux *seems* very good, and must be a front-runner, subject to informed criticism such as the input from Cryddit.

@solex, I don't know if it's ever been articulated. That and the fact that the coins haven't moved was basically my gripe, not a specific jab at @nanobit (although, this is open-source software developed by volunteers: asking for time estimates is bad form).

Agreed.

[themgp]

I'd be curious to know what a "complete" implementation is.  I'm guessing no one other than the owners of the donated BTC can say for sure... and AFAIK, they haven't said yet.

The OP mentions "complete", which I imagine would be a coinjoin implementation which would be considered by Core Dev worthy of inclusion in the reference client (needing cosmetic, standardizing and/or translation changes or only). Now this may remain a theoretical assessment if the goal is to see 3rd party implementations such as blockchain.info's.

Coinmux *seems* very good, and must be a front-runner, subject to informed criticism such as the input from Cryddit.

@solex, I don't know if it's ever been articulated. That and the fact that the coins haven't moved was basically my gripe, not a specific jab at @nanobit (although, this is open-source software developed by volunteers: asking for time estimates is bad form).

Agreed.

I'll not take the "seems" statement as an insult.   Coinmux has got quite a way to go from where it is now to where i envision it when finished.  And if "complete" means that the implementation is merged into the reference client, i'll never get there as i did not write it in C/C++ (and i'd probably end up writing some pretty shitty C/C++ anyway).

[solex]

I'll not take the "seems" statement as an insult.   Coinmux has got quite a way to go from where it is now to where i envision it when finished.  And if "complete" means that the implementation is merged into the reference client, i'll never get there as i did not write it in C/C++ (and i'd probably end up writing some pretty shitty C/C++ anyway).

My IT experience is not in the area which means I can determine for sure how good it is. It sounds good!! :-)
Shouldn't have to be ready for merging, or in c++, and that's why I mentioned translating. It is the prototype which matters.

[nanobit]

Could someone kindly give a status update on when will we have a real-world, usable CoinJoin (besides the implementation on Blockchain.info)? This thread is huge, and I'm sure many casual readers would like to see a tl;dr to learn will this result in a usable client soon, or what's the plan?

I found the thread when reading this article from 7 months ago. What has happened since?
http://bitcoinmagazine.com/6630/trustless-bitcoin-anonymity-here-at-last/

I'm still actively working on the implementation I have started Coinmux.  I have taken a break for the last month after spending 3+ months working on it nights and weekends. Hopefully there is a Bitcoin God that wants to offer me a job to work on it full time.

Themgp, that looks really interesting! I'm sure others wish you could work on it full time, too!
How far away is it from being usable for an average Bitcointalker?

[gmaxwell]

Was the plan to pay 100% to the author of the first complete implementation, or for piece-work in progress?

Any payouts would need to be discussed with the other signers, but my thinking had been to pay most of it to to the most substantive complete and usable implementation, and partial amounts to smaller efforts (e.g. people who built toy tools and things only a developer could love).  I had also planned on doing the payout itself as a coinjoin, and using a small bit of the funds to pay people to join into the coinjoin.

[themgp]

Could someone kindly give a status update on when will we have a real-world, usable CoinJoin (besides the implementation on Blockchain.info)? This thread is huge, and I'm sure many casual readers would like to see a tl;dr to learn will this result in a usable client soon, or what's the plan?

I found the thread when reading this article from 7 months ago. What has happened since?
http://bitcoinmagazine.com/6630/trustless-bitcoin-anonymity-here-at-last/

I'm still actively working on the implementation I have started Coinmux.  I have taken a break for the last month after spending 3+ months working on it nights and weekends. Hopefully there is a Bitcoin God that wants to offer me a job to work on it full time.

Themgp, that looks really interesting! I'm sure others wish you could work on it full time, too!
How far away is it from being usable for an average Bitcointalker?

The main problem right now is getting an available set of users to do a CoinJoin - the idea doesn't work if no one is using it.  I think if i had a few weeks of solid work on Coinmux, it would be something where a user with a general understanding of bitcoin addresses and public/private keys that wanted to increase their privacy would want to use it.  Hopefully I can find the time soon.

[spooderman]

Excellent work. Thank you for this.

As a computer n00b I will not be contributing code, but as an early adopter I can contribute some btc.

Thank you.

