CoinJoin: Bitcoin privacy for the real world

[dooglus]

In that particular example, wouldn't it be more anonymous to just have 6 outputs of 61.04976087 BTC? (That's the total amount less tx fees divided by 6, or 3 yellows and 3 change outputs of all exactly the same amount).

That way, even the "change" outputs can no longer be tied to the three people.

The three people contributed different amounts to the transaction, so they get different amounts of change.

The person paying for the transaction (the 'taker' in JoinMarket terminology) decides the amount of the yellow outputs, and the other two people (the 'makers') go along with that. It's only the yellow amount which is to be considered 'joined'.

Note that we could figure out which of the three people was the taker by summing the inputs and outputs of each colour. We'll find that two of the thee made a small profit on this transaction (the makers) and one took a loss (the taker).

If the maker had wanted to mix his whole wallet in this transaction he could done so. He must have only needed 70 BTC mixed at this time, for whatever reason.

Also, try following the yellow outputs - you'll see that all three of them went on to further coinjoin transactions for different amounts.

[1593901537]

1593901537

[1593901537]

1593901537

[1593901537]

1593901537

[dserrano5]

Are there any easy, straightforward instructions to use joinmarket? Blockchain's shared coin was easy.

Check their thread. There's an electrum plugin under development that, although needs a bit of care at install time, it seems to work (read "worked for me") with a couple of mouse clicks.

[Cryddit]

Getting different amounts of change though doesn't have to mean that one is traceable.

Picture the same set of inputs, but a set of outputs all denominated in 30BTC, 10BTC, 3BTC, 0.1BTC, O.03BTC, etc.  Up to whatever set of denominations you can make at least ten each of and down to whatever denomination people are willing to give up as a mixer fee to enhance their anonymity.

Now some participants get more of one denomination, some participants get more of a different denomination, but with ten of each denomination there will always be a way to split up whatever amounts among three participants, and there's no way for an eavesdropper or block chain snoop to know which is whose.  They can't even use the number of each denomination issued as a guide to what particular amounts were paid out. 

[dooglus]

Picture the same set of inputs, but a set of outputs all denominated in 30BTC, 10BTC, 3BTC, 0.1BTC, O.03BTC, etc.

I like the idea of using powers of 2 as the change amounts. That way any amount can be created by using at most one of each size of change.

[belcher]

Change can be linked if later on the blockchain, change outputs are re-combined with inputs even if they use standard output sizes. That's why JoinMarket has so-called mixing depths which help stop that happening.

The downside of standard output sizes is that it may damage the divisibility of the currency, and also its bad for scalability because it greatly increases the number of outputs. I decided not to implement it in JoinMarket, but it's a tradeoff question so there's no obvious answer really.

A somewhat related idea is this one: https://github.com/JoinMarket-Org/joinmarket/issues/229

[smoothie]

Couldn't you just use poloniex to get monero bought with BTC, then send it to yourself with a mixin of 5 or 100 or whatever you choose, then convert it with XMR.to back to BTC?

That's centralized and you lose control of your coins even if temporarily. Coin Join allows for mixing without ever giving out your coins or control of them.

Any exchange or gambling site or online wallet will do what you suggest. You just have to trust them to be online long enough for you to withdraw, and/or not get hacked, shutdown, or whatever.

I've actually seen a few people deposit to my site, wait a few days (when I "join" all deposits to the cold wallet), then withdraw, without ever playing. Works the same way. But now their coins are "tainted", so don't go try going to coinbase directly from any gambling site. Our wallets are all tagged.

I'm speaking in terms of privacy. What's to stop someone from being all the "other people" in coin join transaction?

Essentially being Sybil attacked in terms of traceability.

The topic was privacy Not security.

The issue you bring up comes back to, how did you acquire the bitcoins you want to "wash" in the first place if you didn't mine them?

Pretty sure there was a "not being in control" aspect to the acquisition of the Bitcoin you are trying to use in a coin join Transaction. Kind of goes against what you just said in terms of centralization and security of your coins.

Concerning your comment about your bitcoins being tagged.
That cannot easily be done in monero due to its protocol based fungibility via ring signatures.

[Cryddit]

Picture the same set of inputs, but a set of outputs all denominated in 30BTC, 10BTC, 3BTC, 0.1BTC, O.03BTC, etc.

I like the idea of using powers of 2 as the change amounts. That way any amount can be created by using at most one of each size of change.

WRONG plan! 

You want at least ten outputs of each denomination you're creating. 

The whole idea of standardizing denominations is for txOuts to be indistinguishable.  The only one of a given denomination created in a transaction is VERY distinguishable from all other outputs.

[dooglus]

Picture the same set of inputs, but a set of outputs all denominated in 30BTC, 10BTC, 3BTC, 0.1BTC, O.03BTC, etc.

I like the idea of using powers of 2 as the change amounts. That way any amount can be created by using at most one of each size of change.

WRONG plan! 

You want at least ten outputs of each denomination you're creating. 

The whole idea of standardizing denominations is for txOuts to be indistinguishable.  The only one of a given denomination created in a transaction is VERY distinguishable from all other outputs.

At most one of each size goes to each participant. Each output goes to a different address.

[Cryddit]

At most one of each size goes to each participant. Each output goes to a different address.

Exactly.  And the people figuring out who got what *KNOW* that at most one of each size went to each participant.  That's why we don't do that.

[Dabs]

Summary: Get a hundred participants to send to a thousand addresses the exact same amount. Miner gets the change/fee.

