CoinJoin: Bitcoin privacy for the real world

[Carlton Banks]

Carlton, you don't reuse addresses. That was your mistake.

I don't reuse addresses. I was proposing a hypothetical situation. Greenlisting schemes suppose that everyone will be happy to reuse one address that is linked to a real world identity. Get with the program.

[1714027012]

1714027012

[1714027012]

1714027012

[justusranvier]

Obviously, perfect output indistinguishably is best, but even when the outputs are fully distinguishable (and everywhere in between) there is value too.

Why not right now encourage a standard that will more often result in the superior case?

I'm not particularly thrilled with merely degrading taint calculations when analytic capability is only going to improve over time.

I'm not really sure I follow. From my analysis there is zero benefit to mandating common output sizes across multiple transactions. gmaxwell, am I mistaken?

Consider a hypothetical CoinJoin transaction with several inputs and two outputs, A and B.

Output A is 5.21875 BTC and Output B is 3.4375.

In order for an attacker to break the mixing he must answer the question, "which combination of inputs add up to each output", and that question could likely have only one solution. If there is only one solution, the mixing has no value other than forcing the attacker to spend a bit of CPU power on it.

If the participants in the mix instead choose to only use integer powers of 2, they can break their desired outputs down like this:

Output A can be broken down as follows:
1 x 2²
1 x 2⁰
1 x 2^-3
1 x 2^-4
1 x 2^-5

Output B can be broken down as follows:

1 x 2¹
1 x 2⁰
1 x 2^-2
1 x 2^-3
1 x 2^-4

So now the transaction has 10 outputs: 4 BTC, 1 BTC, 1 BTC, 250 mBTC, 125 mBTC, 125 mBTC, 62.5 mBTC, 62.5 mBTC, 31.25 mBTC.

The odds of finding an unambiguous mapping of inputs to outputs should be far lower in the second case.

[jquinn]

I'm trying to get a fundraiser rolling on reddit.

http://www.reddit.com/r/Bitcoin/comments/1qmhkh/coinjoin_fundraising_drive/

Donated a $100.

[ShadowOfHarbringer]

Apparently people are plotting behind the scenes to put whitelisting, blacklisting and redlisting and other terrible ideas into Bitcoin.

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

[Carlton Banks]

Apparently people are plotting behind the scenes to put whitelisting, blacklisting and redlisting and other terrible ideas into Bitcoin.

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

This assumes that you opt-in to the listing with your real world ID, then obscure the source of your funds with anonymity schemes as you've denoted. But with CoinJoin, this could get you banned from the listings people, and potentially get all the CoinJoiners you collaborated with blacklisted too.

I think the best way is to encourage miners to ban the clean addresses from tx processing. If that doesn't succeed, use or develop another coin.

[ShadowOfHarbringer]

Apparently people are plotting behind the scenes to put whitelisting, blacklisting and redlisting and other terrible ideas into Bitcoin.

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

This assumes that you opt-in to the listing with your real world ID, then obscure the source of your funds with anonymity schemes as you've denoted. But with CoinJoin, this could get you banned from the listings people, and potentially get all the CoinJoiners you collaborated with blacklisted too.

I think the best way is to encourage miners to ban the clean addresses from tx processing. If that doesn't succeed, use or develop another coin.

Another option is to make CoinJoin/CoinSwap really popular. Perhaps make the client suggest mixing like by adding "mix coins with other's users coin" checkbox in the send coins GUI.

This way regulators will have no other way than to accept Bitcoin the way it is - mixed and untraceable.

[dserrano5]

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.

[ShadowOfHarbringer]

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.

Exactly what I am talking about.

We must make coin mixing almost as common as sending them. This way governments will have no choice but face the reality.

[Carlton Banks]

Another option is to make CoinJoin/CoinSwap really popular. Perhaps make the client suggest mixing like by adding "mix coins with other's users coin" checkbox in the send coins GUI.

This way regulators will have no other way than to accept Bitcoin the way it is - mixed and untraceable.

More difficult to popularise anonymising features than it is to find out what colour the biggest miners like their address lists. If they want the lists transparent, instead of red, black blue green or white, then they should prefer to ban any such coloured listed addresses from their transaction inclusions.

Let's push to hit these lists right at their fundamentals, make them undesirable and unusable, not the other way around.

[btc4ever]

Yes.  Mixing must be the norm, not the exception.

