CoinJoin: Bitcoin privacy for the real world

[smoothie]

Couldn't you just use poloniex to get monero bought with BTC, then send it to yourself with a mixin of 5 or 100 or whatever you choose, then convert it with XMR.to back to BTC?

[1498666065]

1498666065

[1498666065]

1498666065

[1498666065]

1498666065

[1498666065]

1498666065

[1498666065]

1498666065

[1498666065]

1498666065

[PantminerS7]

Somebody please "CoinJoin for Dummies".

Basically, you join payments together to 'anonymize' coins, while trading coins for other coins to make proving someones ownership of a specific coin harder.

Using Joinmarket as an example;
There are makers and takers in the Joinmarket network. Makers run a script that offers their coin for coinjoin transactions in exchange for a small fee. They sit around on the network, looking for a taker who needs coins mixed.

Takers, on the other hand, pay the makers to trade coins with them. Takers will come into Joinmarket announcing that they want to mix a certain amount of coins. Eventually a maker will accept his offer, and the maker and taker (and possibly more parties) all make one big Bitcoin transaction with lots of outputs to different addresses.

Joinmarket is just one of many ways a coinjoin can happen, but this should give you the general idea. 

The whole taker-maker process aims to mix the coins for the takers and the makers, making it harder to tell who owns which coins after the coinjoin-transaction. It will be hard to tell who now owns each output, if someone owns several outputs etc., which is the end goal of the transaction.

Users can run this process as many times as they like, the assumption being that more coinjoin transactions = better privacy.

[Equilux]

Somebody please "CoinJoin for Dummies".

Basically, you join payments together to 'anonymize' coins, while trading coins for other coins to make proving someones ownership of a specific coin harder.

Using Joinmarket as an example;
There are makers and takers in the Joinmarket network. Makers run a script that offers their coin for coinjoin transactions in exchange for a small fee. They sit around on the network, looking for a taker who needs coins mixed.

Takers, on the other hand, pay the makers to trade coins with them. Takers will come into Joinmarket announcing that they want to mix a certain amount of coins. Eventually a maker will accept his offer, and the maker and taker (and possibly more parties) all make one big Bitcoin transaction with lots of outputs to different addresses.

Joinmarket is just one of many ways a coinjoin can happen, but this should give you the general idea. 

The whole taker-maker process aims to mix the coins for the takers and the makers, making it harder to tell who owns which coins after the coinjoin-transaction. It will be hard to tell who now owns each output, if someone owns several outputs etc., which is the end goal of the transaction.

Users can run this process as many times as they like, the assumption being that more coinjoin transactions = better privacy.

Great post man, thanks! Makes me appreciate more what a cool idea this is.

[Dabs]

Couldn't you just use poloniex to get monero bought with BTC, then send it to yourself with a mixin of 5 or 100 or whatever you choose, then convert it with XMR.to back to BTC?

That's centralized and you lose control of your coins even if temporarily. Coin Join allows for mixing without ever giving out your coins or control of them.

Any exchange or gambling site or online wallet will do what you suggest. You just have to trust them to be online long enough for you to withdraw, and/or not get hacked, shutdown, or whatever.

I've actually seen a few people deposit to my site, wait a few days (when I "join" all deposits to the cold wallet), then withdraw, without ever playing. Works the same way. But now their coins are "tainted", so don't go try going to coinbase directly from any gambling site. Our wallets are all tagged.

[PantminerS7]

Somebody please "CoinJoin for Dummies".

Snip

Great post man, thanks! Makes me appreciate more what a cool idea this is.

If you like the idea and concept, I encourage you to download the blockchain and get your own Joinmarket-maker script running. Estimates are that the avg. maker gets about a 1% annual increase in their coin. All you need is a computer that can run the script and bitcoind.

You can get the private keys for your addresses, so you are actually in control of your coins the entire time, unlike all other similar services I've seen.

In addition, you'll get that good feeling of supporting both the bitcoin network and Joinmarket!

