Bitcoin Forum
December 14, 2024, 11:40:28 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 ... 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 [857] 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 ... 7012 »
  Print  
Author Topic: [ANN][DASH] Dash (dash.org) | First Self-Funding Self-Governing Crypto Currency  (Read 9723728 times)
humanitee
Hero Member
*****
Offline Offline

Activity: 1302
Merit: 502



View Profile
April 30, 2014, 03:15:31 AM
Last edit: April 30, 2014, 03:45:09 AM by humanitee
 #17121

I came up with a way better solution to this issue than my previous idea. Plus it's already supported by DarkSend, I'll just enforce it in RC3

John darksends 2.5 coins from A to C, gets 7.5 back as change on address X, Y, V, Z  (X = 5DRK, Y = 1DRK, V = 1DRK, Z=0.5DRK )
Joe darksends 3 coins from E to G, gets 7 back as change on address W, K, J  (W = 5DRK, K = 1DRK, J = 1DRK)
Suzie darksends 3.5 coins from K to Q, gets 6.5 back as change on address F, G, H  (F = 5DRK, G = 1DRK, H = 0.5DRK)

Change is denominated into units of 5, 1, 0.5, 0.25, 0.1, 0.05, and 0.01 DRK. I'll introduce the precision limitation back again of 0.01DRK. So if you get 7.5 DRK of change back, you'll end up with 5DRK+1DRK+1DRK+0.5DRK.

You could still possible do taint analysis on denominations only used once, but this would be solved with multiple rounds in DarkSend.

I'm taking partial credit for it!  Grin Cheesy

This is similar to what I was trying to achieve with stealth sending, minus the denomination of receiving addresses. Usually users want to send to a pre-existing address, optimally DarkSend would be able to denominate the receiving party's amount as well. Stealth addresses allow you to generate infinitely many addresses from one receiving address. Sadly, the only way to see if you have coins in a stealth address is to have the private keys in memory which destroys cold storage completely. You would not be able to see whether or not someone had sent you coins. Without stealth sending though, the master node would have to issue new addresses which cannot happen for obvious reasons. If someone can think of a way to fully denominate the receiving party's amount it would push the coin into complete darkness. When combined with Evan's I2P implementation Dark would be as anonymous/private as possible.


▄▄▄██████▄▄▄
▄███▀▀▀▀▀████▄▄ █▄▄
▄▄          ▀▀████▄  ██▄
█████▄            ▀█████  ██▄
▄█████████           ▀█████ ███▄
▄█████████▀▀           ▀█████ ███▄
▄███  █████             ▀█████ ████
███  █████                █████ ████
███ █████                  ████  ████
███ █████                ▄████  ████
███ █████                ███████████
▀██ █████▄                █████████
▀██ ██████▄                ▀█████
▀██ ███████                  ▀▀▀
▀██ ██████▄▄                 
▀██ ██████▄▄▄▄▄▄▄▄▄▄▄▄███▀
▀▀ █████████████████▀
▀▀▀██████▀▀▀▀

Fast, Secure, and Fully

DecentralizeTrading
BACKED BY:
─────────────────────────
BINANCE
─────── LAB
&█████████████████████████████████ █  ███
█▀    ▀█  ███▀▀▀▀▀████████  ████▀▀███▀ █
█  █████    ▄▄▄▄▄  █  ▀  █    ███  █  ██
█▄    ▀█  ██       █  ▄███  ██████   ███
█████  █  ██  ███  █  ████  ████  ▄  ███
█▄    ▄█▄  ▄█▄     ▀  ████▄  ▄█   ██  ██
████████████████████████████████████████


  Whitepaper
 Medium
Reddit
Kai Proctor
Hero Member
*****
Offline Offline

Activity: 546
Merit: 500


01100100 01100001 01110011 01101000


View Profile
April 30, 2014, 03:35:25 AM
 #17122

TanteStefana
Full Member
***
Offline Offline

Activity: 280
Merit: 100


The Future Of Work


View Profile
April 30, 2014, 03:37:13 AM
 #17123

Ok, I tried my hand at a flow chart again.  I'm not sure this is accurate, but I think it works this way ??  Cheesy


█ ANN THREAD █
﹝Whitepaper﹞
【BLACKBOX OS】
The Future of Work. Decentralized.
TELEGRAM﹞﹝FACEBOOK
TWITTERYOUTUBE
daddeo
Full Member
***
Offline Offline

Activity: 129
Merit: 100


View Profile
April 30, 2014, 04:05:55 AM
 #17124

Ok, I tried my hand at a flow chart again.  I'm not sure this is accurate, but I think it works this way ??  Cheesy



So in your example, the "change" is also being mixed through several masternodes along with the actual balance of the tx. This, along with further denomination of the "change" before it comes back to your wallet as Evan stated above, would be enough to break the trail?
adaseb
Legendary
*
Offline Offline

Activity: 3878
Merit: 1733


View Profile
April 30, 2014, 04:08:45 AM
 #17125

Anyone know why it takes sgminer 45 minutes to start mining Darkcoin.

