Bitcoin Forum
Author Topic: CoinJoin: Bitcoin privacy for the real world  (Read 269347 times)
Gyrsur
May 02, 2014, 04:36:32 PM
 #481

Some coinjoin news from darkwallet:

...

Please feedback :)



how much is libbitcoin (Bitcoin core implementation of Dark Wallet as I understand so far) compatible to "Bitcoin Core" the reference implementation of the Bitcoin protocol?

as I understood central servers are necessary like the Electrum central servers. are they Open Source software? where can I find this implementation? until now the client is Open Source but is the server code also available?

EDIT: found some information for myself.

https://wiki.unsystem.net/index.php/DarkWallet/Alpha#Server

https://wiki.unsystem.net/index.php/Obelisk

http://libbitcoin.dyne.org/obelisk/

https://wiki.unsystem.net/index.php/Obelisk/Servers

https://wiki.unsystem.net/index.php/DarkWallet/Gateway

https://github.com/darkwallet/gateway

https://github.com/libbitcoin
caedes
May 03, 2014, 12:24:33 PM
 #482

Is there a central server involved in your implementation? I'm not trying to spread FUD, it's just there is conflicting information out there on the net. What you describe here sounds like it is p2p. Where are the announce messages posted?

The clients meet in a lobby, that right now is the gateway they connect for other services. This works as an irc room. We're not making security assumptions there and the clients encrypt for the channel (useless for public announcement channel like this case) and then for the peer (using curve25519 dh).

What there is not is a pool, all mixing is coinjoin and the funds would never leave the client till signed together with someone.

Clients are sharing public keys and will engage in private communications after the initial announce, for now always through the "chat". Nothing is cleartext and the server has no role other than to work like a broadcast medium with channel selection.

The gateway servers are now isolated but the plan soon is to have them federate over a tuple space (probably through python entangled) (so anyone can join through tuple space instead of the websocket channel).

The clients can later choose other transports, as our protocol is purely logical.
caedes
May 03, 2014, 12:30:35 PM
 #483


how much is libbitcoin (Bitcoin core implementation of Dark Wallet as I understand so far) compatible to "Bitcoin Core" the reference implementation of the Bitcoin protocol?

as I understood central servers are necessary like the Electrum central servers. are they Open Source software? where can I find this implementation? until now the client is Open Source but is the server code also available?



About how compatible it is, I can't really answer myself just that it should be following the bitcoin protocol and we don't have any "proprietary" extensions or anything like that. Of course it's going to need heavy testing, auditing etc and we are open and welcome anyone that helps on that.

About servers, yes the model is similar to electrum. Since the server is opensource you can install it in your server, and in the future there is nothing against you can just run it in your laptop or some parts of it, ie we have no long running assumption everyone *has to be connected to our lobby or to a server*.

We're soon releasing more installers and howtos about server configuration or autonomous config by installing everything (or some part) in your computer.

Edit: A little detail here. DarkWallet itself is javascript and uses bitcoinjs-lib as its core bitcoin implementation. Then our "obelisk server" runs libbitcoin.

Edit2: We have a thread for discussing DarkWallet technicals: https://bitcointalk.org/index.php?topic=592493.0. Will be better if we leave this thread for coinjoin specifics and do any dw specifics there.
caedes
May 03, 2014, 12:59:49 PM
 #484

Also, to make it clear:

Our approach does depend that different wallets can find a common medium to broadcast for coinjoin announces.

Other than that, the technique doesn't depend on the server itself, our mechanics is like ctx: https://gist.github.com/luke-jr/5409899 but we don't do it over the bitcoin network.

So the clients, after having chosen a common place to announce, in our case our gateway lobby:

0. Some are listening for offers
1. Send announcements to start a join (now looking for a peer, but could look for more), with a pubkey (now it's using the same one, but can be one per-announcement and will be).
2. Other peers answer over ecdh, they will both offer inputs outputs, sign and broadcast over the private encrypted channel.

We believe the base we have can now have more hardened approaches tested, we provide a framework. This is a medium where we can do cryptographers dinner, or dissent protocols. This is just the beginning but it's a minimum that should work for getting the whole thing running.

Our goal is now apply the minimum necessary improvements, so on release this will also be making some claims about privacy, it's not making them right now, we're just offering information about where we are, so together with you people we can make it best.

We also invite others to join forces and implement their techniques on our platform.

Edit: Added more detailed information about how we do it right now at: https://wiki.unsystem.net/index.php/DarkWallet/CoinMixing#Alpha_mixer
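
Added example, not part of the thread and not DarkWallet code: the announce-then-answer flow from steps 1 and 2 of the post above, run through a relay that only forwards messages. The post names only curve25519 DH; the HKDF-SHA256 key derivation, AES-256-GCM encryption, message fields and all function names are assumptions made for this sketch, and the offer values are constructed.

```javascript
const crypto = require('crypto');

// Each side makes a fresh X25519 key pair per announcement (one-time keys).
function newPeer() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { privateKey, pub: publicKey.export({ format: 'der', type: 'spki' }) };
}

// ECDH, then HKDF-SHA256 salted with both announced public keys (assumed KDF).
function sessionKey(me, theirPub, announcerPub, responderPub) {
  const publicKey = crypto.createPublicKey({ key: theirPub, format: 'der', type: 'spki' });
  const secret = crypto.diffieHellman({ privateKey: me.privateKey, publicKey });
  const salt = Buffer.concat([announcerPub, responderPub]);
  return Buffer.from(crypto.hkdfSync('sha256', secret, salt, 'coinjoin-demo', 32));
}

// Authenticated encryption of a JSON message: iv (12) || tag (16) || ciphertext.
function seal(key, obj) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(JSON.stringify(obj), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

// Throws if the key is wrong or the message was modified in transit.
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  const pt = Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

function runExchange() {
  // The lobby only relays; it records every message it forwards.
  const lobbyLog = [];
  const relay = (msg) => { lobbyLog.push(msg); return msg; };

  // Step 1: the announcer broadcasts a join request with a one-time public key.
  const announcer = newPeer();
  const announce = relay({ type: 'announce', pub: announcer.pub });

  // Step 2: a listener answers with its own key and an encrypted offer.
  const responder = newPeer();
  const rKey = sessionKey(responder, announce.pub, announce.pub, responder.pub);
  const offer = {                       // constructed sample values
    inputs: ['<constructed-txid>:0'],
    outputs: [{ addr: '<constructed-addr>', sat: 1000000 }],
  };
  const answer = relay({ type: 'answer', pub: responder.pub, box: seal(rKey, offer) });

  // The announcer derives the same key from the answer and reads the offer.
  const aKey = sessionKey(announcer, answer.pub, announcer.pub, answer.pub);
  const received = open(aKey, answer.box);

  // Another lobby member who saw both messages derives a different key.
  const observer = newPeer();
  const oKey = sessionKey(observer, answer.pub, announcer.pub, answer.pub);
  let observerRead = true;
  try { open(oKey, answer.box); } catch (e) { observerRead = false; }

  const needle = Buffer.from('constructed-addr');
  const leaked = lobbyLog.some((m) => Boolean(m.box) && m.box.includes(needle));
  return { keysMatch: aKey.equals(rKey), received, observerRead, leaked };
}
```

The announced keys in this sketch are not authenticated, so it shows confidentiality only against a relay that forwards messages unchanged.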
maaku
May 03, 2014, 04:23:58 PM
 #485

@caedes, why not have a peer-to-peer broadcast-flood channel for announcing joint transaction availability? Maybe even reuse one that is already available, well maintained, and has known security properties, like say the bitcoin network itself? And then do direct connections to the followon stages?

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
genjix
May 03, 2014, 08:27:06 PM
 #486

@caedes, why not have a peer-to-peer broadcast-flood channel for announcing joint transaction availability? Maybe even reuse one that is already available, well maintained, and has known security properties, like say the bitcoin network itself? And then do direct connections to the followon stages?

We're waiting on a spec from Peter Todd.
caedes
May 04, 2014, 05:03:17 AM
 #487

@caedes, why not have a peer-to-peer broadcast-flood channel for announcing joint transaction availability? Maybe even reuse one that is already available, well maintained, and has known security properties, like say the bitcoin network itself? And then do direct connections to the followon stages?

Yes as genjix says we're waiting for specific proposal of how to approach it, when we designed the system that was the idea that we could use the bitcoin network to overcome some of the adversary problems.
maaku
May 04, 2014, 06:11:50 AM
 #488

Yeah okay. I'll see if I can find time to finish the half-written BIP I've already started.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
gmaxwell
May 18, 2014, 10:26:24 PM
 #489

extremely interesting thread...what struck my eye was the slow validations which can cause a major clog with transactions when Dark Coin (based off of CoinJoin) gets bigger, right? The more coins transacted the slower the confirmations am I right in saying that?
No, not in a meaningful sense. Validation is very cheap. You do run into block size limits if you're trying to transact too much at once, but any privacy system is limited in its privacy by transaction volume.

"Dark Coin" really strikes me as pointless. The whole idea in coinjoin is that coinjoin is already part of the design of Bitcoin. There is no advantage in having a new and different system. If you're going to do something incompatible, losing Bitcoin's network effect in the process, then you can do something much stronger.

It also depresses me somewhat to see people talking about darkcoin (or even zerocoin/zerocash) when bytecoin has a privacy system with much better properties than CoinJoin (it's similar to CJ except you safely join with offline coin holders, and all users are participants), something made possible by the fact that it doesn't have to fit within the existing Bitcoin network, and it's completely practical, reasonably performant and deployed for some time now. But strangely, it's virtually unheard of...  Bytecoin's privacy properties are in some sense weaker than zerocoin's— since it's like a supercharged coinjoin— but the cryptography is much stronger and much more efficient, so in practice I'd expect it to have better anonymity just due to it being much more practical (also as evidence to it existing as a deployed system).  ... so yea, if you actually are interested in privacy technology in a non-bitcoin system, Bytecoin seems to have pretty much nailed it.

Bitcoin will not be compromised
telepatheic
May 18, 2014, 11:03:48 PM
 #490

It also depresses me somewhat to see people talking about darkcoin (or even zerocoin/zerocash) when bytecoin has a privacy system with much better properties than CoinJoin (it's similar to CJ except you safely join with offline coin holders, and all users are participants), something made possible by the fact that it doesn't have to fit within the existing Bitcoin network, and it's completely practical, reasonably performant and deployed for some time now. But strangely, it's virtually unheard of...  Bytecoin's privacy properties are in some sense weaker than zerocoin's— since it's like a supercharged coinjoin— but the cryptography is much stronger and much more efficient, so in practice I'd expect it to have better anonymity just due to it being much more practical (also as evidence to it existing as a deployed system).  ... so yea, if you actually are interested in privacy technology in a non-bitcoin system, Bytecoin seems to have pretty much nailed it.

Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!
gmaxwell
May 19, 2014, 12:54:58 AM
 #491

Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!
Yea, the Bytecoin/Bytecoin thing caused me to not notice it for a long time.

The cryptographically interesting Bytecoin has a reasonable whitepaper: https://bytecoin.org/old/whitepaper.pdf  Some of the things it does appear to be pointless or ill-advised to me and I would have counseled otherwise— but as far as the privacy aspect goes, the ring signature approach appears top notch. The privacy depends on the decisional DH problem, so perhaps you could argue that its privacy has a slightly weaker cryptographic story than the basic discrete log stuff (computational DH) but in the curve they're using it's believed to be equally strong.  In any case, anything that has reduced the privacy question to asking about cryptographic assumptions has gone pretty good.

Sorry for the OT tangent here. Though there may be some good bitcoin-relevant privacy things to mine out of the bytecoin design.


Bitcoin will not be compromised
anonymousxx1503
May 19, 2014, 10:58:01 PM
 #492

Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!
Yea, the Bytecoin/Bytecoin thing caused me to not notice it for a long time.

The cryptographically interesting Bytecoin has a reasonable whitepaper: https://bytecoin.org/old/whitepaper.pdf  Some of the things it does appear to be pointless or ill-advised to me and I would have counseled otherwise— but as far as the privacy aspect goes, the ring signature approach appears top notch. The privacy depends on the decisional DH problem, so perhaps you could argue that its privacy has a slightly weaker cryptographic story than the basic discrete log stuff (computational DH) but in the curve they're using it's believed to be equally strong.  In any case, anything that has reduced the privacy question to asking about cryptographic assumptions has gone pretty good.

Sorry for the OT tangent here. Though there may be some good bitcoin-relevant privacy things to mine out of the bytecoin design.



It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?

I'd like to thank eduffield and the other developers for this critically important evolution in virtual currency. DarkCoin is what bitcoin should have been. Some might call it "Bitcoin 2.0" but would do better by saying: "DarkCoin is digital cash." - Child Harold - February 28, 2014
https://bitcointalk.org/index.php?topic=421615.msg5424980#msg5424980
gmaxwell
May 20, 2014, 12:08:03 AM
 #493

It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?
As hard as it is to believe, people other than me do occasionally have really good ideas. :)  ... (No, I'd only heard about it a couple months ago and looked into it in depth until the last week).  I think all these altcoins are horribly ill-advised in their altcoinness. You're in the wrong subforum and thread if you want to talk about cryptocurrency speculation— my interest here is just in the techniques— and I'm not going to credit some random code aping fork for other people's work when talking about them.

(In case anyone had the impression that I thought bytecoin was all love and wonder: the implementation is currently really immature and somewhat buggy— and perhaps not likely to improve if its authors are now getting voted off the island in a fork. The POW is very slow to validate, and seems generally ill-advised to me (see https://download.wpsoftware.net/bitcoin/asic-faq.pdf), the adaptive blocksize stuff seems dangerous and the coin burning excuse for it can't work as expected in the long run since miners can get paid out of band, ... but the privacy design is very good, though even there it's incompatible with pruning (but so is everything else). Of course, all these concerns also apply to forks that just aped the code.).

Bitcoin will not be compromised
telepatheic
May 20, 2014, 12:34:46 AM
 #494

Looking through the white paper, it seems like ring signatures don't actually sign the bytecoin transactions, they only sign the inputs.

I wonder if anyone with an expertise in ring signatures has reviewed the paper, it's a little out of my comfort zone.
Gyrsur
May 25, 2014, 10:12:30 AM
 #495

It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?
As hard as it is to believe, people other than me do occasionally have really good ideas. :)  ... (No, I'd only heard about it a couple months ago and looked into it in depth until the last week).  I think all these altcoins are horribly ill-advised in their altcoinness. You're in the wrong subforum and thread if you want to talk about cryptocurrency speculation— my interest here is just in the techniques— and I'm not going to credit some random code aping fork for other people's work when talking about them.

(In case anyone had the impression that I thought bytecoin was all love and wonder: the implementation is currently really immature and somewhat buggy— and perhaps not likely to improve if its authors are now getting voted off the island in a fork. The POW is very slow to validate, and seems generally ill-advised to me (see https://download.wpsoftware.net/bitcoin/asic-faq.pdf), the adaptive blocksize stuff seems dangerous and the coin burning excuse for it can't work as expected in the long run since miners can get paid out of band, ... but the privacy design is very good, though even there it's incompatible with pruning (but so is everything else). Of course, all these concerns also apply to forks that just aped the code.).


did you have the chance to get a look into Darkcoin, too? thank you!
dewdeded
May 26, 2014, 08:56:13 PM
 #496

http://sharedcoin.com/ is trustless centralized CoinJoin by Greg Maxwell.
Darksend in DarkCoin is decentralized CoinJoin by Evan Duffield.

Haters/FUDers/trolls hate on DarkCoin saying it's insecure because bad actors like Governments could run many Masternodes.


Leads me to the question:

Is decentralized trustless CoinJoin possible?
maaku
May 26, 2014, 10:20:04 PM
 #497

Greg has nothing to do with sharedcoin (and sharedcoin has little to do with coinjoin).

To your question, read the op. This whole thread is a description of how to do decentralized, trustless mixing.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
genjix
May 26, 2014, 10:33:59 PM
 #498

kinda sad darkcoin isnt implementing ring sigs
masternodes are coinjoin servers where miners must pay tax
i'm interested to understand how that differs to federated darkwallet gateways
still, all power to drk... 4th crypto now
dewdeded
May 26, 2014, 10:52:05 PM
 #499

maaku: Thank you very much. SharedCoin is based on what technology then?

All: As it's basically the same. Any reason why DarkCoin's DarkSend is attacked as insecure, but DarkWallet is not?
maaku
May 27, 2014, 12:00:18 AM
 #500

Sharedcoin is a blockchain.info product. You can read about it on their website, but I don't think it was based on any external design, just a mixing service cooked up by one of their engineers.

Darkcoin and darkwallet also have nothing in common either. Despite co-opting the name, darkcoin's darksend doesn't appear to have anything to do with coinjoin. Their description and illustration in their thread shows some sort of centralized mixing service (more akin to sharedcoin), and indeed their distribution mechanism involves a reward for "masternodes" which perform the mixing with these fresh coins. It would be nice if someone from that project could chime in here and explain just what it is trying to accomplish, because the available technical descriptions are scarce and contradictory.

Darkwallet does indeed implement coinjoin, albeit using a centralized matchmaking service to set up the mixes. I have been informed by the developers that this is a temporary mechanism and they are working towards a fully p2p solution. They do not use the blind signing or ring signature mechanisms which are required to scale to more than 2 participants without revealing ownership of outputs.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP