eduffield (OP)
Legendary
Offline
Activity: 1176
Merit: 1036
Dash Developer
|
|
April 01, 2014, 07:39:53 PM |
|
You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.
That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes. We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this.
No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty. If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%.
I address this in the whitepaper, I propose some users run a script to add entropy to the pools and push transactions through:
Improved Pool Anonymity
Users who want to increase the anonymity of the pools can run scripts to “push” DarkSend transactions through the pool by sending money to themselves with DarkSend. This will allow them to take up a space in the pool to ensure the anonymity of other users. If enough users run scripts like this one, the speed of transactions and the anonymity of the network will be increased.
|
Dash - Digital Cash | dash.org | dashfoundation.io | dashgo.io
|
|
|
rickraw
|
|
April 01, 2014, 07:44:23 PM |
|
Awesome discussion in here today, really enjoying this and beginning to understand DarkSend more clearly now.
|
|
|
|
AnonyMint
|
|
April 01, 2014, 07:46:04 PM |
|
You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.
That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes. We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this.
No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty. If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%.
Ok, gotcha. That could be mitigated in a similar way by the community running scripts to act as inputs to push DS transactions through. I think Evan suggested this a while back.
Can you explain more? I don't understand.
Based on these numbers (despite not factoring in sybil inputs), it seems clear that a high level of anonymity can be achieved by increasing the number of pooling stages to 10+, even if the attacker controls > 50% of nodes.
Depends. Because 50% means that your anonymity set is reduced by 50% on each round as I explained in my other post above.
Example. If you are mixed with 10 others on each round, then only 5 will be anonymous (and one of the five might be you), so that means have 50% + 20% (1 in 5) chance to be non-anonymous. So 70% per round. You will need more rounds or you need larger mix sizes.
Also if it is same 10 you are mixed with every round (or any overlap), then anonymity is reduced. If always same 10 on every round, then you attain no better than 20% non-anonymous no matter how many rounds you use.
Also you have to factor in the non-anonymous rate of Tor and those inputs who didn't use Tor at all are not anonymous. This reduces your anonymity set, even if you use Tor.
|
|
|
|
coins101
Legendary
Offline
Activity: 1456
Merit: 1000
|
|
April 01, 2014, 07:49:11 PM |
|
Why isn't DarkSend default payment option?
|
|
|
|
AnonyMint
|
|
April 01, 2014, 07:57:10 PM |
|
You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.
That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes. We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this.
No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty. If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%.
I address this in the whitepaper, I propose some users run a script to add entropy to the pools and push transactions through:
Improved Pool Anonymity
Users who want to increase the anonymity of the pools can run scripts to “push” DarkSend transactions through the pool by sending money to themselves with DarkSend. This will allow them to take up a space in the pool to ensure the anonymity of other users. If enough users run scripts like this one, the speed of transactions and the anonymity of the network will be increased.
Essentially you are saying that users should send Darksends as much as possible. A script can automate for them.
Potential threat with this (don't know how realistic) is that the more they send deterministically (scripted), then the more incentive to hack them (they are always online) and turn them into a Sybil node. Deterministic is not really same as entropy. If everyone is doing it, then probably not reasonable to hack everyone. But if only a few are doing it, it might be a low hanging fruit attack vector.
Add: they need to not reuse addresses ever.
|
|
|
|
eduffield (OP)
Legendary
Offline
Activity: 1176
Merit: 1036
Dash Developer
|
|
April 01, 2014, 08:02:07 PM |
|
Depends. Because 50% means that your anonymity set is reduced by 50% on each round as I explained in my other post above.
Example. If you are mixed with 10 others on each round, then only 5 will be anonymous (and one of the five might be you), so that means have 50% + 20% (1 in 5) chance to be non-anonymous. So 70% per round. You will need more rounds or you need larger mix sizes.
Also if it is same 10 you are mixed with every round (or any overlap), then anonymity is reduced. If always same 10 on every round, then you attain no better than 20% non-anonymous no matter how many rounds you use.
Also you have to factor in the non-anonymous rate of Tor and those inputs who didn't use Tor at all are not anonymous. This reduces your anonymity set, even if you use Tor.
I believe you've reversed the math, if each round offers a 50% chance of anonymity then five rounds should offer a 0.5^5 of being non-anonymous at the end, a 96.8% chance of remaining anonymous. You must be identified each round for you to be followed through, right?
Also, I don't agree with the numbers for the sybil attack. All other nodes must be sybil in order for them to identify you, otherwise the master node must be compromised. So in each stage one of those 2 conditions is required, which gets increasingly smaller the more rounds you use.
|
|
|
|
AnonyMint
|
|
April 01, 2014, 08:15:54 PM Last edit: April 01, 2014, 09:12:13 PM by AnonyMint |
|
Depends. Because 50% means that your anonymity set is reduced by 50% on each round as I explained in my other post above.
Example. If you are mixed with 10 others on each round, then only 5 will be anonymous (and one of the five might be you), so that means have 50% + 20% (1 in 5) chance to be non-anonymous. So 70% per round. You will need more rounds or you need larger mix sizes.
Also if it is same 10 you are mixed with every round (or any overlap), then anonymity is reduced. If always same 10 on every round, then you attain no better than 20% non-anonymous no matter how many rounds you use.
Also you have to factor in the non-anonymous rate of Tor and those inputs who didn't use Tor at all are not anonymous. This reduces your anonymity set, even if you use Tor.
I believe you've reversed the math, if each round offers a 50% chance of anonymity then five rounds should offer a 0.5^5 of being non-anonymous at the end, a 96.8% chance of remaining anonymous. You must be identified each round for you to be followed through, right?
Let me try again. I am getting very sleepy.
LimLims wrote if 20% non-anonymity for 3 rounds, then adversary needs cube root of .20 or 58.5% adversarial node coverage. I normally do it like this. It would be 80% anonymity over 3 rounds requires 41.5% non-adversarial node coverage, i.e. allows 58.5% adversarial coverage, 0.585 ^ 3 = 0.20.
You can calculate it either way. I prefer your way, but I was following LimLims.
The above is for Sybil attack on nodes. Now I discuss about Sybil attack on the inputs.
My point remains that the size of anonymity set is also a factor (which can be reduced by Sybil and by the adversarial node coverage), not just the adversarial node coverage alone. I am talking about Sybil attack on the inputs not on the nodes.
If there are only 10 inputs to a CoinJoin, then you have a 1 in 10 chance to be identified correct just by random selection. If 5 of the inputs are Sybil, then reduce the non-Sybil to 5, so now 1 in 5 or 20% chance to be identified by random choice.
This might sound silly until you realize that over time people in your mix may be identified and thus the anonymity set reduces over time. The anonymity set size is not irrelevant. Otherwise we could simply mix with one other person every time.
And because the analysis of the adversary might have data such as "I know these 3 outputs are correlated to these 3 inputs". So as overlapping anonymity sets decrease in size, then they can pinpoint identity.
|
|
|
|
apple_talk
Sr. Member
Offline
Activity: 473
Merit: 250
"Proof-of-Asset Protocol"
|
|
April 01, 2014, 08:22:53 PM |
|
noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6 It is not even 0.9.0
seems misleading, is there any update on when we can expect 0.9.0.x core or newer version.
Any response?
|
|
|
|
humanitee
|
|
April 01, 2014, 08:23:26 PM |
|
noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6 It is not even 0.9.0
seems misleading, is there any update on when we can expect 0.9.0.x core or newer version.
Any response?
The beta link is in the DarkSend pdf.
|
|
|
|
|
mahowi
|
|
April 01, 2014, 08:26:41 PM |
|
noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6 It is not even 0.9.0
seems misleading, is there any update on when we can expect 0.9.0.x core or newer version.
Any response?
The beta link is in the DarkSend pdf.
Latest version is v0.9.1.0-unk-beta. ( http://darkcoin.io/downloads/darkcoin-qt.exe as stated in first post)
Beta builds of the wallet can be found here: http://darkcoin.io/beta.php (currently v0.10.0.0-unk-beta)
|
DRK: Xeojbw5gDNtvCbUK7VXaDqfyNU29ahqavB BTC: 1K5hJ1wiRJ9mAWwn9pLzjst18jTa1benHT LTC: LiUgyndo4sibahGEyuw8ymphciaq7tbS9a
|
|
|
apple_talk
Sr. Member
Offline
Activity: 473
Merit: 250
"Proof-of-Asset Protocol"
|
|
April 01, 2014, 08:30:41 PM |
|
noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6 It is not even 0.9.0
seems misleading, is there any update on when we can expect 0.9.0.x core or newer version.
Any response?
The beta link is in the DarkSend pdf.
Beta builds of the wallet can be found here: http://darkcoin.io/beta.php (currently v0.10.0.0-unk-beta)
appreciate, will give that a try.
|
|
|
|
jakecrow
|
|
April 01, 2014, 08:50:42 PM |
|
Been watching all this discussion and I think we're hitting on some really great stuff lately. Anonymint thanks for your contributions (even though you're just a wee bit egotistical), I think they can help push DarkSend to be the best it can be.
|
|
|
|
AnonyMint
|
|
April 01, 2014, 08:51:54 PM Last edit: April 01, 2014, 09:09:23 PM by AnonyMint |
|
Let me try to do a calculation to explain my point.
Let's say adversary has 20% of the master nodes that are randomly chosen to process a Darksend.
Let's say I mix with 10 others on each Darksend. And I never mix with the same user twice.
Let's say adversary Sybil attacks (i.e. provides) 50% of the inputs on each Darksend.
Let's say my adversary is a snooping agency that defeats Tor 20% of the time.
Let's say only 40% of users use Tor. And the snooping agency can see IP addresses 100% of the time when Tor is not used.
So on each round there are 5 non-Sybil inputs, 0.4 x 5 = 2 don't use Tor, and so I have 1 in 3 = 33% chance to be randomly identified from the small anonymity set. But when the adversary doesn't identify me with nodes and Tor, then my anonymity set shrinks by 3 x (0.20 + 0.20) = 1 thus 1 in 2 or 50% chance.
Thus on each Darksend, the adversary has a 0.20 + 0.20 + 0.50 = 90% chance of identifying me.
Thus after 10 Darksends, adversary has a 0.90^10 = 1 in 3 chance of identifying me.
So 1 in 3 of my coins will not be anonymous.
And this does not factor in when I spend 2 or more of my coins together in one transaction (since Darksend requires me to break coins into constant amounts). That further reduces anonymity.
You see that attaining 1 in 1000 anonymity could be difficult with this type of design depending on the capabilities of the adversary.
It is this sort of calculation that made me really not like CoinJoin too much.
|
|
|
|
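The node-coverage and Sybil-input arithmetic from the posts above (1410 Sybil and 1000 non-Sybil master nodes, 20% over 3 rounds, 5 Sybil inputs out of 10, a 1 in 1000 target), as an added Python example that is not part of any post in this thread or of DarkSend itself. It assumes each pooling stage picks a master node uniformly at random, and all function names are made up for illustration.

```python
import math
import random


def chain_all_sybil(sybil, honest, rounds, distinct=False):
    """P(every pooling stage is handled by a Sybil master node).

    distinct=False: a node may be picked again (the f**rounds form used in the thread).
    distinct=True: every stage uses a different node (sampling without replacement).
    """
    total = sybil + honest
    if rounds > total:
        raise ValueError("more rounds than nodes")
    p = 1.0
    for i in range(rounds):
        p *= max(sybil - i, 0) / (total - i) if distinct else sybil / total
    return p


def coverage_needed(trace_prob, rounds):
    """Sybil node fraction needed to own all stages with probability trace_prob."""
    return trace_prob ** (1.0 / rounds)


def rounds_needed(sybil_fraction, target_trace_prob):
    """Fewest stages that push the all-Sybil-chain probability to the target or below."""
    if not 0.0 < sybil_fraction < 1.0:
        raise ValueError("sybil_fraction must be strictly between 0 and 1")
    return math.ceil(math.log(target_trace_prob) / math.log(sybil_fraction))


def guess_probability(inputs, sybil_inputs):
    """Chance of picking one honest input at random once Sybil inputs are discounted."""
    honest_inputs = inputs - sybil_inputs
    if honest_inputs < 1:
        raise ValueError("no honest inputs left in the mix")
    return 1.0 / honest_inputs


def simulate_chain(sybil, honest, rounds, trials=20000, seed=1):
    """Monte Carlo check of chain_all_sybil (with replacement); fixed seed for repeatability."""
    rng = random.Random(seed)
    total = sybil + honest
    hits = 0
    for _ in range(trials):
        # A node index below `sybil` stands for a Sybil master node.
        if all(rng.randrange(total) < sybil for _ in range(rounds)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    f = 1410 / (1410 + 1000)  # node counts quoted in the thread
    print("3 stages, with replacement   :", round(chain_all_sybil(1410, 1000, 3), 4))
    print("3 stages, distinct nodes     :", round(chain_all_sybil(1410, 1000, 3, True), 4))
    print("simulated, 3 stages          :", simulate_chain(1410, 1000, 3))
    print("coverage for 20% over 3      :", round(coverage_needed(0.20, 3), 4))
    print("stages for 1 in 1000 at f    :", rounds_needed(f, 0.001))
    print("guess chance, 10 in / 5 Sybil:", guess_probability(10, 5))
```

The node model and the input model are computed separately here; the sketch does not combine them into a single per-round figure.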
apple_talk
Sr. Member
Offline
Activity: 473
Merit: 250
"Proof-of-Asset Protocol"
|
|
April 01, 2014, 08:52:44 PM |
|
noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6 It is not even 0.9.0
seems misleading, is there any update on when we can expect 0.9.0.x core or newer version.
Any response?
The beta link is in the DarkSend pdf.
Beta builds of the wallet can be found here: http://darkcoin.io/beta.php (currently v0.10.0.0-unk-beta)
appreciate, will give that a try.
I gave that a try, it is running of same core version 0.8.6.
0.9.0 offers new features, which still missing in existing version.
|
|
|
|
eduffield (OP)
Legendary
Offline
Activity: 1176
Merit: 1036
Dash Developer
|
|
April 01, 2014, 08:54:34 PM |
|
there is a 28BTC buy order at cryptsy...fake or not it's amazing
It's me. I'm a huge DarkCoin supporter. I want to own 1% of all DRK and I want to drive the price up.
That's awesome, welcome. That's enough to run a few master nodes and earn fees
|
|
|
|
eduffield (OP)
Legendary
Offline
Activity: 1176
Merit: 1036
Dash Developer
|
|
April 01, 2014, 08:56:25 PM |
|
noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6 It is not even 0.9.0
seems misleading, is there any update on when we can expect 0.9.0.x core or newer version.
Any response?
The beta link is in the DarkSend pdf.
Beta builds of the wallet can be found here: http://darkcoin.io/beta.php (currently v0.10.0.0-unk-beta)
appreciate, will give that a try.
I gave that a try, it is running of same core version 0.8.6.
0.9.0 offers new features, which still missing in existing version.
Where are you seeing the core version? getinfo shows this (I'm on testnet):
{
    "version" : 100000,
    "protocolversion" : 70009,
    "walletversion" : 60000,
    "balance" : 8935.99500000,
    "blocks" : 87,
    "timeoffset" : 0,
    "connections" : 2,
    "proxy" : "",
    "difficulty" : 0.00024414,
    "testnet" : true,
    "keypoololdest" : 1396359040,
    "keypoolsize" : 103,
    "paytxfee" : 0.00000000,
    "mininput" : 0.00001000,
    "errors" : ""
}
|
|
|
|
mahowi
|
|
April 01, 2014, 08:57:15 PM |
|
noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6 It is not even 0.9.0
seems misleading, is there any update on when we can expect 0.9.0.x core or newer version.
Any response?
The beta link is in the DarkSend pdf.
Beta builds of the wallet can be found here: http://darkcoin.io/beta.php (currently v0.10.0.0-unk-beta)
appreciate, will give that a try.
I gave that a try, it is running of same core version 0.8.6.
0.9.0 offers new features, which still missing in existing version.
How do you see it's core version 0.8.6? I'm running the beta and it says:
"version" : 100000, "protocolversion" : 70009, "walletversion" : 60000
BTW: latest version from first post is v0.9.1.
|
|
|
|
apple_talk
Sr. Member
Offline
Activity: 473
Merit: 250
"Proof-of-Asset Protocol"
|
|
April 01, 2014, 09:12:39 PM |
|
noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6 It is not even 0.9.0
seems misleading, is there any update on when we can expect 0.9.0.x core or newer version.
Any response?
The beta link is in the DarkSend pdf.
Beta builds of the wallet can be found here: http://darkcoin.io/beta.php (currently v0.10.0.0-unk-beta)
appreciate, will give that a try.
I gave that a try, it is running of same core version 0.8.6.
0.9.0 offers new features, which still missing in existing version.
How do you see it's core version 0.8.6? I'm running the beta and it says:
"version" : 100000, "protocolversion" : 70009, "walletversion" : 60000
BTW: latest version from first post is v0.9.1.
"version" : 100000 is just a label, but the code it is still running of from fork 0.8.6.
Open up any interface of 0.8.6 core version coins, they all are same, whereas 0.9.0 has many visible features.
Thanks
|
|
|
|
AnonyMint
|
|
April 01, 2014, 09:13:57 PM |
|
You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.
That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes. We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this.
No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty. If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%.
I address this in the whitepaper, I propose some users run a script to add entropy to the pools and push transactions through:
Improved Pool Anonymity
Users who want to increase the anonymity of the pools can run scripts to “push” DarkSend transactions through the pool by sending money to themselves with DarkSend. This will allow them to take up a space in the pool to ensure the anonymity of other users. If enough users run scripts like this one, the speed of transactions and the anonymity of the network will be increased.
Essentially you are saying that users should send Darksends as much as possible. A script can automate for them.
Potential threat with this (don't know how realistic) is that the more they send deterministically (scripted), then the more incentive to hack them (they are always online) and turn them into a Sybil node. Deterministic is not really same as entropy. If everyone is doing it, then probably not reasonable to hack everyone. But if only a few are doing it, it might be a low hanging fruit attack vector.
Add: they need to not reuse addresses ever.
In case I wasn't clear, that Sybil node would be sending Sybil inputs, not a Sybil master node. Then see my prior post on the effect of Sybil inputs on anonymity set size.
|
|
|
|
Minotaur26
Legendary
Offline
Activity: 1092
Merit: 1000
|
|
April 01, 2014, 09:17:33 PM |
|
there is a 28BTC buy order at cryptsy...fake or not it's amazing
It's me. I'm a huge DarkCoin supporter. I want to own 1% of all DRK and I want to drive the price up.
That's awesome, welcome. That's enough to run a few master nodes and earn fees
What does one need to do to run some master nodes? I am interested.
|
|
|
|
|