Bitcoin Forum
Author Topic: CoinJoin: Bitcoin privacy for the real world  (Read 252757 times)
dewdeded
May 27, 2014, 12:11:58 AM
 #501

Now I am confused.

e.g. on https://darkcointalk.org/threads/coinjoin-in-bitcoin-and-darksend.560/
or http://www.reddit.com/r/DRKCoin/comments/1zlv36/what_does_darkcoin_offer_that_couldnt_be_done/
or some/a lot of other sites they talk about CoinJoin in DarkSend
cbeast
May 27, 2014, 12:15:57 AM
 #502

Showing a brother he is going the wrong way.

https://bitcointalk.org/index.php?topic=626425.msg6959794#msg6959794

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
genjix
May 27, 2014, 11:08:14 AM
 #503

maaku, the mixers are connected through a p2p protocol so anyone can set one up, however I think the idea (according to Peter Todd) is to use the Bitcoin network as a mixnet.
I don't think we can use ring signatures unless bitcoin adopted ed25519... or am I mistaken?
also it can scale >2 participants, because you do multiple rounds (share outputs, share inputs, give signatures).

cbeast, self-censorship is why threat is so effective. the real people who will adopt our tools won't be yuppie students buying coffee at the bar, it will be new digital black markets & we market to them. the tools go beyond mere payments into governance, markets and new forms of association between humans. the effect is deeper. bitcoin is more than a payments innovation despite what others want to make us believe. I'm not shuffling its massive potential under the carpet through fear of retribution and spending my time making Facebook apps.
justusranvier
May 27, 2014, 11:47:24 AM
 #504

Let's see.

I think dark cryptocurrencies are too powerful a tool for our civilization in its current state. Governments must use whatever means necessary to control its development for the safety and security of law-abiding citizens.

The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
Peter Todd
May 27, 2014, 12:11:42 PM
 #505

genjix: Yup. Scaling works out nicely too because the additional CoinJoin traffic will never be more than a small multiple of the existing transaction traffic, so doing all the CoinJoin communication via global broadcast messages is actually reasonable and efficient enough; gives good privacy for that communication. You can also reuse bitcoin age as a limited resource for anti-dos.

It's not as pretty as more clever crypto, e.g. the zerocash project that I'm also now working with, but has the huge advantage that its flaws are easy to understand and predictable. We want diversity in the level of engineering in the solutions we come up with to solve problems; CoinJoin + zerocash are two totally different approaches, and if one day we can use both we're more likely to actually achieve privacy.

cbeast
May 27, 2014, 07:17:22 PM
 #506

The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
At worst it is an exaggerated analogy. The analogy relates to the newness of the technology. Bitcoin is based in math theory and the technology is accessible to all. Just because we have a technology, does that mean everyone should be allowed to use it? Does that go for any technology? How about drug manufacturing? How about explosives? Should anyone be able to do anything they want without restrictions?

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
genjix
May 27, 2014, 08:12:39 PM
 #507

The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
At worst it is an exaggerated analogy. The analogy relates to the newness of the technology. Bitcoin is based in math theory and the technology is accessible to all. Just because we have a technology, does that mean everyone should be allowed to use it? Does that go for any technology? How about drug manufacturing? How about explosives? Should anyone be able to do anything they want without restrictions?

Your morals are not my morals. Who is the decider? Do you support a free and open internet?
And yes, I definitely would like cheap medicinal knock off drugs flooding into the markets, and more kids playing with explosives and becoming scientists. Maybe you want to arrest people who write virus coding tutorials also?

Your mistake is thinking that compliance curries you special favour... but at the risk of what? There are bigger things at stake here. Bitcoin is not unmovable code and math, it is consensus. It's imperative we develop this technology, strong, resilient and decentralised. Part of my goal is getting people to think and question things they've held as true. I think we can inspire an ideal through symbolic acts of disobedience, inspiring courage in others to stand with us.

As you demonstrated in your post, the threat is real and here. The world has changed and it's time to adapt, survive and thrive. Either that or go extinct the way of the dinosaurs. And you know what? Maybe that threat you saw was more imagined than you realised. And maybe those threats, just maybe they were paper tigers and fears unfounded. We will always be on the right side of history because we are about humanity. Dynamism, love, art, energy, change, passion, reality, risk, colour, soul.

http://cultureandempire.com/

maaku
May 27, 2014, 08:45:49 PM
 #508

Please stay on topic.

@genjix, I think you misunderstood my point about multiple parties. Without blinding or ring signatures or other crypto magic, it is not possible to have multiple participants where the other participants don't know which outputs correspond with which participants (the exception for 2 users is simply that if there is only one other person participating, then obviously whatever outputs are not yours are his, no matter what fancy crypto is used). This is important because CoinJoin is useful for far more than mere mixing. Joint transactions are also the mechanism by which matching donations or crowdfund campaigns can be organized (see Mike Hearn's Lighthouse app), exchange transactions of colored coin assets can be arranged, and various cross-chain atomic trade protocols. Scaling up these applications to multiple participants without loss of privacy is very important.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
genjix
May 27, 2014, 09:54:59 PM
 #509

Please stay on topic.

@genjix, I think you misunderstood my point about multiple parties. Without blinding or ring signatures or other crypto magic, it is not possible to have multiple participants where the other participants don't know which outputs correspond with which participants (the exception for 2 users is simply that if there is only one other person participating, then obviously whatever outputs are not yours are his, no matter what fancy crypto is used). This is important because CoinJoin is useful for far more than mere mixing. Joint transactions are also the mechanism by which matching donations or crowdfund campaigns can be organized (see Mike Hearn's Lighthouse app), exchange transactions of colored coin assets can be arranged, and various cross-chain atomic trade protocols. Scaling up these applications to multiple participants without loss of privacy is very important.

I think it is.

Here's how we did it in the initial CoinJoin implementation we made.

* There's an anonymous chatroom (pre-negotiated shared secret in public room) accessible over Tor.
* Some dudes submit various outputs.
* Some dudes submit various inputs.
* Server replies back with a tx.
* Some dudes submit valid signatures.

We also did it for fixed units.
caedes
May 28, 2014, 10:02:24 AM
 #510

Darkwallet does indeed implement coinjoin, albeit using a centralized matchmaking service to setup the mixes.

Just to clarify, we (darkwallet) don't exactly use a centralized matchmaking service, nor did we do at any point (as I would define it anyways). We did use a centralized matchmaking server in our first proof of concept on this thread.

The current scheme works on top of any chat service, where we initially integrated a simple chat in our lobby and now it's the same lobby but the channels exist in a p2p network of all gateways so clients can connect to any gateway or gateways seed from any other gateway.

You are right otherwise we don't yet use ring or blind signatures at the moment, so restricted to 2 party coinjoins, but the general design is done so we can (more or less) easily implement more complex coinjoin protocols.

cheers!
maaku
May 28, 2014, 12:45:58 PM
 #511

Here's how we did it in the initial CoinJoin implementation we made.

* There's an anonymous chatroom (pre-negotiated shared secret in public room) accessible over Tor.
* Some dudes submit various outputs.
* Some dudes submit various inputs.
* Server replies back with a tx.
* Some dudes submit valid signatures.

If you are not linking outputs to inputs in the submission (say, by signing the request containing the outputs with the keys of the inputs), then you are leaving the protocol vulnerable to very easy to execute denial of service attacks. If you do close that DoS hole by signing the outputs with the inputs, then the server operator at the very least knows the linkages and could log this information.

The solution, as explained in the OP, is blinding: link the inputs to the blinded outputs, and later anonymously reveal the outputs and the unblinded signature from the server. Then the participants know that the output was one of the original blinded outputs (because the server signed it), but they don't know which one. Even in a two-party mix with a facilitating server, the server doesn't know which output belongs to whom. If there is a DoS withholding of a signature at the end, the honest participants can elect to back out and reveal their blinding factors, thereby demonstrating their own linkages and preventing themselves from being DoS banned.

BTW, blinding is super easy to do. Using RSA it's like a half-dozen lines of code.

We also did it for fixed units.

There is absolutely no reason to use fixed units. It adds no anonymity, and increases blockchain traffic.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
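
The blinding flow described in the post above, sketched with textbook RSA as an added example; it is not code from this thread or from any CoinJoin implementation. The toy key (two Mersenne primes), the function names and the sample output strings are constructed for illustration, and a real deployment would need a vetted library, a full-size key and a proper padding scheme.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key built from two Mersenne primes: insecure, illustration only.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent


def digest(output: bytes) -> int:
    """Map an output to an integer below N (no padding scheme in this sketch)."""
    return int.from_bytes(hashlib.sha256(output).digest(), "big") % N


def blind(output: bytes):
    """Participant: hide the output from the server. Returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (digest(output) * pow(r, E, N)) % N, r


def server_sign(blinded: int) -> int:
    """Server: sign a blinded value submitted alongside the signed inputs."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Participant: remove r, leaving the server's signature on the output."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(output: bytes, sig: int) -> bool:
    """Anyone: check that the server signed this revealed output."""
    return pow(sig, E, N) == digest(output)


def run_round(outputs):
    """One mix round. Returns what the server saw and what was revealed later."""
    server_view, revealed = [], []
    for out in outputs:
        blinded, r = blind(out)              # phase 1: linked to the inputs
        blind_sig = server_sign(blinded)
        server_view.append((blinded, blind_sig))
        revealed.append((out, unblind(blind_sig, r)))  # phase 2: anonymous
    secrets.SystemRandom().shuffle(revealed)  # arrival order carries no link
    return server_view, revealed


if __name__ == "__main__":
    seen, shown = run_round([b"constructed-output-A", b"constructed-output-B"])
    print(all(verify(o, s) for o, s in shown))
```

Every revealed output verifies against the server's public key, while the values the server handled in phase 1 match neither the output digests nor the final signatures.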
genjix
May 28, 2014, 01:34:32 PM
 #512

ok thanks for the clarification, makes sense now.
caedes also gave me a similar explanation.
christianlundkvist
May 30, 2014, 12:02:07 AM
 #513

There is absolutely no reason to use fixed units. It adds no anonymity, and increases blockchain traffic.

This surprised me. Surely a transaction with inputs 5,5,5,5 and outputs 5,5,5,5 will have better privacy characteristics than one with inputs 15, 5 and outputs 1,2,3,14?  Or am I misunderstanding what "fixed units" mean?
jeffersonairplane
May 30, 2014, 12:24:52 AM
 #514

Pretty interesting OP. I find the complexity hinders from anonymity.
anti-scam
May 30, 2014, 12:57:39 PM
 #515

The promised update to the original Zerocoin/Zerocash paper (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) has been released and it claims to reduce the size of a Zerocash transaction to under 1 kB and the time to verify a coin's spending transaction to under 6 ms. I have not fully read the paper yet, but am wondering if anyone has investigated these claims and whether or not these improvements would fully remove the barriers that previously prevented the protocol's integration into Bitcoin?

I am posting this here since I assume that there is a reasonable degree of overlap between those interested in Zerocash and those interested in CoinJoin. I apologize if this has already been addressed but I have been away for a while and am trying to catch up. I know that Peter Todd is advising the Zerocash team so I'm sure he has some valuable insight.

maaku
May 30, 2014, 03:18:45 PM
 #516

anti-scam: off-topic. please use the zerocash thread.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Carlton Banks
May 30, 2014, 04:52:53 PM
 #517

anti-scam: off-topic. please use the zerocash thread.

maaku, you do actually have to read the post before making OT admonishments

Vires in numeris
genjix
May 31, 2014, 12:35:53 PM
 #518

The promised update to the original Zerocoin/Zerocash paper (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) has been released and it claims to reduce the size of a Zerocash transaction to under 1 kB and the time to verify a coin's spending transaction to under 6 ms. I have not fully read the paper yet, but am wondering if anyone has investigated these claims and whether or not these improvements would fully remove the barriers that previously prevented the protocol's integration into Bitcoin?

I am posting this here since I assume that there is a reasonable degree of overlap between those interested in Zerocash and those interested in CoinJoin. I apologize if this has already been addressed but I have been away for a while and am trying to catch up. I know that Peter Todd is advising the Zerocash team so I'm sure he has some valuable insight.

It sounds exciting from what I've heard, but it probably won't go into Bitcoin directly. We need to keep Bitcoin's consensus pure and untouched. We don't nearly know enough.
anti-scam
May 31, 2014, 01:11:31 PM
 #519

The promised update to the original Zerocoin/Zerocash paper (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) has been released and it claims to reduce the size of a Zerocash transaction to under 1 kB and the time to verify a coin's spending transaction to under 6 ms. I have not fully read the paper yet, but am wondering if anyone has investigated these claims and whether or not these improvements would fully remove the barriers that previously prevented the protocol's integration into Bitcoin?

I am posting this here since I assume that there is a reasonable degree of overlap between those interested in Zerocash and those interested in CoinJoin. I apologize if this has already been addressed but I have been away for a while and am trying to catch up. I know that Peter Todd is advising the Zerocash team so I'm sure he has some valuable insight.

It sounds exciting from what I've heard, but it probably won't go into Bitcoin directly. We need to keep Bitcoin's consensus pure and untouched. We don't nearly know enough.

I find this response a bit confusing. In what way would Zerocash affect Bitcoin's consensus, assuming a one-to-one conversion rate? As for not knowing nearly enough, the whitepaper is pretty detailed and still seems to make provisions for including the protocol directly into Bitcoin. I don't mean to be argumentative, but I consider truly anonymous payments to be a "killer feature" that could very negatively affect Bitcoin's value if it lags behind. Of course there's no rush but it would seem prudent to me to start collecting a bounty.

Michael_S
May 31, 2014, 03:24:50 PM
 #520

Hope that this thread is appropriate:

I think the wide perception that CoinJoin (or DarkCoin) as such brings full anonymity is wrong.

I tried to write an educational memo to illustrate why only using CoinJoin (or DarkCoin) does not yet guarantee anonymity.

You can find it here: http://de.scribd.com/doc/227369807
