Bitcoin Forum
Author Topic: CoinJoin: Bitcoin privacy for the real world  (Read 257006 times)
evanito
August 22, 2014, 03:06:13 AM
 #581

This is cool to know, but I speculate that the average user wouldn't want this functionality. Of course those with security concerns or those trying to hide coins would absolutely love this service.

Rassah
August 22, 2014, 05:53:27 AM
 #582

This is cool to know, but I speculate that the average user wouldn't want this functionality. Of course those with security concerns or those trying to hide coins would absolutely love this service.

That's why some wallet makers will be implementing this as the default transaction method. Average users won't even know they are doing it.

dillpicklechips
September 07, 2014, 09:20:52 PM
 #583

Cross posting a coinjoin conversation:

As part of ongoing efforts of the Monero Project, a small program has been generated that allows you to do 1-of-N ring signatures using a secp256k1 keypair and a keyring of public keys. The program signs both binaries and text files.

https://github.com/monero-project/urs

To build and install, use this command after installation of Go:
Code:
go get -u -v github.com/monero-project/urs/...

According to the paper, unique ring signatures are anonymous except in the case of signing the same message multiple times (in which case X and Y in the signature appear to be the same).

http://csiflabs.cs.ucdavis.edu/~hbzhang/romring.pdf

A potential usage might be to sign gitian asserts from a trusted keyring anonymously that contains well known members of the Bitcoin project. Another usage would be for members of a trusted community of Bitcoin users to anonymously vote for some proposal by signing it separately and publishing their signatures.

Thanks to Hein Meling for the initial URS implementation, Conformal Systems for their immensely useful libraries, and gmaxwell for inspiration.

Another interesting use could be a type of ring signature coinjoin? A group gets together and determines the inputs. The ring signatures are used for each person to pick their outputs and can even have multiple outputs of different values. Once the group has enough messages specifying the output addresses the coinjoin transaction is created and signed. If any party of the group cheats the output values will total to be too high and the transaction is discarded.

This is a good idea. In the original coinjoin thread gmaxwell described a blinding scheme wherein users would initially provide their outputs in blinded form, have them blindsigned by the central server (or the "leader" node in a p2p setup) (or all participating parties, which is bandwidth-heavy), then reconnect anonymously to unblind them. For a p2p setup this means that somebody has to produce the blind signatures: either a leader must be selected, which adds complexity to the protocol, or every party signs every output, which leads to O(n^2) scaling.

With a ring signature on the other hand, each party would anonymously sign only their own outputs -- all nodes participate equally, with O(n) signatures. (Of course, the ring signatures are O(n) in size, so you might say this is still O(n^2) scaling. But since every signature uses the same keyring, this doesn't need to be passed around. Just the signature itself plus a blinding factor Q (one per signature, no need to use different ones per key in this case) as described in an earlier post.)



dillpicklechips
October 01, 2014, 03:35:53 PM
 #584

Some links from reddit.

https://www.youtube.com/watch?v=YDGUUtDqNV0
Coinshuffle: Trustless, Peer-to-Peer Bitcoin Mixing


Links:
Demos
http://shuffle.devbtc.com
http://simulator.devbtc.com
Github
https://github.com/bryanvu/coinshuffle-server
https://github.com/bryanvu/coinshuffle-sim
https://github.com/bryanvu/bitcoinjslib-wallet



Trader Steve
October 01, 2014, 06:13:27 PM
 #585


I cannot code but I would love to see this project develop. If anybody wants to develop a wallet I'm sure there are many people like myself that would donate to help make it happen.
Trader Steve
October 01, 2014, 10:32:47 PM
 #586

FYI, Mycelium's development roadmap is

1) Implement HD wallets (about 95%+ done, and works fine in testnet Dev build, but still need to update LocalTrader and other minor things to work with it)
2) Move the entire infrastructure to Tor, meaning our nodes will be run as hidden servers, only accessible through Tor, and Mycelium Wallet will have Tor built in (hopefully this won't cause problems in blocked countries, like China or Iran)
3) Implement CoinJoin, using our nodes that are used for address lookup and broadcasts, to collect and broadcast mixing requests. Likely enable this as a default feature. We'll have to figure out if we'll need to follow the DarkWallet model of letting some users leave their coins to mix, or if we have enough transaction volume to do it on the fly. Maybe we'll even link with DarkWallet servers, and use the people looking to mix there.

Fantastic!
dillpicklechips
October 03, 2014, 03:47:52 AM
 #587

For CoinShuffle:
Are denominations best? I'm just wondering if each user specified multiple output addresses in separate encrypted containers would the amounts provide some type of clue to the originator?

I'm thinking of CoinShuffle while doing payments. If an item costs 1.2 btc then the wallet could do a CoinShuffle for 2 btc sending one output to the actual payment and the change to an address they control.



belcher
October 30, 2014, 05:34:50 PM
 #588

I posted this relevant text to the darkwallet mailing list.

Summary:
One party waits for a mix (by enabling mixing on a pocket). Another wants to mix on demand.

Allow waiting party to specify a mixing fee that will be paid to its change address by the other side.

I suggest this will create a mixing market and increase mixing volume.


----------------------------------------------------------


A proposal for an improvement to darkwallet's coinjoin system.

Darkwallet's coinjoin works with two parties. One party will wait around with bitcoins they wish to mix. Another party will connect with them whenever they want to do a transaction and the two parties will do a coinjoin. By analogy with exchange matching engines, I will call the first party the coinjoin maker and the second the coinjoin taker.

The idea is that there will be people acting as makers who will slowly mix their coins for the benefit of the takers who want to immediately mix.

Here is an example of a darkwallet coinjoin transaction
https://blockchain.info/tx/c38aac9910f327700e0f199972eed8ea7c6b1920e965f9cb48a92973e7325046

As you can see, the change addresses can be linked with the inputs but the address with outputs of 0.01btc cannot be linked. Mixing is achieved.
The maker/taker model solves the problem of having to wait around for someone who wants to coinjoin exactly the same amount as you.

There are a few small problems with this. I will propose an improvement.

First, the only people motivated enough to mix will be people who already desire privacy. So, for the example of someone wanting to privately buy contraception and hide the fact from their parents, mixing may result in their coins being mixed with drug money. It is easy to imagine this ecosystem being split between 'clean' coins mostly owned by investors and 'dirty' coins owned by 'undesirables' of society. It's easy to imagine a blacklist system being made in which these two groups are separated and cannot cross the barrier of blacklists, which would be highly damaging to bitcoin fungibility.

Secondly, there is little incentive to act as a coinjoin maker when you could just be a coinjoin taker and get your mixing done without any waiting.

Thirdly, a small number of coinjoin makers leaves open the possibility of three-letter agencies offering coinjoin making, and using that role to deanonymize darkwallet coinjoins.

Proposal: Pay the coinjoin makers. They will put up offers to do coinjoin along with a fee they ask. The coinjoin transaction would be built up in a similar way to the above example, with the coinjoin maker fee being added to the associated change address and taken away from the coinjoin taker's change address.

An implication of this is that darkwallet coinjoin mixing will become like an almost-riskless savings account. We already see that holders of bitcoin are willing to earn just 0.006% per day by lending btc on the bitfinex exchange, and that contains a substantial risk that bitfinex will disappear or be hacked, taking all the bitcoins with it.
Darkwallet coinjoin with a maker's fees would be far less risky, the bitcoin private keys would never leave the owner's computer. This would likely result in investors pouring in. The huge relative supply of bitcoins along with the drought of other worthy bitcoin investments is likely to drive down the fees of mixing as the investors bid each other down.

The coinjoin takers will have access to tens of thousands of clean, untainted bitcoins to mix with at a very low price. The makers will have access to a very low risk investment for their bitcoins. Bitcoin fungibility as a whole will benefit because the entire economy and flow of money will be more interrelated, making blacklists completely unfeasible. The market for coinjoin makers may end up so deep and liquid that three-party or even four-party coinjoins may become manageable to organise.


~Belcher
PGP fingerprint: 0A8B 038F 5E10 CC27 89BF  CFFF EF73 4EA6 77F3 1129

1HZBd22eQLgbwxjwbCtSjhoPFWxQg8rBd9
JoinMarket - CoinJoin that people will actually use.
PGP fingerprint: 0A8B 038F 5E10 CC27 89BF CFFF EF73 4EA6 77F3 1129
2586
October 30, 2014, 05:55:42 PM
 #589

Proposal: Pay the coinjoin makers. They will put up offers to do coinjoin along with a fee they ask. The coinjoin transaction would be built up in a similar way to the above example, with the coinjoin maker fee being added to the associated change address and taken away from the coinjoin taker's change address.

Doesn't seem like a terrible idea. I do wonder though, could this potentially compromise the privacy of coinjoin makers based on the unique fee amounts that they charge? If I'm charging 0.5773% per transaction, that might make it easy to identify which transactions I'm involved in. Or does this not matter?

If it does, perhaps some sort of fee standardization or fuzzing should be included. Makers could be required to choose a specific fee tier (1%, 0.5%, 0.1%, 0.05%, etc). Alternatively, makers could choose a range in which to make offers (such as 0.1%-0.9%), and randomly change their offer every time their offer is taken or every 10 minutes that it sits untaken.

cascadebot: A simple (but effective) lending bot for Bitfinex
laurentmt
October 30, 2014, 06:22:48 PM
 #590

I like this idea.

Providing a financial incentive seems a good way to increase adoption of privacy tools and transform dormant bitcoins into active money.

Moreover, some coinjoin txs (like the example in your post) provide a low entropy and it's really easy to link outputs.
By transferring a fee from taker to maker, the tx becomes more similar to a regular tx in terms of entropy and you can't link outputs with 100% certainty.
The "downside" is that these txs still have a specific signature (#outputs >=4) different from the most usual txs (#outputs = 2).

Just a detail: Don't think your proposal will "solve" the third point from your post. Having more makers is nice but it won't remove attackers. And some could argue that your proposal will just help to fund them ;)
belcher
October 30, 2014, 07:07:30 PM
 #591

I do wonder though, could this potentially compromise the privacy of coinjoin makers based on the unique fee amounts that they charge? If I'm charging 0.5773% per transaction, that might make it easy to identify which transactions I'm involved in. Or does this not matter?

An individual maker's fees won't be too different from anyone else because of market forces. There will surely be many many people offering to make coinjoin at almost exactly the same fee.

But you're right that coinjoin doesn't hide the fact that coinjoin is taking place. In the posted example (tx hash: c38aac9...) we know it's a coinjoin but have no idea which 0.01btc output belongs to whom.



Moreover, some coinjoin txs (like the example in your post) provide a low entropy and it's really easy to link outputs.
By transferring a fee from taker to maker, the tx becomes more similar to a regular tx in terms of entropy and you can't link outputs with 100% certainty.
The "downside" is that these txs still have a specific signature (#outputs >=4) different from the most usual txs (#outputs = 2).

Yep, it's inherent in coinjoin that you can't hide easily the fact that a coinjoin took place.
Individual outputs are still mixed though.

Just a detail: Don't think your proposal will "solve" the third point from your post. Having more makers is nice but it won't remove attackers. And some could argue that your proposal will just help to fund them ;)

I never said it would :)
(Maybe implied it)

It's similar to the situation with tor nodes. More honest nodes make it harder for the NSA.

HostFat
October 31, 2014, 12:16:42 AM
 #592

It's a very good idea, I like it :)

Maybe this idea can be even used to give more funds to the DarkWallet team.

Eternity Wall: Messages lasting forever - The Rock Trading (ref): A good exchange / gateway Ripple, with support for multisig, since 2007. 
https://bitcointa.lk: Bitcointalk backup if offline - Bitcoin Foundation Italia - Blog: http://theupwind.blogspot.it
little tiger
October 31, 2014, 03:59:14 AM
 #593

it's a cool idea, but is there any simpler way to maintain the btc privacy?
molecular
October 31, 2014, 05:09:40 AM
 #594

here's an idea by belcher@irc regarding coinjoin implementation in darkwallet:

A proposal for an improvement to darkwallet's coinjoin system.
 
Darkwallet's coinjoin works with two parties. One party will wait around with bitcoins they wish to mix. Another party will connect with them whenever they want to do a transaction and the two parties will do a coinjoin. By analogy with exchange matching engines, I will call the first party the coinjoin maker and the second the coinjoin taker.
 
The idea is that there will be people acting as makers who will slowly mix their coins for the benefit of the takers who want to immediately mix.
 
Here is an example of a darkwallet coinjoin transaction
https://blockchain.info/tx/c38aac9910f327700e0f199972eed8ea7c6b1920e965f9cb48a92973e7325046
 
As you can see, the change addresses can be linked with the inputs but the address with outputs of 0.01btc cannot be linked. Mixing is achieved.
The maker/taker model solves the problem of having to wait around for someone who wants to coinjoin exactly the same amount as you.
 
There are a few small problems with this. I will propose an improvement.
 
First, the only people motivated enough to mix will be people who already desire privacy. So, for the example of someone wanting to privately buy contraception and hide the fact from their parents, mixing may result in their coins being mixed with drug money. It is easy to imagine this ecosystem being split between 'clean' coins mostly owned by investors and 'dirty' coins owned by 'undesirables' of society. It's easy to imagine a blacklist system being made in which these two groups are separated and cannot cross the barrier of blacklists, which would be highly damaging to bitcoin fungibility.
 
Secondly, there is little incentive to act as a coinjoin maker when you could just be a coinjoin taker and get your mixing done without any waiting.
 
Thirdly, a small number of coinjoin makers leaves open the possibility of three-letter agencies offering coinjoin making, and using that role to deanonymize darkwallet coinjoins.
 
Proposal: Pay the coinjoin makers. They will put up offers to do coinjoin along with a fee they ask. The coinjoin transaction would be built up in a similar way to the above example, with the coinjoin maker fee being added to the associated change address and taken away from the coinjoin taker's change address.
 
An implication of this is that darkwallet coinjoin mixing will become like an almost-riskless savings account. We already see that holders of bitcoin are willing to earn just 0.006% per day by lending btc on the bitfinex exchange, and that contains a substantial risk that bitfinex will disappear or be hacked, taking all the bitcoins with it.
Darkwallet coinjoin with a maker's fees would be far less risky, the bitcoin private keys would never leave the owner's computer. This would likely result in investors pouring in. The huge relative supply of bitcoins along with the drought of other worthy bitcoin investments is likely to drive down the fees of mixing as the investors bid each other down.
 
The coinjoin takers will have access to tens of thousands of clean, untainted bitcoins to mix with at a very low price. The makers will have access to a very low risk investment for their bitcoins. Bitcoin fungibility as a whole will benefit because the entire economy and flow of money will be more interrelated, making blacklists completely unfeasible. The market for coinjoin makers may end up so deep and liquid that three-party or even four-party coinjoins may become manageable to organise.
 
 
~Belcher
PGP fingerprint: 0A8B 038F 5E10 CC27 89BF  CFFF EF73 4EA6 77F3 1129
 
 
some notes on the darkwallet example transactions
 
INPUTS
1FDCg = 0.0067
1FAkh = 0.0056
total = 0.0123
 
OUTPUTS
1MUZn = 0.001   total = 0.0062 => fee = 0.0005
1231P = 0.0052
1Fufj = 0.001   total = 0.0055 => fee = 0.0001
1iYSY = 0.0045
total = 0.0117
 
fee = 0.0006
 
so we can see the 1FDCg input address has the same owner as 1231P
 and that 1FAkh is owned by the same person as 1iYSY
 but can't tell from this tx which of those owns 1MUZn or 1Fufj
 
so we can see the owner of 1FDCg address paid 0.0005 for the miner fee
 while 1FAkh only paid 0.0001

it's mainly about incentivizing people to offer to be a coinjoin mixing partner by creating a market for this with a fee takers would pay.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
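
The hand analysis in the notes above can be reproduced by brute force. This is an added example, not code from any poster or from darkwallet: it enumerates which input owner could hold each output, using the figures from the notes converted to satoshis. Assumptions: each input address is one participant, and `one_mixed_each` and `max_maker_fee` are hypothetical parameters, the latter modelling the proposed maker fee paid inside the transaction.

```python
from itertools import product

# Figures from the notes above, in satoshis (1 BTC = 100,000,000 satoshis).
# Address prefixes are abbreviated exactly as in the notes.
INPUTS = {"1FDCg": 670_000, "1FAkh": 560_000}
OUTPUTS = {"1MUZn": 100_000, "1231P": 520_000,
           "1Fufj": 100_000, "1iYSY": 450_000}


def mixed_denomination(outputs):
    """Return the single output value that occurs more than once."""
    values = list(outputs.values())
    repeated = {v for v in values if values.count(v) > 1}
    if len(repeated) != 1:
        raise ValueError("expected exactly one repeated output value")
    return repeated.pop()


def interpretations(inputs, outputs, one_mixed_each=True, max_maker_fee=0):
    """List every assignment of outputs to input owners an observer cannot rule out.

    An assignment is kept when each owner's net contribution
    (input value minus the outputs assigned to them) is at least
    -max_maker_fee, i.e. nobody takes out more than they put in unless a
    maker fee of up to max_maker_fee may have been paid to them.
    With one_mixed_each=True (assumption: the two-party layout described
    in the thread) every owner must also hold exactly one output of the
    repeated, mixed denomination.
    Returns a list of (assignment, net_contribution) pairs.
    """
    owners, names = list(inputs), list(outputs)
    denom = mixed_denomination(outputs) if one_mixed_each else None
    found = []
    for choice in product(owners, repeat=len(names)):
        assignment = dict(zip(names, choice))
        net = {}
        for owner in owners:
            mine = [n for n in names if assignment[n] == owner]
            net[owner] = inputs[owner] - sum(outputs[n] for n in mine)
            mixed = sum(1 for n in mine if outputs[n] == denom)
            if net[owner] < -max_maker_fee or (one_mixed_each and mixed != 1):
                break  # this owner makes the assignment impossible
        else:
            found.append((assignment, net))
    return found


def possible_owners(inputs, outputs, **options):
    """Map each output to the set of owners it has in some interpretation.

    A set of size one means the output is linked to that input with
    certainty; a larger set means the observer cannot decide.
    """
    result = {name: set() for name in outputs}
    for assignment, _ in interpretations(inputs, outputs, **options):
        for name, owner in assignment.items():
            result[name].add(owner)
    return result


if __name__ == "__main__":
    for label, options in [
        ("no maker fee", {}),
        ("maker fee up to 60,000 sat", {"max_maker_fee": 60_000}),
    ]:
        print(label, "-", len(interpretations(INPUTS, OUTPUTS, **options)),
              "interpretation(s)")
        for name, owners in possible_owners(INPUTS, OUTPUTS, **options).items():
            status = "linked to " + next(iter(owners)) if len(owners) == 1 \
                else "ambiguous"
            print(f"  {name}: {status}")
```

With the defaults there are two interpretations and only the two 0.001 outputs are ambiguous, matching the notes; allowing for a maker fee of up to 60,000 satoshis gives four, and the change outputs can no longer be attributed with certainty.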
2586
October 31, 2014, 05:47:16 AM
 #595

You're late to the party, molecular. :)

Another idea: Instead of or in addition to specifying a max fee they're willing to pay, takers could specify an amount of time that they're willing to wait, and their wallet would pick a max fee based on that (similar to the new dynamic transaction fees in bitcoin-qt).

If a taker specifies a max fee of zero, in addition to looking for a zero-fee maker to pair with, their wallet should also look for other takers with similar transaction sizes to pair them with. Senders could even specify that they want to receive a fee rather than paying one, effectively turning them into makers as well, except that they want to send bitcoins in the process, rather than just idly mixing their funds.

These options do increase the complexity of the pairing algorithm, but would allow for a wider variety of preferences to be expressed on the mixing market. Incentivizing idle-mixing is a great idea, but we don't want to discourage send-mixing just because all the idle-mixers start expecting payment for it.

HostFat
October 31, 2014, 01:20:00 PM
 #596

As it seems that just-mined-bitcoins have a higher value on privacy, it would be cool to have something that shows this to the end user.
Something that shows that some "offers" are better than others.

laurentmt
October 31, 2014, 01:29:32 PM
 #597

@belcher:
The idea surely requires some more thoughts (potential incentives for sybil attacks, ...) but I like the analogy with mining.
Miners are incentivized to ensure network security by blocks rewards and txs fees.
With this model, users are incentivized to ensure better network privacy thanks to "coinjoin fees".
Note that people at unsystem may have considered a similar idea (see bottom of this page).


Another idea: Instead of or in addition to specifying a max fee they're willing to pay, takers could specify an amount of time that they're willing to wait, and their wallet would pick a max fee based on that (similar to the new dynamic transaction fees in bitcoin-qt).

If a taker specifies a max fee of zero, in addition to looking for a zero-fee maker to pair with, their wallet should also look for other takers with similar transaction sizes to pair them with. Senders could even specify that they want to receive a fee rather than paying one, effectively turning them into makers as well, except that they want to send bitcoins in the process, rather than just idly mixing their funds.

These options do increase the complexity of the pairing algorithm, but would allow for a wider variety of preferences to be expressed on the mixing market.
Interesting idea.
IMHO, we should make a distinction between what is defined at protocol level (e.g. pairing of maker & taker if fees match) and more complex behaviours implemented by wallets (e.g. taker defines the max fee he wants to pay and how long he can wait and the wallet applies a strategy to get a coinjoin which optimizes user's goals).
But I fully agree that UX will be key for adoption and that we should avoid too complex schemes.


Incentivizing idle-mixing is a great idea, but we don't want to discourage send-mixing just because all the idle-mixers start expecting payment for it.
That's another very good point but I'm not sure I reach the same conclusion.

Being a "constant" maker implies a few things :
- your computer remains online and consumes energy => being a maker implies a cost (not comparable to mining costs but there's a cost)
- you keep mixable coins in an hot wallet instead of a cold wallet => being a maker implies some risks

I'm sure that privacy enthusiasts may accept the cost and risk and become "constant" makers without a reward but this free model doesn't incentivize other people to become "constant" makers. The risk is that send-mixing is discouraged because there aren't enough makers and mixing takes too much time.

With fees, we may expect a range of offers (from 0 fee proposed by privacy enthusiasts to some X, Y, ... fees proposed by other makers).
It seems reasonable to think that a fair "market price" should appear even if some makers may still propose 0 fee mixing in order to maintain the system.
belcher
October 31, 2014, 05:27:25 PM
 #598

@belcher:
The idea surely requires some more thoughts (potential incentives for sybil attacks, ...) but I like the analogy with mining.
Miners are incentivized to ensure network security by blocks rewards and txs fees.
With this model, users are incentivized to ensure better network privacy thanks to "coinjoin fees".
Note that people at unsystem may have considered a similar idea (see bottom of this page).

Yes. There's some good points raised by waxwing and others on the reddit thread that appeared.
https://pay.reddit.com/r/Bitcoin/comments/2ku4tc/darkwallet_forward_from_irc_coinjoin_proposal/

Also painlord2k had suggested an idea like this too on the dev mailing list in Nov 2013. The idea is quite obvious so I'm not surprised it's been thought of a few times.


So Sybil attacks.
On the one hand it seems more honest coinjoin makers, motivated by their income, is a good thing because they crowd out the sybils.
On the other hand, now the sybils get paid too so their cost of maintaining a maker (running a computer online, owning large amounts of bitcoins) is slightly reduced.
Then there's also the coinjoin makers who were there in the status quo, people who just want to mix coins, don't mind waiting and would be willing to mix for free.
I'm not sure which way it would swing. I intuitively think Sybils will find it harder in the fee-paying model but I'm not sure how to prove or disprove that.

Now for a Sybil attack new identities need to be cheap and easy to create. But Sybil coinjoin makers are actually expensive to create and maintain because they must have bitcoins which can't be used anywhere else while the attack goes on. If bitcoiners are happy with mining power being proportional to processor power, I imagine they will be happy with coinjoin making power proportional to bitcoin ownership.

Maybe an analogy helps to clarify somehow? If tor nodes were paid would sybils find it harder or easier? If bitcoin nodes were paid would sybil nodes find it harder or easier to operate?

Would appreciate thoughts.


Quote
As it seems that just-mined-bitcoins have a higher value on privacy, it would be cool to have something that shows this to the end user.
Something that shows that some "offers" are better than others.

IMHO I would be against reducing the fungibility of bitcoins. Part of the purpose of all this coinjoin stuff is to keep bitcoins fungible so that it can be a good form of money.
But your idea could be implemented by the makers publishing the UTXO they will use, and the takers can scan the entire blockchain to see how close it is to a coinbase transaction.



To people who like this idea. Be honest, how much did you like the part about generating an income from your own hoarded bitcoins. :)
I'm guessing the psychological effect of earning interest on your coins, even if it's only a few thousand satoshis a day, will be very strong.
You all love getting money for doing nothing. Of course you do, that's part of the reason you chose to save and invest (in bonds, shares, and yes, bitcoins) rather than consume your entire income.

So we have to be careful our greed and entrepreneurial rapture don't blind us to some problem (sybil attack, etc)

1HZBd22eQLgbwxjwbCtSjhoPFWxQg8rBd9
JoinMarket - CoinJoin that people will actually use.
PGP fingerprint: 0A8B 038F 5E10 CC27 89BF CFFF EF73 4EA6 77F3 1129
2586
October 31, 2014, 06:52:52 PM
 #599

Quote
So Sybil attacks.
On the one hand it seems more honest coinjoin makers, motivated by their income, is a good thing because they crowd out the sybils.
On the other hand, now the sybils get paid too so their cost of maintaining a maker (running a computer online, owning large amounts of bitcoins) is slightly reduced.
Then there's also the coinjoin makers who were there in the status quo, people who just want to mix coins, don't mind waiting and would be willing to mix for free.
I'm not sure which way it would swing. I intuitively think Sybils will find it harder in the fee-paying model but I'm not sure how to prove or disprove that.

Now for a Sybil attack new identities need to be cheap and easy to create. But Sybil coinjoin makers are actually expensive to create and maintain because they must have bitcoins which can't be used anywhere else while the attack goes on. If bitcoiners are happy with mining power being proportional to processor power, I imagine they will be happy with coinjoin making power proportional to bitcoin ownership.

Performing a coinjoin makes the maker's funds unavailable for a little while, right? Or can it be done safely with unconfirmed outputs? Either way, it might make sense to require inputs to have a certain number of confirmations in order to drive up the cost of a sybil attack. If the attacker can't make their funds available again immediately after performing a mix, they'll be severely limited in the number of mixes they're able to participate in. Perhaps takers could specify a minimum number of confirmations that they want the maker's inputs to have.

Takers will need to be wary of automatically accepting the lowest-priced mix offers, since that will give attackers a way to get their offers taken more often than those of comparatively higher-fee honest makers. Some sort of fuzzing is probably in order, i.e. "pick a random offer from available offers with fee from 0% to 0.5%" rather than "pick the lowest offer available, not to exceed 0.5%". Depending on how paranoid the taker is, they may want to do one or more coinjoin sends back to themselves, then a final coinjoin send to their intended recipient, increasing their odds of getting at least one good mix.

Quote
To people who like this idea. Be honest, how much did you like the part about generating an income from your own hoarded bitcoins. :)
I'm guessing the psychological effect of earning interest on your coins, even if it's only a few thousand satoshis a day, will be very strong.
You all love getting money for doing nothing. Of course you do, that's part of the reason you chose to save and invest (in bonds, shares, and yes, bitcoins) rather than consume your entire income.

So we have to be careful our greed and entrepreneurial rapture don't blind us to some problem (sybil attack, etc)

Got me. I'm currently lending a significant chunk of my bitcoin savings on Bitfinex, though I'm not entirely certain that my income from it outweighs the counterparty risk. I'd love to be able to eliminate the counterparty risk entirely.

Without fees, I'd still operate as a coinjoin maker, since I want financial privacy for myself, I want to "stick it to the man", and I want to help others gain financial privacy as well. However, being paid would make the difference between acting as a maker part time with small amounts and doing so full time with large amounts. Which is the whole point of this proposal, after all. :)

cascadebot: A simple (but effective) lending bot for Bitfinex
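
The two taker-side rules suggested in the post above (a minimum confirmation count on the maker's inputs, and a random pick under a fee cap instead of the lowest offer), as an added sketch that is not part of the original thread and is not JoinMarket code. The `Offer` fields, the order book and the `sybil` flag are constructed for the simulation; a real taker cannot see which maker is an attacker.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Offer:
    maker: str          # constructed label, not a real identity
    fee_pct: float      # coinjoin fee asked by the maker, in percent
    confirmations: int  # confirmations on the UTXO the maker would use
    sybil: bool         # simulation ground truth; a real taker cannot see this

# Constructed order book: two attacker offers undercut eight honest makers.
BOOK = [Offer(f"honest{i}", fee, conf, False) for i, (fee, conf) in enumerate(
            [(0.10, 12), (0.15, 1), (0.20, 40), (0.25, 6),
             (0.30, 3), (0.35, 100), (0.40, 9), (0.45, 25)])]
BOOK += [Offer("sybilA", 0.01, 0, True),   # unconfirmed, funds just came out of a mix
         Offer("sybilB", 0.02, 6, True)]

def eligible(offers, max_fee_pct, min_conf):
    """Offers within the taker's fee cap whose input is confirmed deeply enough."""
    return [o for o in offers
            if o.fee_pct <= max_fee_pct and o.confirmations >= min_conf]

def pick_lowest(offers, max_fee_pct, min_conf, rng):
    """Naive rule: always take the cheapest eligible offer (rng unused)."""
    pool = eligible(offers, max_fee_pct, min_conf)
    return min(pool, key=lambda o: o.fee_pct) if pool else None

def pick_random(offers, max_fee_pct, min_conf, rng):
    """Fuzzed rule: uniform choice among all eligible offers under the cap."""
    pool = eligible(offers, max_fee_pct, min_conf)
    return rng.choice(pool) if pool else None

def sybil_share(picker, offers, min_conf, max_fee_pct=0.5, rounds=10_000, seed=1):
    """Fraction of simulated coinjoins whose chosen maker is an attacker."""
    rng = random.Random(seed)
    picks = [picker(offers, max_fee_pct, min_conf, rng) for _ in range(rounds)]
    return sum(p is not None and p.sybil for p in picks) / rounds

if __name__ == "__main__":
    for name, picker in (("lowest", pick_lowest), ("random", pick_random)):
        for min_conf in (0, 3):
            share = sybil_share(picker, BOOK, min_conf)
            print(f"{name:6} min_conf={min_conf}: sybil share {share:.3f}")
```

With lowest-fee selection the undercutting offers win every round, with or without the confirmation rule; random selection brings their share down to their fraction of the eligible pool, and the confirmation rule then removes the unconfirmed offer from that pool.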
laurentmt
October 31, 2014, 06:54:01 PM
 #600

Quote
So Sybil attacks.
...
Would appreciate thoughts.

A quick thought: I think the answer will depend on the type of attacker you consider.
My previous comment about 3-letter agencies was almost a joke but I think that for this kind of "attacker", reward/no reward doesn't make any difference because of their financial resources. Having a financial incentive may increase the number of makers and you can expect that some people won't be caught by the attacker but I'm not really sure it will make a big difference.

Quote
To people who like this idea. Be honest, how much did you like the part about generating an income from your own hoarded bitcoins. :)
I'm guessing the psychological effect of earning interest on your coins, even if it's only a few thousand satoshis a day, will be very strong.
You all love getting money for doing nothing. Of course you do, that's part of the reason you chose to save and invest (in bonds, shares, and yes, bitcoins) rather than consume your entire income.

So we have to be careful our greed and entrepreneurial rapture don't blind us to some problem (sybil attack, etc)

Human "greed" is precisely the interesting factor for this model.
Privacy usually comes with a cost (in terms of UX or financial cost, ...) and no "obvious" reward (except for people having a "shadow" activity).
The outcome is that digital privacy is at a very low level for many people.
IMHO, introducing a reward may be an important factor to increase adoption.

Let's make a parallel with bitcoin security. This security is enforced by mining and full nodes.
Mining comes with a reward and hashpower is skyrocketing. Full nodes have no reward and their number is almost constant or decreasing...

