CoinJoin: Bitcoin privacy for the real world

[coinft]

theymos, gmaxwell, everyone - excellent project! My donation on the way too...

IMHO we should motivate miners to operate liquid CoinJoin pools and pass all their new block rewards through it. Then integrate CoinJoin in as many clients as possible, for automatic or semi-automatic use. When everything is tainted, nothing is, and all list operators will look pretty stupid.

It's in the best interest of miners that bitcoins remain fungible long term, but some short sighted individual miners might object to getting slightly tainted coins. This could be offset by a small fee paid by CoinJoin users, and shared between pools and miners.

[oakpacific]

theymos, gmaxwell, everyone - excellent project! My donation on the way too...

IMHO we should motivate miners to operate liquid CoinJoin pools and pass all their new block rewards through it. Then integrate CoinJoin in as many clients as possible, for automatic or semi-automatic use. When everything is tainted, nothing is, and all list operators will look pretty stupid.

It's in the best interest of miners that bitcoins remain fungible long term, but some short sighted individual miners might object to getting slightly tainted coins. This could be offset by a small fee paid by CoinJoin users, and shared between pools and miners.

I tend to think that Coinjoin pools should be like Tor flashproxies, ephemeral, ad-hoc and untrackable.

[CIYAM]

Have sent some BTC and would be more than happy to set up a project on CIYAM Open for this (free of charge for its lifetime of course).

[westkybitcoins]

Consider a hypothetical CoinJoin transaction with several inputs and two outputs, A and B.

Output A is 5.21875 BTC and Output B is 3.4375.

In order for an attacker to break the mixing he must answer the question, "which combination of inputs add up to each output", and that question could likely have only one solution. If there is only one solution, the mixing has no value other than forcing the attacker to spend a bit of CPU power on it.

If the participants in the mix instead choose to only use integer powers of 2, they can break their desired outputs down like this:

Output A can be broken down as follows:
1 x 2²
1 x 2⁰
1 x 2^-3
1 x 2^-4
1 x 2^-5

Output B can be broken down as follows:

1 x 2¹
1 x 2⁰
1 x 2^-2
1 x 2^-3
1 x 2^-4

So now the transaction has 10 outputs: 4 BTC, 1 BTC, 1 BTC, 250 mBTC, 125 mBTC, 125 mBTC, 62.5 mBTC, 62.5 mBTC, 31.25 mBTC.

The odds of finding an unambiguous mapping of inputs to outputs should be far lower in the second case.

Hmm. It might simplify things by "approximating" powers of 2: 1, 2, 5, 10, 25, 50, 100, 250, 500, etc. Similarly, 0.5, 0.2, 0.1, 0.05, 0.02, 0.01, etc.

The downside is there's somewhat more risk of analysis matching inputs to outputs, but I would think the increased risk is very slight.

Among the benefits is that the math is simpler, allowing other ideas to be easily implemented (such as a cutoff value: everything under 0.000x BTC is lumped into one output. If a small, random transaction fee is also included, this avoids dust outputs but is still resistant to analysis.)

For example, your above outputs, after removing small transactions fees, might break down to

 A) 5.21872289 (prior output after removing a randomized 0.00002711 txn fee) =
  5 + 0.2 + 0.01 + 0.005 + 0.002 + 0.001 + 0.0005 + 0.0002 + 0.0002289 BTC

 B) 3.43742991 (prior output after removing a randomized 0.00007039 txn fee) =
  2 + 1 + 0.2 + 0.2 + .02 + 0.01 + 0.005 + 0.002 + 0.0002 + 0.0002 + 0.00002991 BTC

Almost all of the privacy, and the coins are less noticeable (as opposed to values like 0.03125 BTC) even just sitting in the wallet. And this would be a much better result too for those of us managing coins in paper wallets who need to determine how many change addresses to grab to spend X bitcoins.

Just a thought.

[justusranvier]

Among the benefits is that the math is simpler, allowing other ideas to be easily implemented (such as a cutoff value: everything under 0.000x BTC is lumped into one output. If a small, random transaction fee is also included, this avoids dust outputs but is still resistant to analysis.)

If outputs are in the form of Xⁿ, then you can easily implement a cutoff by specifying a minimum value for n. Leftovers just get added to the transaction fee.

I really don't care if there is a recommended standard of X=2, or X=5, or if an explicit negotiation step is added to the protocol to choose a value for X, just as long as there's some way to do it that actually gets implemented.

[dserrano5]

CoinJoin needs to be nicely implemented in Bitcoin-Qt before any of these ridiculous blacklist proposals take off. So for the next 30 days, I will match donations to the CoinJoin bounty fund (3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk), up to a maximum of 5 BTC.

Way to go!

I'm upping my offer from 0.50 to 0.75 but please tell Pieter to sign his pubkey in the second message of this thread.

Thank you!

[NewLiberty]

interesting...

[phelix]

CoinJoin needs to be nicely implemented in Bitcoin-Qt before any of these ridiculous blacklist proposals take off. So for the next 30 days, I will match donations to the CoinJoin bounty fund (3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk), up to a maximum of 5 BTC. Just donate to that address, and in 30 days I'll donate the difference between the current received amount (16.21420773) and the received amount at that time (max 5 BTC).

