Bitcoin Forum
Topic: CoinJoin: Bitcoin privacy for the real world
waxwing
May 22, 2016, 07:22:18 PM
 #641

On the topic of whether a coinjoin is discoverable/watermarkable let's say, I'd say a couple of things: if coinjoins follow an identifiable pattern, it certainly doesn't mean that they're useless; the main effect that a coinjoin output (i.e. equal sized output) is fundamentally indistinguishable from its neighbour coinjoin outputs is still true. That's the main effect we're looking for. The only conceivable negative is that the inputs to such a transaction are marked "This wallet closure is suspicious"; although I think any good "Bitcoin citizen" should prefer to use coinjoins where it's practical, since this is a currency and it's intended to be fungible. I've tried to make most of my recent retail payments with coinjoins.

Wallet closure analysis *is* damaged (severely) by use of coinjoins and that's the intention. Trying to make them invisible (i.e. not have properties distinct from non-coinjoins) seems like a high bar to set, and a moving target. I know Kristov Atlas has been looking into how transaction structures could be standardized to facilitate this; it seems like a hard goal to reach, but worth looking into.

Second, Joinmarket coinjoins are fairly easily found (with some false positives of course), see e.g.: https://github.com/AdamISZ/JMPrivacyAnalysis/blob/master/tumbler_privacy.md#identifying-joinmarket-transaction-types and Adlai's even made a tool to automate finding them on the blockchain: https://github.com/adlai/cjhunt.

TLDR I don't think coinjoins being identifiable is such a bad thing; even the most brain-dead construction is better for privacy than a non-coinjoin in any case, and by a long way.

PGP fingerprint 4668 9728 A9F6 4B39 1FA8 71B7 B3AE 09F1 E9A3 197A (use email to contact)
waxwing
May 22, 2016, 07:26:42 PM
 #642

Quote
I have a question:
When I am doing a transaction and I send my signed tx to the network. Could someone else take that transaction and add an additional signed input to the tx. So this would mean that my tx gets coinjoined without my approval, would that be accepted by the network?

Greets

Not possible unless you explicitly chose to use non-standard sighash flags (and even then! possibly it could happen with SIGHASH_SINGLE|SIGHASH_ANYONECANPAY).

PGP fingerprint 4668 9728 A9F6 4B39 1FA8 71B7 B3AE 09F1 E9A3 197A (use email to contact)
dooglus
May 22, 2016, 08:57:35 PM
 #643

Quote
I have a question:
When I am doing a transaction and I send my signed tx to the network. Could someone else take that transaction and add an additional signed input to the tx. So this would mean that my tx gets coinjoined without my approval, would that be accepted by the network?

Greets

Not possible unless you explicitly chose to use non-standard sighash flags (and even then! possibly it could happen with SIGHASH_SINGLE|SIGHASH_ANYONECANPAY).

Or in layman's terms, by default every signature is signing the complete set of inputs and outputs. If you change any input or output the signatures become invalid.
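
Added example (not part of the original posts): a minimal Python implementation of the legacy (pre-SegWit) signature hash, showing which sighash flags let a signature on input 0 stay valid after someone appends an input or an output. The transaction, the placeholder scripts and the helper names (`legacy_sighash`, `signature_survives`) are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass, replace

SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE = 0x01, 0x02, 0x03
SIGHASH_ANYONECANPAY = 0x80

@dataclass(frozen=True)
class TxIn:
    prev_txid: bytes            # 32 bytes, internal byte order
    prev_index: int
    script: bytes = b""
    sequence: int = 0xFFFFFFFF

@dataclass(frozen=True)
class TxOut:
    value: int                  # satoshis
    script: bytes

def varint(n):
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    return b"\xfe" + struct.pack("<I", n)

def serialize(ins, outs, version=1, locktime=0):
    raw = struct.pack("<i", version) + varint(len(ins))
    for i in ins:
        raw += i.prev_txid + struct.pack("<I", i.prev_index)
        raw += varint(len(i.script)) + i.script + struct.pack("<I", i.sequence)
    raw += varint(len(outs))
    for o in outs:
        raw += struct.pack("<q", o.value) + varint(len(o.script)) + o.script
    return raw + struct.pack("<I", locktime)

def legacy_sighash(ins, outs, index, script_code, hashtype):
    """Digest that the signature on input `index` commits to."""
    base = hashtype & 0x1F
    # Every input script is blanked except the one being signed.
    ins = [replace(t, script=script_code if n == index else b"")
           for n, t in enumerate(ins)]
    if base == SIGHASH_NONE:
        outs = []                                   # commit to no outputs
    elif base == SIGHASH_SINGLE:
        if index >= len(outs):                      # historical quirk: digest is "1"
            return (1).to_bytes(32, "little")
        # Commit only to the output at the same index; earlier ones are blanked.
        outs = [TxOut(-1, b"")] * index + [outs[index]]
    if base in (SIGHASH_NONE, SIGHASH_SINGLE):
        ins = [t if n == index else replace(t, sequence=0)
               for n, t in enumerate(ins)]
    if hashtype & SIGHASH_ANYONECANPAY:
        ins = [ins[index]]                          # commit only to the signer's own input
    preimage = serialize(ins, outs) + struct.pack("<I", hashtype)
    return hashlib.sha256(hashlib.sha256(preimage).digest()).digest()

def p2pkh(tag):
    # Constructed placeholder script, not a real key hash.
    return b"\x76\xa9\x14" + bytes([tag]) * 20 + b"\x88\xac"

# Constructed sample transaction: one input (the signer), one payment output.
ALICE_IN = TxIn(bytes([0xA1]) * 32, 0)
EXTRA_IN = TxIn(bytes([0xE7]) * 32, 1)      # input appended by a third party
PAYMENT = TxOut(50_000, p2pkh(0xB0))
EXTRA_OUT = TxOut(10_000, p2pkh(0xE7))      # output appended by a third party

def signature_survives(hashtype, add_input=False, add_output=False):
    """True if the digest signed for input 0 is unchanged after the append."""
    code = p2pkh(0xA1)
    before = legacy_sighash([ALICE_IN], [PAYMENT], 0, code, hashtype)
    ins = [ALICE_IN] + ([EXTRA_IN] if add_input else [])
    outs = [PAYMENT] + ([EXTRA_OUT] if add_output else [])
    return before == legacy_sighash(ins, outs, 0, code, hashtype)

if __name__ == "__main__":
    acp = SIGHASH_ANYONECANPAY
    for name, ht in [("ALL", SIGHASH_ALL), ("ALL|ANYONECANPAY", SIGHASH_ALL | acp),
                     ("SINGLE|ANYONECANPAY", SIGHASH_SINGLE | acp)]:
        print(name, "input:", signature_survives(ht, add_input=True),
              "input+output:", signature_survives(ht, True, True))
```

With the default SIGHASH_ALL any appended input or output changes the digest, so the existing signature no longer verifies; only the ANYONECANPAY variants tolerate an extra input, and only SINGLE|ANYONECANPAY tolerates an extra input and an extra output together.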

Dabs
May 23, 2016, 02:56:34 AM
 #644

Oh. Ok. I get it. This is good then.

But for people to do the CoinJoin, they all have to sign the same transaction, thus the possibility of a denial of service attack (by pretending to be part of the process but not signing the transaction.)

From what I understand, this "network level snooping" can only be done live, or someone or something is watching a good number of nodes, because the blockchain data itself does not store ip addresses. The transaction doesn't have any ip address information either. And where the transaction is first relayed is no indication that that is the one that actually sent it. And in any case, with a CoinJoin with a good number of real people, it doesn't matter who sent it as everyone else signed it, the one who actually broadcasts the transaction can be anyone, or even a completely different entity, or went through Tor or a VPN or from some random internet cafe. (Spammers do it all the time and are rarely or never caught.)

So, the problem is: too big a CoinJoin, (like with a few thousand) is hard to pull off, and some people might not go through with it. Too small, (such as 2 or 3 or 4 inputs and outputs) and it's too easy to analyze.

So, if someone comes up with a "trusted" server, or shall I say "trustless" server, even if it is suboptimal, then that's still a good thing as long as that server is not compromised, or it doesn't keep logs after every transaction or something like that.

I mean, I can see at least 2 really big "traditional" mixers on these forums. The biggest one supposedly has a reserve of 3000 BTC. These guys can certainly pull it off, many people already trust them to mix "traditionally", I don't suppose they'd have a problem getting the same users to trust them to "CoinJoin" the whole thing and include their reserve in the process.

I have an idea, and guys, let me know if this is decent or crazy or whatever: or if this is already what is being done by JoinMarket, Shuffle, Whatever.

1. I make a website or a server for this purpose.
2. It asks users to create their transactions, and a given time limit, say 30 minutes or 1 hour.
3. Every 30 minutes, or every hour, it gets back to all the users with the giant CoinJoin transaction formed thus far and asks all the people to sign.
4. The site itself takes a fee, and that's somehow inserted into the process.
5. Assuming the site is "trustable", then only outsiders are "attackers" and they're not going to learn much except "I see 100 inputs and 200 outputs, and I own 20 of them. I dunno who the other 80 are."
6. Repeat every hour or every whenever. Or every 100 people. Or once a day.
7. JavaScript or open source client side signing thingy that can sign for you if you're away from your computer so the site doesn't have to wait an hour when it reaches the minimum number of people.

The other idea I had, which I mentioned a long time ago, is like a traditional mixer, in that the mixer site itself has to be trusted, but it does everything internally, and you just send your coins. Instead of the traditional mixing of unrelated inputs and outputs, it's basically a CoinJoin mixer that gets all deposits and spits out the transactions just like a traditional mixer. The only downside is having to trust the site.

Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
Rampion
May 23, 2016, 08:08:27 AM
 #645

BTW (and sorry for being slightly off-topic): did blockchain.info remove "shared coin", their coinjoin implementation? Cannot find it anymore!

waxwing
May 23, 2016, 08:38:53 AM
 #646

Quote
I have an idea, and guys, let me know if this is decent or crazy or whatever: or if this is already what is being done by JoinMarket, Shuffle, Whatever.

1. I make a website or a server for this purpose.
2. It asks users to create their transactions, and a given time limit, say 30 minutes or 1 hour.
3. Every 30 minutes, or every hour, it gets back to all the users with the giant CoinJoin transaction formed thus far and asks all the people to sign.
4. The site itself takes a fee, and that's somehow inserted into the process.
5. Assuming the site is "trustable", then only outsiders are "attackers" and they're not going to learn much except "I see 100 inputs and 200 outputs, and I own 20 of them. I dunno who the other 80 are."
6. Repeat every hour or every whenever. Or every 100 people. Or once a day.
7. JavaScript or open source client side signing thingy that can sign for you if you're away from your computer so the site doesn't have to wait an hour when it reaches the minimum number of people.

I don't know if you're aware, but joinmarket exists (has done for a year on mainnet now), it's doing maybe 50-100 transactions per day (hard to get numbers without running the blockchain analysis mentioned above; and false positives there will confuse it). You can see the orderbook at https://joinmarket.me/ob

As for the description above, it's fine (it's the first, simplest design mentioned by gmaxwell in the OP) but having the server know all the linkages is a bit much. Joinmarket has one participant act as the coordinator for each transaction, and pay for the privilege of knowing the linkages for that transaction (I'm repeating myself now, I said this a few posts back). Instead of one server with a global history. To go further, you add Coinshuffle or blind signing so that no-one needs to know the linkages (assuming no Sybil case, i.e. other participants are really distinct).

The economic incentive, while small, helps create more participants. Most joinmarket coinjoins involve 3-6 participants although 10+ is not unheard of  (I myself had a couple of 9,10 party joins recently, e.g. e701bc57fa663eaef4d57a9ea20b3212a90a8be71a32bd3bcb84062e864bdab0).


PGP fingerprint 4668 9728 A9F6 4B39 1FA8 71B7 B3AE 09F1 E9A3 197A (use email to contact)
CohibAA
May 23, 2016, 08:51:34 AM
 #647


Quote
I have an idea, and guys, let me know if this is decent or crazy or whatever: or if this is already what is being done by JoinMarket, Shuffle, Whatever.

1. I make a website or a server for this purpose.
2. It asks users to create their transactions, and a given time limit, say 30 minutes or 1 hour.
3. Every 30 minutes, or every hour, it gets back to all the users with the giant CoinJoin transaction formed thus far and asks all the people to sign.
4. The site itself takes a fee, and that's somehow inserted into the process.
5. Assuming the site is "trustable", then only outsiders are "attackers" and they're not going to learn much except "I see 100 inputs and 200 outputs, and I own 20 of them. I dunno who the other 80 are."
6. Repeat every hour or every whenever. Or every 100 people. Or once a day.
7. JavaScript or open source client side signing thingy that can sign for you if you're away from your computer so the site doesn't have to wait an hour when it reaches the minimum number of people.

The other idea I had, which I mentioned a long time ago, is like a traditional mixer, in that the mixer site itself has to be trusted, but it does everything internally, and you just send your coins. Instead of the traditional mixing of unrelated inputs and outputs, it's basically a CoinJoin mixer that gets all deposits and spits out the transactions just like a traditional mixer. The only downside is having to trust the site.

I think it's at least a decent idea, although implementation might be tricky.  One limitation with JoinMarket is the ability to easily facilitate a transaction with a very large number of parties.  As of right now, there are only about 50 "makers" on the orderbook, and likely many of those are actually the same people, running multiple yield generator bots.  The largest coinjoin done using JoinMarket that I am aware of had 17 parties. (that might not even be the most interesting thing about that transaction...)

 Huh

I think something like this would be possible to build within JoinMarket, such that "takers" are given an option to delay and group their transaction with other takers (and makers, maybe), but again, I'm sure the coding would be substantial.  A better solution for JoinMarket will likely be simple growth.  The GUI is probably helping to bring in more users.  An Electrum plugin could also be potentially huge for JoinMarket, bringing fungibility (is that a word?) to many more users.  I think some privacy conscious websites may also benefit from implementing JoinMarket transactions into their wallet structure (online casinos, darknet markets, etc.) which will also help the current limitations.

Interesting times.

belcher
May 23, 2016, 11:44:29 AM
 #648

New paper on address closures / clustering.

http://arxiv.org/abs/1605.06369



Quote
Sorry for bumping this thread ... I'm just curious.

...

3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk

...

The bounty fund will pay out as funds are available according to the signers best judgment for completed work proposed in this thread that furthers the goal of making improved transaction privacy a practical reality for Bitcoin users.

If JoinMarket did not qualify, and CoinShuffle (or ShuffleCoin?) did not also qualify, what would do it? Does it have to be completely decentralized? Can it be something that relies on a "super-node" or even a third party website, bot or api? (Someone collects possible transactions and makes everyone sign it once a day or once an hour or something.)

How do you define "practical reality for Bitcoin users"?

Did I miss any other attempts at implementing this aside from CoinShuffle and JoinMarket?

Would be interested to know as well.
Six months ago I sent a PM to theymos, Pieter Wuille, gmaxwell asking for (some of) the bounty.



Quote
I think something like this would be possible to build within JoinMarket, such that "takers" are given an option to delay and group their transaction with other takers (and makers, maybe), but again, I'm sure the coding would be substantial.  A better solution for JoinMarket will likely be simple growth.  The GUI is probably helping to bring in more users.  An Electrum plugin could also be potentially huge for JoinMarket, bringing fungibility (is that a word?) to many more users.  I think some privacy conscious websites may also benefit from implementing JoinMarket transactions into their wallet structure (online casinos, darknet markets, etc.) which will also help the current limitations.


This could be done with a script called patientsendpayment.py, https://github.com/JoinMarket-Org/joinmarket/wiki/Sending-payments-with-CoinJoin#patient-send-payment
Although because the current protocol is flawed and needs updating, you can only send to addresses for which you know the private key.

Using JoinMarket for bitcoin websites could be done today, I've written a brief explanation on how here https://github.com/JoinMarket-Org/joinmarket/issues/293

1HZBd22eQLgbwxjwbCtSjhoPFWxQg8rBd9
JoinMarket - CoinJoin that people will actually use.
PGP fingerprint: 0A8B 038F 5E10 CC27 89BF CFFF EF73 4EA6 77F3 1129
Dabs
May 23, 2016, 04:47:15 PM
 #649

Quote
(that might not even be the most interesting thing about that transaction...)

I looked at that, and this one looked interesting to me:

https://btc.blockr.io/address/info/1PavedWithGodAndSomeTeensionXudq5X

It would seem someone intentionally destroyed 1.6 BTC.

Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
waxwing
May 24, 2016, 10:00:54 AM
 #650

Quote
It would seem someone intentionally destroyed 1.6 BTC.

Phi to be (more) precise :)

PGP fingerprint 4668 9728 A9F6 4B39 1FA8 71B7 B3AE 09F1 E9A3 197A (use email to contact)
mangox
May 31, 2016, 07:07:59 PM
 #651

Quote
BTW (and sorry for being slightly off-topic): did blockchain.info remove "shared coin", their coinjoin implementation? Cannot find it anymore!

does not exist anymore :(

ALL escrow is signed!
https://keybase.io/verify
Rampion
May 31, 2016, 07:38:41 PM
 #652

Quote
BTW (and sorry for being slightly off-topic): did blockchain.info remove "shared coin", their coinjoin implementation? Cannot find it anymore!

does not exist anymore :(

That really sucks.

K1773R
June 06, 2016, 08:18:33 AM
 #653

Quote
BTW (and sorry for being slightly off-topic): did blockchain.info remove "shared coin", their coinjoin implementation? Cannot find it anymore!

does not exist anymore :(

That really sucks.
Just use joinmarket.

[GPG Public Key]  [Devcoin Builds]  [BBQCoin Builds]  [Multichain Blockexplorer]  [Multichain Blockexplorer - PoS Coins]  [Ufasoft Miner Linux Builds]
BTC/DVC/TRC/FRC: 1K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM AK1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: NK1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: LKi773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: EK1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: bK1773R1APJz4yTgRkmdKQhjhiMyQpJgfN
Mr.Broker
June 07, 2016, 11:17:47 AM
 #654

People appear to have been sending very large numbers of addresses dust as a way to break anonymity. Granted, they also may have been doing it as a way to get signatures from scriptPubKeys due to the 'R' re-use issue, but the script would use bitcoind to spend the dust which is known to not be vulnerable.

Also there's lots of pretty much unspendable dust out there from Satoshidice and others, and again such a script can help.
ABISprotocol
June 08, 2016, 07:08:05 AM
 #655

Quote
People appear to have been sending very large numbers of addresses dust as a way to break anonymity. Granted, they also may have been doing it as a way to get signatures from scriptPubKeys due to the 'R' re-use issue, but the script would use bitcoind to spend the dust which is known to not be vulnerable.

Also there's lots of pretty much unspendable dust out there from Satoshidice and others, and again such a script can help.

Check with Peter Todd before using (not sure if up to date exactly because was last updated November 2015) but, this could be useful if you are trying to deal with some dust issue (Core)

https://github.com/petertodd/dust-b-gone

I also happen to think that dust isn't as big a deal as people think it is.  It is a gift, not a curse, and it should be treated as such, people just haven't been innovative enough yet to address it well or meaningfully.  See project referred to in my signature.

Also, see BlockCypher's API http://dev.blockcypher.com/#microtransaction-api

(I do not work for BlockCypher, but I consider their work innovative)

ABISprotocol (Github/Gist)
http://abis.io
Rampion
June 08, 2016, 01:37:41 PM
 #656

Quote
BTW (and sorry for being slightly off-topic): did blockchain.info remove "shared coin", their coinjoin implementation? Cannot find it anymore!

does not exist anymore :(

That really sucks.
Just use joinmarket.

Are there any easy, straightforward instructions to use joinmarket? Blockchain's shared coin was easy.

Cryddit
June 08, 2016, 07:59:29 PM
 #657

Bitcoin gambling sites are entirely functional as (probabilistic) mixers, if you trust the gambling sites.

Wanna mix 10BTC? Just make a hundred 0.1BTC bets at even odds.  50 of them pay out double (minus the house cut) and 50 disappear.  So you get your 10BTC back, minus the house cut, and the house cut in that case is just a mixing fee.

But that's not really what coinjoin is supposed to accomplish.
ABISprotocol
June 08, 2016, 09:50:52 PM
 #658

Quote
BTW (and sorry for being slightly off-topic): did blockchain.info remove "shared coin", their coinjoin implementation? Cannot find it anymore!

does not exist anymore :(

That really sucks.
Just use joinmarket.

Are there any easy, straightforward instructions to use joinmarket? Blockchain's shared coin was easy.

Actually, yes, there are -

Joinmarket has a reddit:  https://www.reddit.com/r/joinmarket  May not be a bad place to have questions answered, but you may want to do tor and create a disposable account for it.  I won't use reddit anymore because of this - they are getting NSLs all the time, read in depth into comments... https://www.reddit.com/r/announcements/comments/4cqyia/for_your_reading_pleasure_our_2015_transparency/

However, if you don't want to deal with that, you could just view / lurk in the reddit discussions without having to log in and find out some of what you need, or just check out the right-hand side of the screen (under 'How do I get Started') which has the links you need.

There's also a very handy set of instructions right on github, for the GUI version of it, here:

https://github.com/JoinMarket-Org/JMBinary

Pretty damn handy.  :-)

ABISprotocol (Github/Gist)
http://abis.io
Dabs
June 09, 2016, 06:06:34 PM
 #659

Quote
Bitcoin gambling sites are entirely functional as (probabilistic) mixers, if you trust the gambling sites.

Wanna mix 10BTC? Just make a hundred 0.1BTC bets at even odds.  50 of them pay out double (minus the house cut) and 50 disappear.  So you get your 10BTC back, minus the house cut, and the house cut in that case is just a mixing fee.

But that's not really what coinjoin is supposed to accomplish.

Most gambling sites do off-chain transactions. If you want to mix 10 BTC, you simply deposit. Wait a few days. And then Withdraw. No need to actually gamble or play.

The problem is if you need to exchange the mixed coins, they are tagged as "gambling" coins by such exchanges as coinbase. So you need to bounce them around a few times among your own wallets.

Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
Carlsen
June 10, 2016, 09:00:17 AM
 #660

Quote
Bitcoin gambling sites are entirely functional as (probabilistic) mixers, if you trust the gambling sites.

Wanna mix 10BTC? Just make a hundred 0.1BTC bets at even odds.  50 of them pay out double (minus the house cut) and 50 disappear.  So you get your 10BTC back, minus the house cut, and the house cut in that case is just a mixing fee.

But that's not really what coinjoin is supposed to accomplish.

In this case I would be just too scared to lose 75 or more of my bets.
That would be a relatively high mixing fee. Personally I would not take that risk.
