CoinJoin: Bitcoin privacy for the real world

[belcher]

I'm pleased to announce the mainnet version of JoinMarket.

Expect glitches and a command line interface. But it works.

Here's some CoinJoins people have already done
https://blockchain.info/tx/601d9c15bc1edd2fe3e5c853ed111d11e9c0a5fb66c75571c7f10fa0d8ab23bb 5-party coinjoin
https://blockchain.info/tx/b85a3b563474ca98ba1809460e61a50053899c21f9869afb6a3a6d4b4cb00b7c 4-party coinjoin
https://blockchain.info/tx/e8b793b3464641df9404993c3101f81208b2d774f51a1ec748a608fbc9e22629 3-party coinjoin
https://blockchain.info/tx/665a9d7848cc0d28869ef866ca9a1117f20358e1e372dbbb01f1b75054584e70 3-party coinjoin

Only pocket change amounts for now, if anyone found an exploit bug they could theoretically clean out your wallet. My yield generator bot is running happily right now, I've already earned about 25000 satoshi.

I will be working on an Electrum plugin to make it easy to use. Electrum doesn't have a testnet version which is one reason we've moved to the mainnet now.

[1715055523]

1715055523

[1715055523]

1715055523

[1715055523]

1715055523

[1715055523]

1715055523

[Mixles]

In order to further incentivize work in this space there is now a multisignature escrow bounty fund:

   3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk
                    (yes, Bitcoin addresses can also start with a 3)

This is a two-of-three multisignature escrow with myself, Theymos, and Pieter Wuille as signers. To release any coin sent to this address at least two of these people must sign the transaction.

The bounty fund will pay out as funds are available according to the signers best judgment for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users.

Please feel free to contribute to the above address to support work on this infrastructure.

I would like to make a claim on this fund for work done on Compact Confidential Transactions (subject to the ongoing peer review).

https://bitcointalk.org/index.php?topic=1085436.msg11597427

CoinJoin should 'just work' in this scheme, and has a similar interface to gmaxwell's Confidential Transactions for keeping participant's balances hidden from other participants.

Participants generate some random inputs, and same number of random outputs, to themselves with a zero sum, and ensure that they do not introduce any fuzz over/underflow, so the fee is fixed.

An alternative approach, is to let participants share only their fee delta, guaranteeing that everyone makes the same fee adjustment, in which case the number of outputs can also differ to the number of inputs for each participant.

If anyone puts in too much or too little, their sum, and the whole transaction sum, won't come out as zero and the transaction will be invalid.

[belcher]

In order to further incentivize work in this space there is now a multisignature escrow bounty fund:

   3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk
                    (yes, Bitcoin addresses can also start with a 3)

This is a two-of-three multisignature escrow with myself, Theymos, and Pieter Wuille as signers. To release any coin sent to this address at least two of these people must sign the transaction.

The bounty fund will pay out as funds are available according to the signers best judgment for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users.

Please feel free to contribute to the above address to support work on this infrastructure.

I would like to make a claim on this fund for work done on Compact Confidential Transactions (subject to the ongoing peer review).

https://bitcointalk.org/index.php?topic=1085436.msg11597427

CoinJoin should 'just work' in this scheme, and has a similar interface to gmaxwell's Confidential Transactions for keeping participant's balances hidden from other participants.

Participants generate some random inputs, and same number of random outputs, to themselves with a zero sum, and ensure that they do not introduce any fuzz over/underflow, so the fee is fixed.

An alternative approach, is to let participants share only their fee delta, guaranteeing that everyone makes the same fee adjustment, in which case the number of outputs can also differ to the number of inputs for each participant.

If anyone puts in too much or too little, their sum, and the whole transaction sum, won't come out as zero and the transaction will be invalid.

It looks like you might need to write some code, as the post says "for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users."

[Mixles]

It looks like you might need to write some code, as the post says "for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users."

Just as well that it does not say "for completed code". Otherwise I would be going against the thing. In a knowledge economy, new knowledge (and new code) takes a lot of completed works. Anyway, the review is not complete yet so my claim might not be valid. And even if it is valid or invalid logically, the fund is ultimately at the discretion of two individuals. If they want to encourage or discourage this kind of research is up to them.

[phelix]

In order to further incentivize work in this space there is now a multisignature escrow bounty fund:

   3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk
                    (yes, Bitcoin addresses can also start with a 3)

This is a two-of-three multisignature escrow with myself, Theymos, and Pieter Wuille as signers. To release any coin sent to this address at least two of these people must sign the transaction.

The bounty fund will pay out as funds are available according to the signers best judgment for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users.

Please feel free to contribute to the above address to support work on this infrastructure.