Cool.

[Arksun]

Ok so most of this goes way over my head of understanding, so can someone just tell me. Using such a system as this, if I make a payment to an address, does the receiver still see my address as the address the payment came from, or do they receive the correct amount of Bitcoins, but from some other unknown address?

[Hawkix]

CoinJoin is like collecting 20 of 100 USD bills into a hat and then passing the hat to another group of 20 people, each one takes its 100 USD bill. Noone knows who gives you which bill.

[Anon136]

theymos you rock! here is some more donation for you to generously match

transaction id: a2ce643656a516784dbb32547408831226b3fc737552377cfd64cc8066fff850

[Arksun]

CoinJoin is like collecting 20 of 100 USD bills into a hat and then passing the hat to another group of 20 people, each one takes its 100 USD bill. Noone knows who gives you which bill.

Ah ok, so this would basically be useless for any kind of eCommerce, or paying in restaurant with bitcoins etc because they wouldn't know who paid for it.  I sincerely hope this would then be an optional way of transferring rather than a replacement right?, otherwise it would pretty much destroy Bitcoin as a means for paying for goods.

[jl2012]

CoinJoin is like collecting 20 of 100 USD bills into a hat and then passing the hat to another group of 20 people, each one takes its 100 USD bill. Noone knows who gives you which bill.

Ah ok, so this would basically be useless for any kind of eCommerce, or paying in restaurant with bitcoins etc because they wouldn't know who paid for it.  I sincerely hope this would then be an optional way of transferring rather than a replacement right?, otherwise it would pretty much destroy Bitcoin as a means for paying for goods.

The merchant doesn't need to know who paid because every time they issue a bill they use a brand new address. Forget address reuse

[jquinn]

Even if you can't afford to donate BTC, anyone who has a reddit account can help out by upvoting and commenting on this fundraising drive I posted:

http://www.reddit.com/r/Bitcoin/comments/1qmhkh/coinjoin_fundraising_drive/

If we can get this onto the front page of r/bitcoin I think we could get some decent coin.

Also, I'm getting a report of a problem sending coin to the address. I originally tried to use the reddit bitcoin tip bot to send it, but kept getting rejected. I eventually just used Coinbase. Now someone is commenting saying that bitcoin tip bot, Mt. Gox, and even Armory all rejected their attempts to send coin.

Here is the Armory error: "You have entered 1 invalid addresses. The errors have been highlighted on the entry screen."

Does anyone have any idea why that would be happening?

EDIT: The commenter just posted the Mt Gox error: "This address is not on the right network"

[Peter Todd]

Does anyone have any idea why that would be happening?

EDIT: The commenter just posted the Mt Gox error: "This address is not on the right network"

Armory and Mt Gox, and all bitcoinj-derived wallets, don't support P2SH addresses yet. Electrum does support P2SH, and so does Bitcoin-QT.

P2SH was added about two years ago - about time wallets upgrade...

[maaku]

Ah ok, so this would basically be useless for any kind of eCommerce, or paying in restaurant with bitcoins etc because they wouldn't know who paid for it.  I sincerely hope this would then be an optional way of transferring rather than a replacement right?, otherwise it would pretty much destroy Bitcoin as a means for paying for goods.

No, you have a misunderstanding of how bitcoin works. There is no "from" address. A merchant knows when they've been paid because they receive payment to a one-time-use address they generated specifically for the transaction. The way this would work in CoinJoin is that you pretend that you are mixing X coins, where X is the amount that you are paying the merchant, and then use the key id provided by the merchant for your blinded output.

And yes, this is a PURELY higher-level protocol that makes no changes to how bitcoin currently operates.

[justusranvier]

Does anyone have any idea why that would be happening?

EDIT: The commenter just posted the Mt Gox error: "This address is not on the right network"

Armory and Mt Gox, and all bitcoinj-derived wallets, don't support P2SH addresses yet. Electrum does support P2SH, and so does Bitcoin-QT.

P2SH was added about two years ago - about time wallets upgrade...

Armory will get P2SH "soon", at least: https://github.com/etotheipi/BitcoinArmory/issues/127

[BigJohn]

This does sound great. But I'm not sure I understand how this helps the Blacklist/Whitelist issue. If TPTB still make some kind of Whitelist where merchants are only allowed to accept coins from certain "white" addresses, what does something like CoinJoin offer against that?

[solex]

This does sound great. But I'm not sure I understand how this helps the Blacklist/Whitelist issue. If TPTB still make some kind of Whitelist where merchants are only allowed to accept coins from certain "white" addresses, what does something like CoinJoin offer against that?

Address re-use is being actively discouraged now. Once this becomes the norm then whitelists will be irrelevant.

[BigJohn]

In what way is it being discouraged? Is it anything beyond informing people that it's bad practice? I'd like to see some anti-address-reuse measure become baseline, maybe even in the protocol itself if possible. Does CoinJoin have anything to do with address reuse then?