If there is a maker/taker/website/bot that takes a fee, it could be part of the participant list.

This is going to be a headache, but I'm sure software can figure it out.

[dwgscale11]

Why was Sharedcoin (I'm assuming it utilized CoinJoin?) removed from blockchain.info?  Does CoinJoin exist anymore? (Not JoinMarket) It was super easy to use as it was built into the send of the online wallet on blockchain.info.

[Dabs]

Uh, ShareCoin was a service or feature of blockchain. It wasn't exactly a CoinJoin implementation. JoinMarket does CoinJoin, but I understand why you'd want an easier method.

Which leads me to ask: What qualifies for the bounty? There's 42 BTC up for grabs on the bounty multi-sig address, but JoinMarket doesn't seem to qualify, or maybe it's not considered "practical" enough.

If I make a website that looks like, for example, shapeshift, and you see that you can send coins there, and every hour there is a CoinJoin transaction (even if internal to the site), does that count? Or any form of centralization doesn't count?

See, for CoinJoin to really work the way it was intended, everyone that participates in a CoinJoin transaction needs to be all online and they all need to sign. Perhaps what they're looking for is some Windows Bitcoin Core Qt wallet type that includes a tick box for [X] CoinJoin, then it would automatically look for others.

[dwgscale11]

Uh, ShareCoin was a service or feature of blockchain. It wasn't exactly a CoinJoin implementation. JoinMarket does CoinJoin, but I understand why you'd want an easier method.

Which leads me to ask: What qualifies for the bounty? There's 42 BTC up for grabs on the bounty multi-sig address, but JoinMarket doesn't seem to qualify, or maybe it's not considered "practical" enough.

If I make a website that looks like, for example, shapeshift, and you see that you can send coins there, and every hour there is a CoinJoin transaction (even if internal to the site), does that count? Or any form of centralization doesn't count?

See, for CoinJoin to really work the way it was intended, everyone that participates in a CoinJoin transaction needs to be all online and they all need to sign. Perhaps what they're looking for is some Windows Bitcoin Core Qt wallet type that includes a tick box for [X] CoinJoin, then it would automatically look for others.

I'm curious as to WHY it was a service that is no longer?  Who shut it down?  Is the code still out there?

[u15776]

Great post man, thanks! Makes me appreciate more what a cool idea this is.

Here's an actual example of a CoinJoin transaction (click link for blockchain.info link):

http://i.imgur.com/Osuydri.png

There were 3 people involved in the transaction. There are 6 outputs, 2 per person. 3 of the outputs (coloured yellow) are for the exact same amount. It's impossible to know which of these three yellow outputs belongs to which of the 3 people just from looking at this transaction. The other 3 outputs are change amounts. We can easily tie the change outputs to the inputs, which I did by using the coloured arrows.

The guy who spent 82 BTC got back a yellow 70 BTC and 12 BTC of change - indicated by the blue arrow.
The guy who spent 171 BTC got back a yellow 70 BTC and 101 BTC of change - indicated by the orange arrow.
All the other inputs came from the 3rd guy, and he got back a yellow 70 BTC and 41 BTC of change - indicated by all the red lines.

Hopefully that makes it clearer. It's the yellow outputs that have been anonymised by this transaction, not the inputs or the change outputs.

Cool, I first thought that inputs are sent to another bitcoin address and from there to the outputs. But, this seems not to be the case. Is CoinJoin a smart contract or a dAPP as with Ethereum?

[687_2]

The bounty is still available, and it's pretty significant now:

https://blockchain.info/address/3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk

[gmaxwell]

In order to further incentivize work in this space there is now a multisignature escrow bounty fund:
   3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk

Just a note in case anyone was watching the address: three weeks back the outputs to this address were consolidated in order to take advantage of low fees on the network and to simplify sweeps of further bitcoin spinoffs (as signing for 65 inputs is a bit of a burden); the consolidated funds were moved back to the same address, minus a nominal amount of fee (about 2sat/byte).

[Dabs]

There's a bunch of new tech out there, some with fantasy names or Harry Potter themes, and some alt wallets that have a built in "obfuscation" button but I don't know if they do CoinJoin or not. As well as Huffle Puffle and other funny sounding ones, also Dark Send, Shared Send, Dark Wallet, Stealth Wallet, Dark Chocolate?

Maybe an altcoin that has masternodes that does CoinJoins of bitcoins ...

None of those qualify for the bounty?

[wintercooled]

Hi All,

Adam Ficsor (@nopara73) and Myself are currently trying to test an implementation of a Chaumian CoinJoin mixer and client wallet using the ZeroLink framework and HiddenWallet. https://github.com/nopara73/ZeroLink

We are aiming for 100 participants in the first scale testnet test and any participation would be appreciated. The mix is ongoing and currently we have about half the required anonymity set to conclude our test. To participate you basically have to download binaries (or compile from source), get some testnet coins, move them into a bech32 address in HiddenWallet and join the mix.

Many thanks to those that than can help.

A guide to participating in the test:

https://github.com/nopara73/HiddenWallet/blob/master/HiddenWallet.Documentation/TestingTheZeroLinkMixer.md

[RobertNykanen]

Yes, the facilitator gains no extra information about the transaction than is observable from the outside, if blind signing is used

[alex6464]

Gmaxwell and his bitcoin devs should realise that the IRS has already mapped out all significant bitcoin addresses to social security numbers, whilst they debate the alpha tech of ring sigs but yet are doing nothing to fix the privacy issue