[caedes]

Some coinjoin news from darkwallet:

The alpha version of the coinjoin is just barely working but is allowing us to test the basic usability concepts, we're polishing it during next days, and the wallet is going to take some time to come out of alpha/beta, nonetheless people is playing with it both in testnet and mainnet.

https://blockchain.info/tx/c38aac9910f327700e0f199972eed8ea7c6b1920e965f9cb48a92973e7325046
https://blockchain.info/tx/85f5f2b2e57535b42a30596f8d2a048b0b0c426f953e54dd96c72a77a21a6468

Some description about this:

https://wiki.unsystem.net/index.php/DarkWallet/Alpha#Mixing

More technical details:

The coinjoin now is simple two people coinjoin, as such we just make sure the 2 parties are the only ones who know the outputs correspondence, no need to hide from each other.

This is accomplished by talking over an unsecured channel where each peer publishes their pubkey with coinjoin announces, then others will answer doing ecdh, the initiator will choose one and they will continue talking to each other till they reach an agreement.

Our usability goes like this:

Anyone can set (a branch or pocket in) their wallet in "mixing" state, meaning it will be listening for coinjoin offers to mix available funds into new addresses.

For people sending, the wallet always tries to mix by announcing a coinjoin for the send value. If it can't mix it will send anyways in 60 seconds (at the moment).

Our idea is that this simple form of coinjoin can take off then we can add more complex coinjoin announcements or protocols. It is fully integrated in the normal workings of the wallet and it should work with other features like above you can see a coinjoin that went together with a stealth since the user is just sending stealth.

It seems to work pretty all right as long as at least a few wallets are mixing, and even if the current implementation is almost the simplest trustless mixing implementation i hope you can appretiate the potential.

Also looking forward to implement more advanced forms of coinjoin although our focus now would be to finish off what we have so it will be solid and easily extendable as a platform for development of other protocols. Also to note other wallets or tools can definitely join the same lobby and join together with darkwallets, but there is none yet, we plan to at least make one such simple tool.

Please feedback

[maaku]

Is there a central server involved in your implementation? I'm not trying to spread FUD, it's just there is conflicting information out there on the net. What you describe here sounds like it is p2p. Where are the announce messages posted?

[Gyrsur]

Some coinjoin news from darkwallet:

...

Please feedback

how much is libbitcoin (Bitcoin core implementation of Dark Wallet as I understand so far) compatible to "Bitcoin Core" the reference implementation of the Bitcoin protocol?

as I understood central servers are necessary like the Electrum central servers. are they Open Source software? where can I find this implementation? until now the client is Open Source but is the server code also available?

EDIT: found some information for myself.

https://wiki.unsystem.net/index.php/DarkWallet/Alpha#Server

https://wiki.unsystem.net/index.php/Obelisk

http://libbitcoin.dyne.org/obelisk/

https://wiki.unsystem.net/index.php/Obelisk/Servers

https://wiki.unsystem.net/index.php/DarkWallet/Gateway

https://github.com/darkwallet/gateway

https://github.com/libbitcoin

[caedes]

Is there a central server involved in your implementation? I'm not trying to spread FUD, it's just there is conflicting information out there on the net. What you describe here sounds like it is p2p. Where are the announce messages posted?

The clients meet in a lobby, that right now is the gateway they connect for other services. This works as an irc room. We're not making security assumptions there and the clients encrypt for the channel (useless for public announcement channel like this case) and then for the peer (using curve25519 dh).

What there is not is a pool, all mixing is coinjoin and the funds would never leave the client till signed together with someone.

Clients are sharing public keys and will engage in private communications after the initial announce, for now always through the "chat". Nothing is cleartext and the server has no role other as work like a broadcast medium with channel selection.

The gateway servers are now isolated but the plan soon is have them federate over a tuple space (probably through python entangled) (so anyone can join through tuple space instead of the websocket channel)

The clients can later choose other transports, as our protocol is purely logical.

[caedes]

how much is libbitcoin (Bitcoin core implementation of Dark Wallet as I understand so far) compatible to "Bitcoin Core" the reference implementation of the Bitcoin protocol?

as I understood central servers are necessary like the Electrum central servers. are they Open Source software? where can I find this implementation? until now the client is Open Source but is the server code also available?

About how compatible it is, I can't really answer myself just that it should be following the bitcoin protocol and we don't have any "propietary" extensions or anything like that. Of course it's going to need heavy testing, auditing etc and we are open and wellcome anyone that helps on that.