I am using XUBUNTO


Each and every time takes 45 mins to start.
Simcom
Sr. Member
****
Offline Offline

Activity: 336
Merit: 250


View Profile
April 30, 2014, 04:12:24 AM
 #17126

I spent a fair amount of time thinking about the discussion with dime, humanitee, luigi1111, camosoul and others yesterday about the anonymity of Darksend.  I suspected that the logic behind darksend as currently implemented was not sound, and I thought it would be best to determine how exactly darksend was working, and do an in-depth analysis of a mixing cycle and the transactions that follow mixing.

...

Best,
Sim

Wow! This is great. About 400+ pages ago I talked about having a different kind of pool for change outputs only. Put in all of your change outputs and you'll get new fresh clean inputs of 10DRK. The client could automatically do this after each darksend, which would also get you new inputs for the next round.

I'm currently embedded in patching stratum and p2pool to support the masternode payments, which is why I haven't been around. It takes a lot of work to make something so different from anything else out there, dare I say, revolutionary?


On second thought, I'm not sure this solves the problem.  My understanding is that you want to accumulate the dirty change in the wallet until it breaches a certain amount (say 10 for example), then it is washed in a "change only" wash with a bunch of "10" transactions.  The problem I see is that even the clean coins could be linked to the original transaction.  Just to explain:

John darksends 2 coins from A to C, gets 8 back as change on address X
a few days later..
John darksends 8 coins from B to D, gets 2 back as change on address Y

Y+X are submitted to the change mixing pool (10 coins), and come out "clean" at address Z.

The problem is that the coins at address Z are not clean really, they are "suspect", they could have possibly participated in any darksends that generated the dirty coins that composed the "change washing" pool.

Now when Johns wants to spend coins from A, B, and Z in the same transaction.

So if John wants to send coins from A+B+Z in one transaction, the fact that Z participated in a pool that contained X and Y is enough to expose A and B as the original participants in the darksend transaction.

Really it leaves us at the same position that we were at previously after the original darksends.

I hope that made sense.

I came up with a way better solution to this issue than my previous idea. Plus it's already supported by DarkSend, I'll just enforce it in RC3

John darksends 2.5 coins from A to C, gets 7.5 back as change on address X, Y, V, Z  (X = 5DRK, Y = 1DRK, V = 1DRK, Z=0.5DRK )
Joe darksends 3 coins from E to G, gets 7 back as change on address W, K, J  (W = 5DRK, K = 1DRK, J = 1DRK)
Suzie darksends 3.5 coins from K to Q, gets 6.5 back as change on address F, G, H  (F = 5DRK, G = 1DRK, H = 0.5DRK)

Change is denominated into units of 5, 1, 0.5, 0.25, 0.1, 0.05, and 0.01 DRK. I'll introduce the precision limitation back again of 0.01DRK. So if you get 7.5 DRK of change back, you'll end up with 5DRK+1DRK+1DRK+0.5DRK.

You could still possible do taint analysis on denominations only used once, but this would be solved with multiple rounds in DarkSend.

Ok, well I think this is a great solution, definitely the best idea proposed so far.  I have spent several hours thinking about ways to break it but I can't seem to come up with an Achilles heel.

A couple suggestions off the top of my head.  I think it would help if there was some randomness added to the way things are denominated. Ie sometimes 1.5 is denomated 1+0.5 - sometimes it is denominated 1+0.25+0.1+0.1+.05 sometimes it is denominated 0.5+0.5+0.5.  This would make it substantially harder to figure out what is going on in the blockchain

My other concern is that whoever gets the biggest amount of change is put in a precarious position.  In the above example this would be John. If John sends X+Y+V+Z+A he is outing A as the sender to C.  Even if John Darksends these coins he is still outing address A. Then once he outs himself, Joe (as the second largest change recipient (7DRK) is at risk of outing himself if he sends (or darksends) W+K+J+E. I suppose this whole scenario is a non-issue if we consider that more than one transaction can be sent into the pool from the same wallet, so it would be impossible to tell for certain who got the most change, as someone could have submitted multiple transactions and received 20,30,40 change coins to the same wallet.  

Seriously though, this is a fantastic solution, I'm relatively certain the logic is sound, and the level of anonymity will be very high. I'll sleep well tonight for sure Cheesy
Simcom
Sr. Member
****
Offline Offline

Activity: 336
Merit: 250


View Profile
April 30, 2014, 04:20:53 AM
Last edit: April 30, 2014, 04:35:51 AM by Simcom
 #17127

I came up with a way better solution to this issue than my previous idea. Plus it's already supported by DarkSend, I'll just enforce it in RC3

John darksends 2.5 coins from A to C, gets 7.5 back as change on address X, Y, V, Z  (X = 5DRK, Y = 1DRK, V = 1DRK, Z=0.5DRK )
Joe darksends 3 coins from E to G, gets 7 back as change on address W, K, J  (W = 5DRK, K = 1DRK, J = 1DRK)
Suzie darksends 3.5 coins from K to Q, gets 6.5 back as change on address F, G, H  (F = 5DRK, G = 1DRK, H = 0.5DRK)

Change is denominated into units of 5, 1, 0.5, 0.25, 0.1, 0.05, and 0.01 DRK. I'll introduce the precision limitation back again of 0.01DRK. So if you get 7.5 DRK of change back, you'll end up with 5DRK+1DRK+1DRK+0.5DRK.

