Bitcoin Forum
Topic: CoinJoin: Bitcoin privacy for the real world
telepatheic
May 18, 2014, 11:03:48 PM
 #481

> It also depresses me somewhat to see people talking about darkcoin (or even zerocoin/zerocash) when bytecoin has a privacy system with much better properties than CoinJoin (it's similar to CJ except you safely join with offline coin holders, and all users are participants), something made possible by the fact that it doesn't have to fit within the existing Bitcoin network, and it's completely practical, reasonably performant and deployed for some time now. But strangely, it's virtually unheard of... Bytecoin's privacy properties are in some sense weaker than zerocoin's— since it's like a supercharged coinjoin— but the cryptography is much stronger and much more efficient, so in practice I'd expect it to have better anonymity just due to it being much more practical (also as evidence to it existing as a deployed system). ... so yea, if you actually are interested in privacy technology in a non-bitcoin system, Bytecoin seems to have pretty much nailed it.

Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!
gmaxwell (OP)
May 19, 2014, 12:54:58 AM
 #482

> Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!

Yea, the Bytecoin/Bytecoin thing caused me to not notice it for a long time.

The cryptographically interesting Bytecoin has a reasonable whitepaper: https://bytecoin.org/old/whitepaper.pdf Some of the things it does appear to be pointless or ill-advised to me and I would have counseled otherwise— but as far as the privacy aspect goes, the ring signature approach appears top notch. The privacy depends on the decisional DH problem, so perhaps you could argue that its privacy has a slightly weaker cryptographic story than the basic discrete log stuff (computational DH) but in the curve they're using it's believed to be equally strong. In any case, anything that has reduced the privacy question to asking about cryptographic assumptions has gone pretty good.

Sorry for the OT tangent here. Though there may be some good bitcoin-relevant privacy things to mine out of the bytecoin design.

anonymousxx1503
May 19, 2014, 10:58:01 PM
 #483

> > Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!
>
> Yea, the Bytecoin/Bytecoin thing caused me to not notice it for a long time.
>
> The cryptographically interesting Bytecoin has a reasonable whitepaper: https://bytecoin.org/old/whitepaper.pdf Some of the things it does appear to be pointless or ill-advised to me and I would have counseled otherwise— but as far as the privacy aspect goes, the ring signature approach appears top notch. The privacy depends on the decisional DH problem, so perhaps you could argue that its privacy has a slightly weaker cryptographic story than the basic discrete log stuff (computational DH) but in the curve they're using it's believed to be equally strong. In any case, anything that has reduced the privacy question to asking about cryptographic assumptions has gone pretty good.
>
> Sorry for the OT tangent here. Though there may be some good bitcoin-relevant privacy things to mine out of the bytecoin design.

It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?

I'd like to thank eduffield and the other developers for this critically important evolution in virtual currency. DarkCoin is what bitcoin should have been. Some might call it "Bitcoin 2.0" but would do better by saying: "DarkCoin is digital cash." - Child Harold - February 28, 2014
https://bitcointalk.org/index.php?topic=421615.msg5424980#msg5424980
gmaxwell (OP)
May 20, 2014, 12:08:03 AM
 #484

> It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?

As hard as it is to believe, people other than me do occasionally have really good ideas. :) ... (No, I'd only heard about it a couple months ago and looked into it in depth until the last week). I think all these altcoins are horribly ill-advised in their altcoinness. You're in the wrong subforum and thread if you want to talk about cryptocurrency speculation— my interest here is just in the techniques— and I'm not going to credit some random code aping fork for other people's work when talking about them.

(In case anyone had the impression that I thought bytecoin was all love and wonder: the implementation is currently really immature and somewhat buggy— and perhaps not likely to improve if its authors are now getting voted off the island in a fork. The POW is very slow to validate, and seems generally ill-advised to me (see https://download.wpsoftware.net/bitcoin/asic-faq.pdf), the adaptive blocksize stuff seems dangerous and the coin burning excuse for it can't work as expected in the long run since miners can get paid out of band, ... but the privacy design is very good, though even there it's incompatible with pruning (but so is everything else). Of course, all these concerns also apply to forks that just aped the code.).
telepatheic
May 20, 2014, 12:34:46 AM
 #485

Looking through the white paper, it seems like ring signatures don't actually sign the bytecoin transactions, they only sign the inputs.

I wonder if anyone with an expertise in ring signatures has reviewed the paper, it's a little out of my comfort zone.
Gyrsur
May 25, 2014, 10:12:30 AM
 #486

> > It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?
>
> As hard as it is to believe, people other than me do occasionally have really good ideas. :) ... (No, I'd only heard about it a couple months ago and looked into it in depth until the last week). I think all these altcoins are horribly ill-advised in their altcoinness. You're in the wrong subforum and thread if you want to talk about cryptocurrency speculation— my interest here is just in the techniques— and I'm not going to credit some random code aping fork for other people's work when talking about them.
>
> (In case anyone had the impression that I thought bytecoin was all love and wonder: the implementation is currently really immature and somewhat buggy— and perhaps not likely to improve if its authors are now getting voted off the island in a fork. The POW is very slow to validate, and seems generally ill-advised to me (see https://download.wpsoftware.net/bitcoin/asic-faq.pdf), the adaptive blocksize stuff seems dangerous and the coin burning excuse for it can't work as expected in the long run since miners can get paid out of band, ... but the privacy design is very good, though even there it's incompatible with pruning (but so is everything else). Of course, all these concerns also apply to forks that just aped the code.).

Did you have the chance to get a look into Darkcoin, too? Thank you!

dewdeded
May 26, 2014, 08:56:13 PM
 #487

http://sharedcoin.com/ is trustless centralized CoinJoin by Greg Maxwell.
Darksend in DarkCoin is decentralized CoinJoin by Evan Duffield.

Haters/FUDers/trolls hate on DarkCoin saying it's insecure because bad actors like Governments could run many Masternodes.

Leads me to the question:

Is decentralized trustless CoinJoin possible?
maaku
May 26, 2014, 10:20:04 PM
Last edit: May 26, 2014, 10:39:42 PM by maaku
 #488

Greg has nothing to do with sharedcoin (and sharedcoin has little to do with coinjoin).

To your question, read the op. This whole thread is a description of how to do decentralized, trustless mixing.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
genjix
May 26, 2014, 10:33:59 PM
 #489

kinda sad darkcoin isn't implementing ring sigs
masternodes are coinjoin servers where miners must pay tax
i'm interested to understand how that differs to federated darkwallet gateways
still, all power to drk... 4th crypto now
dewdeded
May 26, 2014, 10:52:05 PM
 #490

maaku: Thank you very much. SharedCoin is based on what technology then?

All: As it's basically the same: any reasons why DarkCoin's DarkSend is attacked as insecure, but DarkWallet is not?
maaku
May 27, 2014, 12:00:18 AM
 #491

Sharedcoin is a blockchain.info product. You can read about it on their website, but I don't think it was based on any external design, just a mixing service cooked up by one of their engineers.

Darkcoin and darkwallet also have nothing in common either. Despite co-opting the name, darkcoin's darksend doesn't appear to have anything to do with coinjoin. Their description and illustration in their thread shows some sort of centralized mixing service (more akin to sharedcoin), and indeed their distribution mechanism involves a reward for "masternodes" which perform the mixing with these fresh coins. It would be nice if someone from that project could chime in here and explain just what it is trying to accomplish, because the available technical descriptions are scarce and contradictory.

Darkwallet does indeed implement coinjoin, albeit using a centralized matchmaking service to set up the mixes. I have been informed by the developers that this is a temporary mechanism and they are working towards a fully p2p solution. They do not use the blind signing or ring signature mechanisms which are required to scale to more than 2 participants without revealing ownership of outputs.

dewdeded
May 27, 2014, 12:11:58 AM
 #492

Now I am confused.

e.g. on https://darkcointalk.org/threads/coinjoin-in-bitcoin-and-darksend.560/
or http://www.reddit.com/r/DRKCoin/comments/1zlv36/what_does_darkcoin_offer_that_couldnt_be_done/
or some/a lot of other sites they talk about CoinJoin in DarkSend
cbeast
May 27, 2014, 12:15:57 AM
 #493

Showing a brother he is going the wrong way.

https://bitcointalk.org/index.php?topic=626425.msg6959794#msg6959794

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
genjix
May 27, 2014, 11:08:14 AM
 #494

maaku, the mixers are connected through a p2p protocol so anyone can set one up, however I think the idea (according to Peter Todd) is to use the Bitcoin network as a mixnet.
I don't think we can use ring signatures unless bitcoin adopted ed25519... or am I mistaken?
also it can scale >2 participants, because you do multiple rounds (share outputs, share inputs, give signatures).

cbeast, self-censorship is why threat is so effective. the real people who will adopt our tools won't be yuppie students buying coffee at the bar, it will be new digital black markets & we market to them. the tools go beyond mere payments into governance, markets and new forms of association between humans. the effect is deeper. bitcoin is more than a payments innovation despite what others want to make us believe. I'm not shuffling its massive potential under the carpet through fear of retribution and spending my time making Facebook apps.
justusranvier
May 27, 2014, 11:47:24 AM
 #495

Let's see.

I think dark cryptocurrencies are too powerful a tool for our civilization in its current state. Governments must use whatever means necessary to control its development for the safety and security of law-abiding citizens.

The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
Peter Todd
May 27, 2014, 12:11:42 PM
 #496

genjix: Yup. Scaling works out nicely too because the additional CoinJoin traffic will never be more than a small multiple of the existing transaction traffic, so doing all the CoinJoin communication via global broadcast messages is actually reasonable and efficient enough; gives good privacy for that communication. You can also reuse bitcoin age as a limited resource for anti-DoS.

It's not as pretty as more clever crypto, e.g. the zerocash project that I'm also now working with, but has the huge advantage that its flaws are easy to understand and predictable. We want diversity in the level of engineering in the solutions we come up with to solve problems; CoinJoin + zerocash are two totally different approaches, and if one day we can use both we're more likely to actually achieve privacy.

cbeast
May 27, 2014, 07:17:22 PM
 #497

> The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.

At worst it is an exaggerated analogy. The analogy relates to the newness of the technology. Bitcoin is based in math theory and the technology is accessible to all. Just because we have a technology, does that mean everyone should be allowed to use it? Does that go for any technology? How about drug manufacturing? How about explosives? Should anyone be able to do anything they want without restrictions?

genjix
May 27, 2014, 08:12:39 PM
Last edit: May 27, 2014, 08:32:43 PM by genjix
 #498

> > The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
>
> At worst it is an exaggerated analogy. The analogy relates to the newness of the technology. Bitcoin is based in math theory and the technology is accessible to all. Just because we have a technology, does that mean everyone should be allowed to use it? Does that go for any technology? How about drug manufacturing? How about explosives? Should anyone be able to do anything they want without restrictions?

Your morals are not my morals. Who is the decider? Do you support a free and open internet?
And yes, I definitely would like cheap medicinal knock off drugs flooding into the markets, and more kids playing with explosives and becoming scientists. Maybe you want to arrest people who write virus coding tutorials also?

Your mistake is thinking that compliance buys curries you special favour... but at the risk of what? There are bigger things at stake here. Bitcoin is not unmovable code and math, it is consensus. It's imperative we develop this technology, strong, resilient and decentralised. Part of my goal is getting people to think and question things they've held as true. I think we can inspire an ideal through symbolic acts of disobedience, inspiring courage in others to stand with us.

As you demonstrated in your post, the threat is real and here. The world has changed and it's time to adapt, survive and thrive. Either that or go extinct the way of the dinosaurs. And you know what? Maybe that threat you saw was more imagined than you realised. And maybe those threats, just maybe they were paper tigers and fears unfounded. We will always be on the right side of history because we are about humanity. Dynamism, love, art, energy, change, passion, reality, risk, colour, soul.

http://cultureandempire.com/

maaku
May 27, 2014, 08:45:49 PM
 #499

Please stay on topic.

@genjix, I think you misunderstood my point about multiple parties. Without blinding or ring signatures or other crypto magic, it is not possible to have multiple participants where the other participants don't know which outputs correspond with which participants (the exception for 2 users is simply that if there is only one other person participating, then obviously whatever outputs are not yours are his, no matter what fancy crypto is used). This is important because CoinJoin is useful for far more than mere mixing. Joint transactions are also the mechanism by which matching donations or crowdfund campaigns can be organized (see Mike Hearn's Lighthouse app), exchange transactions of colored coin assets can be arranged, and various cross-chain atomic trade protocols. Scaling up these applications to multiple participants without loss of privacy is very important.

genjix
May 27, 2014, 09:54:59 PM
 #500

> Please stay on topic.
>
> @genjix, I think you misunderstood my point about multiple parties. Without blinding or ring signatures or other crypto magic, it is not possible to have multiple participants where the other participants don't know which outputs correspond with which participants (the exception for 2 users is simply that if there is only one other person participating, then obviously whatever outputs are not yours are his, no matter what fancy crypto is used). This is important because CoinJoin is useful for far more than mere mixing. Joint transactions are also the mechanism by which matching donations or crowdfund campaigns can be organized (see Mike Hearn's Lighthouse app), exchange transactions of colored coin assets can be arranged, and various cross-chain atomic trade protocols. Scaling up these applications to multiple participants without loss of privacy is very important.

I think it is.

Here's how we did it in the initial CoinJoin implementation we made.

* There's an anonymous chatroom (pre-negotiated shared secret in public room) accessible over Tor.
* Some dudes submit various outputs.
* Some dudes submit various inputs.
* Server replies back with a tx.
* Some dudes submit valid signatures.

We also did it for fixed units.
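
The round listed in the post above, together with the output-ownership question raised earlier in the thread, modelled as an added example that is not code from the thread or from any project named in it. All names are hypothetical, HMAC stands in for real input signatures, fees are ignored, and the sample amounts are constructed.

```python
import hashlib
import hmac
import json
import secrets
from itertools import permutations

DENOM = 100_000  # fixed unit in satoshis (constructed value)

class Participant:
    def __init__(self, name, value=DENOM):
        self.key = secrets.token_bytes(32)            # stand-in for a private key
        self.txin = (f"{name}-utxo:0", value)         # constructed outpoint label
        self.txout = (f"addr-{secrets.token_hex(8)}", value)  # fresh address

    def sign(self, tx):
        # Sign only if our input is spent AND our own output is paid.
        # This check is what keeps the round trustless toward the server.
        if self.txin not in tx["inputs"] or self.txout not in tx["outputs"]:
            return None
        digest = hashlib.sha256(json.dumps(tx).encode()).digest()
        return hmac.new(self.key, digest, hashlib.sha256).hexdigest()

def build_tx(inputs, outputs):
    # Sorting removes any ordering hint about who submitted what.
    return {"inputs": sorted(inputs), "outputs": sorted(outputs)}

def run_round(participants, redirect_first_output=False):
    """Submit outputs, submit inputs, build the tx, collect signatures."""
    inputs = [p.txin for p in participants]
    outputs = [p.txout for p in participants]
    if redirect_first_output:  # model a server that swaps in its own address
        outputs[0] = ("addr-server", outputs[0][1])
    tx = build_tx(inputs, outputs)
    sigs = [p.sign(tx) for p in participants]
    # The transaction is only valid when every input carries a signature.
    return tx, sigs, all(s is not None for s in sigs)

def consistent_mappings(tx, known=()):
    """Count input->output pairings that fit the amounts and any known pairs.

    This is the ambiguity left by the finished transaction alone: 1 means
    the pairing is fully determined for that observer.
    """
    known = dict(known)
    count = 0
    for perm in permutations(tx["outputs"]):
        pairs = zip(tx["inputs"], perm)
        if all(i[1] == o[1] and known.get(i, o) == o for i, o in pairs):
            count += 1
    return count
```

The counts cover only what the finished transaction reveals: anyone who sees an input and an output arrive over the same channel learns that pair directly, which is the gap that blind signing or anonymous submission is meant to close. Passing unequal amounts to `Participant` drops the count to 1, which is why fixed units matter.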