About servers, yes the model is similar to electrum. Since the server is opensource you can install it in you server, and in the future there is nothing against you can just run it in you laptop or some parts of it, ie we have no long running assumption everyone *has to be connected to our lobby or to a server*.

We're soon releasing more installers and howtos about server configuratiojn or autonomous config by installing everything (or some part) in your computer.

Edit: A little detail here. DarkWallet itself is javascript and uses bitcoinjs-lib as its core bitcoin implementation. Then our "obelisk server" runs libbitcoin.

Edit2: We have a thread for discussing DarkWallet technicals: https://bitcointalk.org/index.php?topic=592493.0. Will be better if we leave this thread for coinjoin specifics and do any dw specifics there.

[caedes]

Also, to make it clear:

Our approach does depend that different wallets can find a common medium to broadcast for coinjoin announces.

Other than that, the technique doesn't depend on the server itself, our mechanics is like ctx: https://gist.github.com/luke-jr/5409899 but we don't do it over the bitcoin network.

So the clients, after having chosen a common place to announce, in our case our gateway lobby:

0. Some are listening for offers
1: Send announcements to start a join (now looking for a peer, but could look for more), with a pubkey (now its using the same one, but can be one per-announcement and will be).
2. Other peers answer over ecdh, they will both offer inputs outputs, sign and broadcast over the private encrypted channel.

We believe the base we have can now have more hardened approaches tested, we provide a framework. This is a medium where we can do cryptographers dinner, or dissent protocols. This is just the beginning but it's a minimum that should work for getting the whole thing running.

Our goal is now apply the minimum necessary improvements, so on release this will also be making some claims about privacy, it's not making them right now, we're just offering information about where we are, so together with you people we can make it best.

We also invite other's to join forces and implement their techniques on our platform.

Edit: Added more detailed information about how we do it right now at: https://wiki.unsystem.net/index.php/DarkWallet/CoinMixing#Alpha_mixer

[maaku]

@caedes, why not have a peer-to-peer broadcast-flood channel for announcing joint transaction availability? Maybe even reuse one that is already available, well maintained, and has known security properties, like say the bitcoin network itself? And then do direct connections to the followon stages?

[genjix]

@caedes, why not have a peer-to-peer broadcast-flood channel for announcing joint transaction availability? Maybe even reuse one that is already available, well maintained, and has known security properties, like say the bitcoin network itself? And then do direct connections to the followon stages?

We're waiting on a spec from Peter Todd.

[caedes]

@caedes, why not have a peer-to-peer broadcast-flood channel for announcing joint transaction availability? Maybe even reuse one that is already available, well maintained, and has known security properties, like say the bitcoin network itself? And then do direct connections to the followon stages?

Yes as genjix says we're waiting for specific proposal of how to approach it, when we designed the system that was the idea that we could use the bitcoin network to overcome some of the adversary problems.

[maaku]

Yeah okay. I'll see if I can find time to finish the half-written BIP I've already started.

[gmaxwell]

extremely interesting thread...what struck my eye was the slow validations which can cause a major clog with transactions when Dark Coin (based off of CoinJoin) gets bigger, right? The more coins transacted the slower the confirmations am I right in saying that?

No, not in a meaningful sense. Validation is very cheap. You do run into block size limits if you're trying to transact too much at once, but any privacy system is limited in its privacy by transaction volume.

"Dark Coin" really strikes me as pointless. The whole idea in coinjoin is that coinjoin is already part of the design of Bitcoin. There is no advantage in having a new and different system. If you're going to do something incompatible, losing Bitcoin's network effect in the process, then you can do something much stronger.

It also depresses me somewhat to see people talking about darkcoin (or even zerocoin/zerocash) when bytecoin has a privacy system with much better properties than CoinJoin (it's similar to CJ except you safely join with offline coin holders, and all users are participants), something made possible by the fact that it doesn't have to fit within the existing Bitcoin network, and it's completely practical, reasonably performant and deployed for some time now. But strangely, it's virtually unheard of...  Bytecoin's privacy properties are in some sense weaker than zerocoin's— since its like a supercharged coinjoin— but the cryptography is much stronger and much more efficient, so in practice I'd expect it to have better anonymity just due to it being much more practical (also as evidence to it existing as a deployed system).  ... so yea, if you actually are interested in privacy technology in a non-bitcoin system, Bytecoin seems to have pretty much nailed it.