Multisig address construction details:

Code:

Key from Theymos:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Here is a public key of mine, usable for the CoinJoin bounty fund:
02d5f2b9c68b22006161dfe58a78b37dc2b577e8bb4e4522940830264eb3b3a38b
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlISs5MACgkQxlVWk9q1kednkgD/WvE3F1hSoKHIr+y7q3O6xbGp
FM+P/lVbi/nZugrlNKABALMhYih2Ov80OS1PLMX9UpONn2eE2Xu+ZkxZ2SkQFfCU
=lFI0
-----END PGP SIGNATURE-----

Key from Gmaxwell:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is a public key of mine, usable for the CoinJoin bounty fund:
027b48575c15712867a8a1e6c9f52f510946130bbdf3b1e2feb344b8b68232ffb1
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlIbCV4ACgkQrIWTYrBBO/ooAgCdG9twTEFH5q+5Pip9qDOGsoww
a7YAoLfVP4CBaxk5mnpMXVHpQXqgVwxL
=k1JR
-----END PGP SIGNATURE-----

Key from Pieter:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
Here is a public key of mine, usable for the CoinJoin bounty fund:
0292782efcb08d621c360d055f407c8e75ffbbd06f6b7009c1432ca9eaa6732592
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
 
iQGcBAEBCAAGBQJSpLf6AAoJEI9lMlXIeZLgtRkL/3ufWgLyhTKM9T30JqA0a/Xh
5KUMD0csuxTMYraVOy9x7tRVZh+fETt4Y3clhErZj8g6VraC5ku+4pyHxtFztWor
N6QadkAvwuCAqmBxbAmb7hTq41eXjptzwqyUWh/z6YecBKeRIxIi/8LGqX/+gODd
GlKj66Ex27wgp9gJp/1Ot+hrTmmasxXAEjXYJTKr4LjJeajH/HJJQeCI6jTy4fdm
TsplX7rUgzhdZQ60malyn1MCmtdXRviWyWuAvKgpIaEMaZsFCSMfvNzUtKHiMv3n
HPxe9OAv1V2rdwU9oa7gxHLSvF7BER1XpWcA0UKTeD1w2/vzPZj3exDDHT8A35Ro
nhK6cJPYTdnzXLavpFqRD85R1G9W3rl4IzqfflXwWB2rRByyLROvrMfVG8iLMYP0
JcaB+8kttzqTa0vBiaosCvSbFZAfw2seyXxxF5anH4Q0ueMJKglLp6rE/51s1bQa
Hz6rsSAAdvx/OSCitKp1+JMzSKA/SwNMRUy4VqKQ4g==
=70Dh
-----END PGP SIGNATURE-----

2-of-3 Address construction: 
$ bitcoind createmultisig 2 '["02d5f2b9c68b22006161dfe58a78b37dc2b577e8bb4e4522940830264eb3b3a38b","027b48575c15712867a8a1e6c9f52f510946130bbdf3b1e2feb344b8b68232ffb1","0292782efcb08d621c360d055f407c8e75ffbbd06f6b7009c1432ca9eaa6732592"]'
{
    "address" : "3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk",
    "redeemScript" : "522102d5f2b9c68b22006161dfe58a78b37dc2b577e8bb4e4522940830264eb3b3a38b21027b48575c15712867a8a1e6c9f52f510946130bbdf3b1e2feb344b8b68232ffb1210292782efcb08d621c360d055f407c8e75ffbbd06f6b7009c1432ca9eaa673259253ae"
}

Would this suite Joinmarket? https://bitcointalk.org/index.php?topic=919116

[dooglus]

The bounty fund will pay out [...] for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users.

Would this suite Joinmarket? https://bitcointalk.org/index.php?topic=919116

Was the work proposed in this thread?

If so, JoinMarket definitely qualifies.

[phelix]

The bounty fund will pay out [...] for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users.

Would this suite Joinmarket? https://bitcointalk.org/index.php?topic=919116

Was the work proposed in this thread?

I guess only gmaxwell knows the answer to this question. In my eyes Joinmarket is going further than what has been suggested in this thread as it adds the incentive necessary for CoinJoin to actually go somewhere.

[tommorisonwebdesign]

It is definitely an interesting idea. I would definitely like to see am implementation of the concept coded and implemented.

[dooglus]

It is definitely an interesting idea. I would definitely like to see am implementation of the concept coded and implemented.

Check out JoinMarket.

It's an implementation of the concept coded and implemented.

[tailsjoin]

I can't see any reason for why JoinMarket development shouldn't be give some or all of this fund.