[dooglus]

Great post man, thanks! Makes me appreciate more what a cool idea this is.

Here's an actual example of a CoinJoin transaction (click link for blockchain.info link):



There were 3 people involved in the transaction. There are 6 outputs, 2 per person. 3 of the outputs (coloured yellow) are for the exact same amount. It's impossible to know which of these three yellow outputs belongs to which of the 3 people just from looking at this transaction. The other 3 outputs are change amounts. We can easily tie the change outputs to the inputs, which I did by using the coloured arrows.

The guy who spent 82 BTC got back a yellow 70 BTC and 12 BTC of change - indicated by the blue arrow.
The guy who spent 171 BTC got back a yellow 70 BTC and 101 BTC of change - indicated by the orange arrow.
All the other inputs came from the 3rd guy, and he got back a yellow 70 BTC and 41 BTC of change - indicated by all the red lines.

Hopefully that makes it clearer. It's the yellow outputs that have been anonymised by this transaction, not the inputs or the change outputs.

[Dabs]

There were 3 people involved in the transaction.

Hopefully that makes it clearer. It's the yellow outputs that have been anonymised by this transaction, not the inputs or the change outputs.

In that particular example, wouldn't it be more anonymous to just have 6 outputs of 61.04976087 BTC? (That's the total amount less tx fees divided by 6, or 3 yellows and 3 change outputs of all exactly the same amount).

That way, even the "change" outputs can no longer be tied to the three people.

[PantminerS7]

There were 3 people involved in the transaction.

Hopefully that makes it clearer. It's the yellow outputs that have been anonymised by this transaction, not the inputs or the change outputs.

In that particular example, wouldn't it be more anonymous to just have 6 outputs of 61.04976087 BTC? (That's the total amount less tx fees divided by 6, or 3 yellows and 3 change outputs of all exactly the same amount).

That way, even the "change" outputs can no longer be tied to the three people.

Sure, it's possible. With a lot of coinjoin services, you can split the amount over several addresses. This is encouraged by some of them, and it should theoretically be better for privacy.

[Kevin29]

Nice

[dooglus]

In that particular example, wouldn't it be more anonymous to just have 6 outputs of 61.04976087 BTC? (That's the total amount less tx fees divided by 6, or 3 yellows and 3 change outputs of all exactly the same amount).

That way, even the "change" outputs can no longer be tied to the three people.

The three people contributed different amounts to the transaction, so they get different amounts of change.

The person paying for the transaction (the 'taker' in JoinMarket terminology) decides the amount of the yellow outputs, and the other two people (the 'makers') go along with that. It's only the yellow amount which is to be considered 'joined'.

Note that we could figure out which of the three people was the taker by summing the inputs and outputs of each colour. We'll find that two of the thee made a small profit on this transaction (the makers) and one took a loss (the taker).

If the maker had wanted to mix his whole wallet in this transaction he could done so. He must have only needed 70 BTC mixed at this time, for whatever reason.

Also, try following the yellow outputs - you'll see that all three of them went on to further coinjoin transactions for different amounts.

[dserrano5]

Are there any easy, straightforward instructions to use joinmarket? Blockchain's shared coin was easy.

Check their thread. There's an electrum plugin under development that, although needs a bit of care at install time, it seems to work (read "worked for me") with a couple of mouse clicks.

[Cryddit]

Getting different amounts of change though doesn't have to mean that one is traceable.

Picture the same set of inputs, but a set of outputs all denominated in 30BTC, 10BTC, 3BTC, 0.1BTC, O.03BTC, etc.  Up to whatever set of denominations you can make at least ten each of and down to whatever denomination people are willing to give up as a mixer fee to enhance their anonymity.

Now some participants get more of one denomination, some participants get more of a different denomination, but with ten of each denomination there will always be a way to split up whatever amounts among three participants, and there's no way for an eavesdropper or block chain snoop to know which is whose.  They can't even use the number of each denomination issued as a guide to what particular amounts were paid out. 

