Bitcoin Forum
Author Topic: CoinJoin: Bitcoin privacy for the real world  (Read 291287 times)
Peter Todd
Legendary
*
expert
Offline Offline

Activity: 1106
Merit: 1015


View Profile
May 27, 2014, 12:11:42 PM
 #501

genjix: Yup. Scaling works out nicely too because the additional CoinJoin traffic will never be more than a small multiple of the existing transaction traffic, so doing all the CoinJoin communication via global broadcast messages is actually reasonable and efficient enough; gives good privacy for that communication. You can also reuse bitcoin age as a limited resource for anti-dos.

It's not as pretty as more clever crypto, e.g. the zerocash project that I'm also now working with, but has the huge advantage that its flaws are easy to understand and predictable. We want diversity in the level of engineering in the solutions we come up with to solve problems; CoinJoin + zerocash are two totally different approaches, and if one day we can use both we're more likely to actually achieve privacy.

cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1002

Let's talk governance, lipstick, and pigs.


View Profile
May 27, 2014, 07:17:22 PM
 #502

The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
At worst it is an exaggerated analogy. The analogy relates to the newness of the technology. Bitcoin is based in math theory and the technology is accessible to all. Just because we have a technology, does that mean everyone should be allowed to use it? Does that go for any technology? How about drug manufacturing? How about explosives? Should anyone be able to do anything they want without restrictions?

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
genjix
Legendary
*
expert
Offline Offline

Activity: 1232
Merit: 1000


View Profile
May 27, 2014, 08:12:39 PM
Last edit: May 27, 2014, 08:32:43 PM by genjix
 #503

The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
At worst it is an exaggerated analogy. The analogy relates to the newness of the technology. Bitcoin is based in math theory and the technology is accessible to all. Just because we have a technology, does that mean everyone should be allowed to use it? Does that go for any technology? How about drug manufacturing? How about explosives? Should anyone be able to do anything they want without restrictions?

Your morals are not my morals. Who is the decider? Do you support a free and open internet?
And yes, I definitely would like cheap medicinal knock off drugs flooding into the markets, and more kids playing with explosives and becoming scientists. Maybe you want to arrest people who write virus coding tutorials also?

Your mistake is thinking that compliance buys curries you special favour... but at the risk of what? There are bigger things at stake here. Bitcoin is not unmovable code and math, it is consensus. It's imperative we develop this technology, strong, resilient and decentralised. Part of my goal is getting people to think and question things they've held as true. I think we can inspire an ideal through symbolic acts of disobedience, inspiring courage in others to stand with us.

As you demonstrated in your post, the threat is real and here. The world has changed and it's time to adapt, survive and thrive. Either that or go extinct the way of the dinosaurs. And you know what? Maybe that threat you saw was more imagined than you realised. And maybe those threats, just maybe they were paper tigers and fears unfounded. We will always be on the right side of history because we are about humanity. Dynamism, love, art, energy, change, passion, reality, risk, colour, soul.

http://cultureandempire.com/

maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1001


View Profile
May 27, 2014, 08:45:49 PM
 #504

Please stay on topic.

@genjix, I think you misunderstood my point about multiple parties. Without blinding or ring signatures or other crypto magic, it is not possible to have multiple participants where the other participants don't know which outputs correspond with which participants (the exception for 2 users is simply that if there is only one other person participating, then obviously whatever outputs are not yours are his, no matter what fancy crypto is used). This is important because CoinJoin is useful for far more than mere mixing. Joint transactions are also the mechanism by which matching donations or crowdfund campaigns can be organized (see Mike Hearn's Lighthouse app), exchange transactions of colored coin assets can be arranged, and various cross-chain atomic trade protocols. Scaling up these applications to multiple participants without loss of privacy is very important.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
genjix
Legendary
*
expert
Offline Offline

Activity: 1232
Merit: 1000


View Profile
May 27, 2014, 09:54:59 PM
 #505

Please stay on topic.

@genjix, I think you misunderstood my point about multiple parties. Without blinding or ring signatures or other crypto magic, it is not possible to have multiple participants where the other participants don't know which outputs correspond with which participants (the exception for 2 users is simply that if there is only one other person participating, then obviously whatever outputs are not yours are his, no matter what fancy crypto is used). This is important because CoinJoin is useful for far more than mere mixing. Joint transactions are also the mechanism by which matching donations or crowdfund campaigns can be organized (see Mike Hearn's Lighthouse app), exchange transactions of colored coin assets can be arranged, and various cross-chain atomic trade protocols. Scaling up these applications to multiple participants without loss of privacy is very important.

I think it is.

Here's how we did it in the initial CoinJoin implementation we made.

* There's an anonymous chatroom (pre-negotiated shared secret in public room) accessible over Tor.
* Some dudes submit various outputs.
* Some dudes submit various inputs.
* Server replies back with a tx.
* Some dudes submit valid signatures.

We also did it for fixed units.
caedes
Newbie
*
Offline Offline

Activity: 44
Merit: 0


View Profile
May 28, 2014, 10:02:24 AM
 #506

Darkwallet does indeed implement coinjoin, albeit using a centralized matchmaking service to setup the mixes.

Just to clarify, we (darkwallet) don't exactly use a centralized matchmaking service, nor did we do at any point (as I would define it anyways). We did use a centralized matchmaking server in our first proof of concept on this thread.

The current scheme works on top of any chat service, where we initially integrated a simple chat in our lobby and now it's the same lobby but the channels exist in a p2p network of all gateways so clients can connect to any gateway or gateways seed from any other gateway.

You are right otherwise we don't yet use ring or blind signatures at the moment, so restricted to 2 party coinjoins, but the general design is done so we can (more or less) easily implement more complex coinjoin protocols.

cheers!
maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1001


View Profile
May 28, 2014, 12:45:58 PM
 #507

Here's how we did it in the initial CoinJoin implementation we made.

* There's an anonymous chatroom (pre-negotiated shared secret in public room) accessible over Tor.
* Some dudes submit various outputs.
* Some dudes submit various inputs.
* Server replies back with a tx.
* Some dudes submit valid signatures.

If you are not linking outputs to inputs in the submission (say, by signing the request containing the outputs with the keys of the inputs), then you are leaving the protocol vulnerable to very easy to execute denial of service attacks. If you do close that DoS hole by signing the outputs with the inputs, then the server operator at the very least knows the linkages and could log this information.

The solution, as explained in the OP, is blinding: link the inputs to the blinded outputs, and later anonymously reveal the outputs and the unblinded signature from the server. Then the participants know that the output was one of the original blinded outputs (because the server signed it), but they don't know which one. Even in a two-party mix with a facilitating server, the server doesn't know which output belongs to whom. If there is a DoS withholding of a signature at the end, the honest participants can elect to back out and reveal their blinding factors, thereby demonstrating their own linkages and preventing themselves from being DoS banned.

BTW, blinding is super easy to do. Using RSA it's like a half-dozen lines of code.

We also did it for fixed units.

There is absolutely no reason to use fixed units. It adds no anonymity, and increases blockchain traffic.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
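
The blinding flow described in the post above, as an added example (not code from the thread or from any CoinJoin implementation): textbook RSA blind signatures, including the fallback where a participant reveals a blinding factor to show their own linkage. The toy key, the input/output labels and all function names are constructed for illustration; real use needs a properly generated key and a vetted blind-signature scheme.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy server key built from two Mersenne primes: fine for a
# dependency-free demo, far too small and structured for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent

def h(output: bytes) -> int:
    """Map an output (address/script bytes) to an integer mod N."""
    return int.from_bytes(hashlib.sha256(output).digest(), "big") % N

def blind(output: bytes):
    """Participant: hide the output from the server. Returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(output) * pow(r, E, N)) % N, r

def server_sign(blinded: int) -> int:
    """Server: sign the blinded value submitted together with an input."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Participant: remove r, leaving the server's signature on h(output)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(output: bytes, sig: int) -> bool:
    """Anyone: confirm the server signed this output in some request."""
    return pow(sig, E, N) == h(output)

def prove_linkage(output: bytes, r: int, blinded_on_record: int) -> bool:
    """Stalled mix: revealing r shows which blinded request was yours."""
    return (h(output) * pow(r, E, N)) % N == blinded_on_record

def run_mix() -> dict:
    # Constructed placeholders for two participants' inputs and outputs.
    wallets = {"input-A": b"output-addr-1", "input-B": b"output-addr-2"}
    server_log, kept = {}, {}
    # Phase 1, identified: blinded output is tied to an input and signed.
    for inp, out in wallets.items():
        blinded, r = blind(out)
        server_log[inp] = blinded
        kept[inp] = (out, r, server_sign(blinded))
    # Phase 2, anonymous channel: outputs arrive with unblinded signatures.
    revealed = [(out, unblind(sig, r)) for out, r, sig in kept.values()]
    out_a, r_a, _ = kept["input-A"]
    return {
        "accepted": [out for out, sig in revealed if verify(out, sig)],
        # A signature does not transfer to an output the server never signed.
        "forged_accepted": verify(b"unsigned-addr", revealed[0][1]),
        # The phase-1 log holds only blinded values, never h(output).
        "server_saw_outputs": any(h(o) in server_log.values() for o, _ in revealed),
        # Fallback: A reveals r to show its own input/output link.
        "linkage_proven": prove_linkage(out_a, r_a, server_log["input-A"]),
    }

if __name__ == "__main__":
    print(run_mix())
```

The server's phase-1 log maps each input to a blinded value only, so the outputs accepted in phase 2 cannot be matched back to inputs unless a participant chooses to reveal `r`.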
genjix
Legendary
*
expert
Offline Offline

Activity: 1232
Merit: 1000


View Profile
May 28, 2014, 01:34:32 PM
 #508

ok thanks for the clarification, makes sense now.
caedes also gave me a similar explanation.
christianlundkvist
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile
May 30, 2014, 12:02:07 AM
 #509

There is absolutely no reason to use fixed units. It adds no anonymity, and increases blockchain traffic.

This surprised me. Surely a transaction with inputs 5,5,5,5 and outputs 5,5,5,5 will have better privacy characteristics than one with inputs 15, 5 and outputs 1,2,3,14?  Or am I misunderstanding what "fixed units" mean?
jeffersonairplane
Legendary
*
Offline Offline

Activity: 1509
Merit: 1000


www.bitkong.com


View Profile
May 30, 2014, 12:24:52 AM
 #510

Pretty interesting OP. I find the complexity hinders from anonymity.
anti-scam
Sr. Member
****
Offline Offline

Activity: 476
Merit: 251


COINECT


View Profile
May 30, 2014, 12:57:39 PM
 #511

The promised update to the original Zerocoin/Zerocash paper (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) has been released and it claims to reduce the size of a Zerocash transaction to under 1 kB and the time to verify a coin's spending transaction to under 6 ms. I have not fully read the paper yet, but am wondering if anyone has investigated these claims and whether or not these improvements would fully remove the barriers that previously prevented the protocol's integration into Bitcoin?

I am posting this here since I assume that there is a reasonable degree of overlap between those interested in Zerocash and those interested in CoinJoin. I apologize if this has already been addressed but I have been away for a while and am trying to catch up. I know that Peter Todd is advising the Zerocash team so I'm sure he has some valuable insight.

maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1001


View Profile
May 30, 2014, 03:18:45 PM
 #512

anti-scam: off-topic. please use the zerocash thread.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Carlton Banks
Legendary
*
Offline Offline

Activity: 2548
Merit: 2052



View Profile
May 30, 2014, 04:52:53 PM
 #513

anti-scam: off-topic. please use the zerocash thread.

maaku, you do actually have to read the post before making OT admonishments

Vires in numeris
genjix
Legendary
*
expert
Offline Offline

Activity: 1232
Merit: 1000


View Profile
May 31, 2014, 12:35:53 PM
 #514

The promised update to the original Zerocoin/Zerocash paper (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) has been released and it claims to reduce the size of a Zerocash transaction to under 1 kB and the time to verify a coin's spending transaction to under 6 ms. I have not fully read the paper yet, but am wondering if anyone has investigated these claims and whether or not these improvements would fully remove the barriers that previously prevented the protocol's integration into Bitcoin?

I am posting this here since I assume that there is a reasonable degree of overlap between those interested in Zerocash and those interested in CoinJoin. I apologize if this has already been addressed but I have been away for a while and am trying to catch up. I know that Peter Todd is advising the Zerocash team so I'm sure he has some valuable insight.

It sounds exciting from what I've heard, but it probably won't go into Bitcoin directly. We need to keep Bitcoin's consensus pure and untouched. We don't nearly know enough.
anti-scam
Sr. Member
****
Offline Offline

Activity: 476
Merit: 251


COINECT


View Profile
May 31, 2014, 01:11:31 PM
 #515

The promised update to the original Zerocoin/Zerocash paper (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) has been released and it claims to reduce the size of a Zerocash transaction to under 1 kB and the time to verify a coin's spending transaction to under 6 ms. I have not fully read the paper yet, but am wondering if anyone has investigated these claims and whether or not these improvements would fully remove the barriers that previously prevented the protocol's integration into Bitcoin?

I am posting this here since I assume that there is a reasonable degree of overlap between those interested in Zerocash and those interested in CoinJoin. I apologize if this has already been addressed but I have been away for a while and am trying to catch up. I know that Peter Todd is advising the Zerocash team so I'm sure he has some valuable insight.

It sounds exciting from what I've heard, but it probably won't go into Bitcoin directly. We need to keep Bitcoin's consensus pure and untouched. We don't nearly know enough.

I find this response a bit confusing. In what way would Zerocash affect Bitcoin's consensus, assuming a one-to-one conversion rate? As for not knowing nearly enough, the whitepaper is pretty detailed and still seems to make provisions for including the protocol directly into Bitcoin. I don't mean to be argumentative, but I consider truly anonymous payments to be a "killer feature" that could very negatively affect Bitcoin's value if it lags behind. Of course there's no rush but it would seem prudent to me to start collecting a bounty.

Michael_S
Sr. Member
****
Offline Offline

Activity: 278
Merit: 250


Bitcoin-Note-and-Voucher-Printing-Empowerer


View Profile
May 31, 2014, 03:24:50 PM
 #516

Hope that this thread is appropriate:

I think the wide perception that CoinJoin (or DarkCoin) as such brings full anonymity is wrong.

I tried to write an educational memo to illustrate why only using CoinJoin (or DarkCoin) does not yet guarantee anonymity.

You can find it here: http://de.scribd.com/doc/227369807

maaku
Legendary
*
expert
Offline Offline

Activity: 905
Merit: 1001


View Profile
May 31, 2014, 03:31:04 PM
 #517

maaku, you do actually have to read the post before making OT admonishments

He was asking about Zerocash. Zerocash has nothing to do with CoinJoin, and has its own thread. I'd be happy to discuss it there. In very short summary: Zerocash is not and never has been considered for inclusion on the bitcoin block chain. When the author references bitcoin he means the bitcoin protocol generally.

@Michael_S the point is that you do multiple mixes, as well as opportunistic mixes each time you transact. Each mix increases the anonymity set. No one is claiming perfect anonymity a la Zerocash.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
genjix
Legendary
*
expert
Offline Offline

Activity: 1232
Merit: 1000


View Profile
May 31, 2014, 03:36:52 PM
 #518

yep that's how ZeroCash and CoinJoin could work together. Both are pretty cool systems.

CoinJoin would be for your day to day payments.

ZeroCash would be for anonymising your savings.

(I'm just projecting here don't know full details) It seems like their plan is to build a layer on top of Bitcoin like how MasterCoin works. And that the ZC ledger tracks the Bitcoin one so you can convert to and from the ZC system. That's really exciting if so.
dewdeded
Legendary
*
Offline Offline

Activity: 1218
Merit: 1011


Monero Evangelist


View Profile WWW
May 31, 2014, 04:41:28 PM
 #519

AFAIK ZeroCash needs a trusted accumulator. So it's just a science prototype and won't become a cryptocurrency, no one will use a cryptocurrency where:

- if an NSA agent contributed to the "trusted setup" there will be no privacy
or
- if a Mark Karpeles guy contributed to the "trusted setup" he can generate/create more coins than announced (as his crime would be invisible in the block chain)



Why use technologies based on trust, when we have trustless ones. Satoshi created Bitcoin specifically with the idea/key feature of not depending on trusting a third party.



Carlton Banks
Legendary
*
Offline Offline

Activity: 2548
Merit: 2052



View Profile
May 31, 2014, 08:09:02 PM
 #520

maaku, you do actually have to read the post before making OT admonishments

He was asking about Zerocash. Zerocash has nothing to do with CoinJoin, and has its own thread. I'd be happy to discuss it there. In very short summary: Zerocash is not and never has been considered for inclusion on the bitcoin block chain. When the author references bitcoin he means the bitcoin protocol generally.

@Michael_S the point is that you do multiple mixes, as well as opportunistic mixes each time you transact. Each mix increases the anonymity set. No one is claiming perfect anonymity a la Zerocash.

Surely a discussion about the way new developments in the Zerocash project relate to Coinjoin actually belongs in its own exclusive thread, no? Technically, I mean.

Vires in numeris