[bassmaster]

+1 for JoinMarket (and perhaps TailsJoin getting a small percentage as well)

Would love to have gmaxwell take a look at the implementation and provide feedback.

[ABISprotocol]

Probably nobody will care, but....

1) https://github.com/bitcoin/bitcoin/issues/3226#issuecomment-164755098

2) https://github.com/bitcoin-dot-org/bitcoin.org/pull/1129#issuecomment-155241130

Cheers

[ABISprotocol]

I'm pleased to announce the mainnet version of JoinMarket.

Expect glitches and a command line interface. But it works.

(...)

I will be working on an Electrum plugin to make it easy to use. Electrum doesn't have a testnet version which is one reason we've moved to the mainnet now.

At this point, do you have an Electrum plugin?  If so, where to go to find it?
Am assuming at this point, it's probably here..
https://github.com/JoinMarket-Org/joinmarket/issues/44
and also
https://github.com/JoinMarket-Org/joinmarket/tree/electrum-plugin
If there's a particular file that needs attention/work pls. advise.

[belcher]

The electrum plugin would work by having a sidecar daemon that the plugin sends transaction information to and obtains an unsigned coinjoin transaction. The files are electrum-plugin-daemon.py and electrum-plugin.py, although that branch is probably quite stale.

[mamadmankan]

IMHO, it could be used as a load balancing device for a system with a fixed block size limit. CoinJoins happen automatically to help compress more transactions into the available block space. This could provide a good argument against a scheme with a continuously variable block size, or to a scheme with no limit at all (although I don't think anyone has yet made any serious proposal for the latter). It also illustrates that CoinJoin really is just that, joining inputs and outputs into single transactions, regardless of the utility you're seeking from doing so.

[marcus_of_augustus]

IMHO, it could be used as a load balancing device for a system with a fixed block size limit. CoinJoins happen automatically to help compress more transactions into the available block space. This could provide a good argument against a scheme with a continuously variable block size, or to a scheme with no limit at all (although I don't think anyone has yet made any serious proposal for the latter). It also illustrates that CoinJoin really is just that, joining inputs and outputs into single transactions, regardless of the utility you're seeking from doing so.

Interesting. What is the effective 'compression' of doing several individual TX versus a single CoinJoin containing the same TXs?

[Carlton Banks]

IMHO, it could be used as a load balancing device for a system with a fixed block size limit. CoinJoins happen automatically to help compress more transactions into the available block space. This could provide a good argument against a scheme with a continuously variable block size, or to a scheme with no limit at all (although I don't think anyone has yet made any serious proposal for the latter). It also illustrates that CoinJoin really is just that, joining inputs and outputs into single transactions, regardless of the utility you're seeking from doing so.

Interesting. What is the effective 'compression' of doing several individual TX versus a single CoinJoin containing the same TXs?

There's a fair proportion of header/data for single output -> pair of outputs, but mamadmankan is only identifying the first steps in the line of thinking that led to stuff like SegWit and Lightning.

[Dabs]

Sorry for bumping this thread ... I'm just curious.

...

3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk

...

The bounty fund will pay out as funds are available according to the signers best judgment for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users.

If JoinMarket did not qualify, and CoinShuffle (or ShuffleCoin?) did not also qualify, what would do it? Does it have to be completely decentralized? Can it be something that relies on a "super-node" or even a third party website, bot or api? (Someone collects possible transactions and makes everyone sign it once a day or once an hour or something.)

How do you define "practical reality for Bitcoin users"?

Did I miss any other attempts at implementing this aside from CoinShuffle and JoinMarket?

[waxwing]

Sorry for bumping this thread ... I'm just curious.

...

3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk

...

The bounty fund will pay out as funds are available according to the signers best judgment for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users.

If JoinMarket did not qualify, and CoinShuffle (or ShuffleCoin?) did not also qualify, what would do it? Does it have to be completely decentralized? Can it be something that relies on a "super-node" or even a third party website, bot or api? (Someone collects possible transactions and makes everyone sign it once a day or once an hour or something.)

How do you define "practical reality for Bitcoin users"?

Did I miss any other attempts at implementing this aside from CoinShuffle and JoinMarket?

Coinshuffle is really an enhancement protocol on top of any coinjoin implementation, it's not a coinjoin implementation itself. There hasn't as yet been an implementation using it (correct me if I'm wrong), so from that point of view the question doesn't apply to coinshuffle, although Mycelium are currently working on one.

[schnuber]

I have a question:
When I am doing a transaction and I send my signed tx to the network. Could someone else take that transaction and add a additional signed input to the tx. So this would mean that my tx gets coinjoined without my approval, would that be accepted by the network?

Greets