If it is the exception, then even the fact that you are engaging in it is suspicious.

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.

Exactly what I am talking about.

We must make coin mixing almost as common as sending them. This way governments will have no choice but face the reality.

[Carlton Banks]

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.

Exactly what I am talking about.

We must make coin mixing almost as common as sending them. This way governments will have no choice but face the reality.

I think there are too many compliant goody goodies out there for this to work. You only have to craft a well thought through smear campaign against anonymising and most people will be too anxious to rebel against it, they will believe the nonsense is true.

There are fewer miners than users, and they are naturally determined risk takers. They are easier to convince of the drawbacks than average users, especially as they have probably got more BTC balance whose long term value and viability they wish to protect.

[dserrano5]

Code:

Key from Pieter (pgp signature to be provided later):

0292782efcb08d621c360d055f407c8e75ffbbd06f6b7009c1432ca9eaa6732592

Oops, seems that a signature was forgotten . I'll donate half a coin to this as soon as the sig is in place!

Please everyone consider donating.

[phillipsjk]

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.

Such coins are not at rest, thus can be stolen by a determined cracker.

[maaku]

Consider a hypothetical CoinJoin transaction with several inputs and two outputs, A and B.

Output A is 5.21875 BTC and Output B is 3.4375.

...

The mixing application described in the OP uses same valued outputs for two reasons: (1) to avoid this sort of identification, and (2) to prevent the facilitator from learning identities through blind signatures. This requires that within a single transaction, the mixed outputs must have the same value denominations (or be divided into groups of same-valued denominations). The hypothetical given is a weaker protocol than the OP.

That said, there is no reason that the common denomination used by one transaction has to match or be a multiple of the common denomination of another - that gains you nothing as far as I can tell.

[justusranvier]

The mixing application described in the OP uses same valued outputs

And I believe that drastically reduces its usefulness.

It's fine as an academic exercise but how people actually use their bitcoins in the real world is considerably more messy. Unless you can handle situations where the users need to mix differing amounts of coins you'll either degrade the mixing to uselessness or else end up with a double coincidence of wants problem where nobody can find suitable partners top mix with.

[jedunnigan]

The mixing application described in the OP uses same valued outputs

And I believe that drastically reduces its usefulness.

It's fine as an academic exercise but how people actually use their bitcoins in the real world is considerably more messy. Unless you can handle situations where the users need to mix differing amounts of coins you'll either degrade the mixing to uselessness or else end up with a double coincidence of wants problem where nobody can find suitable partners top mix with.

Yea, and to that effect there should be a step prior to the CJ where outputs are made uniform.

[Carlton Banks]

The mixing application described in the OP uses same valued outputs

And I believe that drastically reduces its usefulness.

It's fine as an academic exercise but how people actually use their bitcoins in the real world is considerably more messy. Unless you can handle situations where the users need to mix differing amounts of coins you'll either degrade the mixing to uselessness or else end up with a double coincidence of wants problem where nobody can find suitable partners top mix with.

A decentralised approach would provide enough variety so that the number of people who have to compromise would decrease, but I agree that this harms the effectiveness of the anonymity of inputs. It would also be less easy to convince a nosy listing agency that you were settling several hundred payments in a single transaction... especially when several hundred other CoinJoin participants could be making the same claim to the very same transaction to the same agency. It's not possible that you're all the sole originator of the same transaction.

[theymos]

CoinJoin needs to be nicely implemented in Bitcoin-Qt before any of these ridiculous blacklist proposals take off. So for the next 30 days, I will match donations to the CoinJoin bounty fund (3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk), up to a maximum of 5 BTC. Just donate to that address, and in 30 days I'll donate the difference between the current received amount (16.21420773) and the received amount at that time (max 5 BTC).

Edit: Paid 5 BTC.

[Trader Steve]

CoinJoin needs to be nicely implemented in Bitcoin-Qt before any of these ridiculous blacklist proposals take off. So for the next 30 days, I will match donations to the CoinJoin bounty fund (3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk), up to a maximum of 5 BTC. Just donate to that address, and in 30 days I'll donate the difference between the current received amount (16.21420773) and the received amount at that time (max 5 BTC).

Theymos, you rock! I've already donated but you've inspired me to send a little more.

[solex]

theymos, gmaxwell, everyone - excellent project! My donation on the way too...