[dooglus]

Picture the same set of inputs, but a set of outputs all denominated in 30BTC, 10BTC, 3BTC, 0.1BTC, O.03BTC, etc.

I like the idea of using powers of 2 as the change amounts. That way any amount can be created by using at most one of each size of change.

[belcher]

Change can be linked if later on the blockchain, change outputs are re-combined with inputs even if they use standard output sizes. That's why JoinMarket has so-called mixing depths which help stop that happening.

The downside of standard output sizes is that it may damage the divisibility of the currency, and also its bad for scalability because it greatly increases the number of outputs. I decided not to implement it in JoinMarket, but it's a tradeoff question so there's no obvious answer really.

A somewhat related idea is this one: https://github.com/JoinMarket-Org/joinmarket/issues/229

[smoothie]

Couldn't you just use poloniex to get monero bought with BTC, then send it to yourself with a mixin of 5 or 100 or whatever you choose, then convert it with XMR.to back to BTC?

That's centralized and you lose control of your coins even if temporarily. Coin Join allows for mixing without ever giving out your coins or control of them.

Any exchange or gambling site or online wallet will do what you suggest. You just have to trust them to be online long enough for you to withdraw, and/or not get hacked, shutdown, or whatever.

I've actually seen a few people deposit to my site, wait a few days (when I "join" all deposits to the cold wallet), then withdraw, without ever playing. Works the same way. But now their coins are "tainted", so don't go try going to coinbase directly from any gambling site. Our wallets are all tagged.

I'm speaking in terms of privacy. What's to stop someone from being all the "other people" in coin join transaction?

Essentially being Sybil attacked in terms of traceability.

The topic was privacy Not security.

The issue you bring up comes back to, how did you acquire the bitcoins you want to "wash" in the first place if you didn't mine them?

Pretty sure there was a "not being in control" aspect to the acquisition of the Bitcoin you are trying to use in a coin join Transaction. Kind of goes against what you just said in terms of centralization and security of your coins.

Concerning your comment about your bitcoins being tagged.
That cannot easily be done in monero due to its protocol based fungibility via ring signatures.

[Cryddit]

Picture the same set of inputs, but a set of outputs all denominated in 30BTC, 10BTC, 3BTC, 0.1BTC, O.03BTC, etc.

I like the idea of using powers of 2 as the change amounts. That way any amount can be created by using at most one of each size of change.

WRONG plan! 

You want at least ten outputs of each denomination you're creating. 

The whole idea of standardizing denominations is for txOuts to be indistinguishable.  The only one of a given denomination created in a transaction is VERY distinguishable from all other outputs.

[dooglus]

Picture the same set of inputs, but a set of outputs all denominated in 30BTC, 10BTC, 3BTC, 0.1BTC, O.03BTC, etc.

I like the idea of using powers of 2 as the change amounts. That way any amount can be created by using at most one of each size of change.

WRONG plan! 

You want at least ten outputs of each denomination you're creating. 

The whole idea of standardizing denominations is for txOuts to be indistinguishable.  The only one of a given denomination created in a transaction is VERY distinguishable from all other outputs.

At most one of each size goes to each participant. Each output goes to a different address.

[Cryddit]

At most one of each size goes to each participant. Each output goes to a different address.

Exactly.  And the people figuring out who got what *KNOW* that at most one of each size went to each participant.  That's why we don't do that.

[Dabs]

Summary: Get a hundred participants to send to a thousand addresses the exact same amount. Miner gets the change/fee.

If there is a maker/taker/website/bot that takes a fee, it could be part of the participant list.

This is going to be a headache, but I'm sure software can figure it out.

[dwgscale11]

Why was Sharedcoin (I'm assuming it utilized CoinJoin?) removed from blockchain.info?  Does CoinJoin exist anymore? (Not JoinMarket) It was super easy to use as it was built into the send of the online wallet on blockchain.info.