You could still possible do taint analysis on denominations only used once, but this would be solved with multiple rounds in DarkSend.

I'm taking partial credit for it!  Grin Cheesy

This is similar to what I was trying to achieve with stealth sending, minus the denomination of receiving addresses. Usually users want to send to a pre-existing address, optimally DarkSend would be able to denominate the receiving party's amount as well. Stealth addresses allow you to generate infinitely many addresses from one receiving address. Sadly, the only way to see if you have coins in a stealth address is to have the private keys in memory which destroys cold storage completely. You would not be able to see whether or not someone had sent you coins. Without stealth sending though, the master node would have to issue new addresses which cannot happen for obvious reasons. If someone can think of a way to fully denominate the receiving party's amount it would push the coin into complete darkness. When combined with Evan's I2P implementation Dark would be as anonymous/private as possible.

...

I spent a decent amount of time thinking about how to denominate the receiving address as well.  One solution I thought of, is not nearly as fancy as what you describe but sort of works.  You could just have the recipient provide a concatenated list of addresses from his wallet than can be used to do denominate the transaction.  This could be called a "Dark" address or something else equally silly  Grin. and would look something like this:

ABCDEFGHIJK

where each letter represents a different address in the receiving wallet. The "Dark" address would be long as fuck, but it would get the job done - on the blockchain there would be no record of a special "Dark" address ever existing, only the individual addresses, A, B, C etc.
luigi1111
Legendary
*
Offline Offline

Activity: 1105
Merit: 1000



View Profile
April 30, 2014, 04:41:34 AM
 #17128

I spent a fair amount of time thinking about the discussion with dime, humanitee, luigi1111, camosoul and others yesterday about the anonymity of Darksend.  I suspected that the logic behind darksend as currently implemented was not sound, and I thought it would be best to determine how exactly darksend was working, and do an in-depth analysis of a mixing cycle and the transactions that follow mixing.

...

Best,
Sim

Wow! This is great. About 400+ pages ago I talked about having a different kind of pool for change outputs only. Put in all of your change outputs and you'll get new fresh clean inputs of 10DRK. The client could automatically do this after each darksend, which would also get you new inputs for the next round.

I'm currently embedded in patching stratum and p2pool to support the masternode payments, which is why I haven't been around. It takes a lot of work to make something so different from anything else out there, dare I say, revolutionary?


On second thought, I'm not sure this solves the problem.  My understanding is that you want to accumulate the dirty change in the wallet until it breaches a certain amount (say 10 for example), then it is washed in a "change only" wash with a bunch of "10" transactions.  The problem I see is that even the clean coins could be linked to the original transaction.  Just to explain:

John darksends 2 coins from A to C, gets 8 back as change on address X
a few days later..
John darksends 8 coins from B to D, gets 2 back as change on address Y

Y+X are submitted to the change mixing pool (10 coins), and come out "clean" at address Z.

The problem is that the coins at address Z are not clean really, they are "suspect", they could have possibly participated in any darksends that generated the dirty coins that composed the "change washing" pool.

Now when Johns wants to spend coins from A, B, and Z in the same transaction.

So if John wants to send coins from A+B+Z in one transaction, the fact that Z participated in a pool that contained X and Y is enough to expose A and B as the original participants in the darksend transaction.

Really it leaves us at the same position that we were at previously after the original darksends.

I hope that made sense.

I came up with a way better solution to this issue than my previous idea. Plus it's already supported by DarkSend, I'll just enforce it in RC3

John darksends 2.5 coins from A to C, gets 7.5 back as change on address X, Y, V, Z  (X = 5DRK, Y = 1DRK, V = 1DRK, Z=0.5DRK )
Joe darksends 3 coins from E to G, gets 7 back as change on address W, K, J  (W = 5DRK, K = 1DRK, J = 1DRK)
Suzie darksends 3.5 coins from K to Q, gets 6.5 back as change on address F, G, H  (F = 5DRK, G = 1DRK, H = 0.5DRK)

Change is denominated into units of 5, 1, 0.5, 0.25, 0.1, 0.05, and 0.01 DRK. I'll introduce the precision limitation back again of 0.01DRK. So if you get 7.5 DRK of change back, you'll end up with 5DRK+1DRK+1DRK+0.5DRK.

You could still possible do taint analysis on denominations only used once, but this would be solved with multiple rounds in DarkSend.

Ok, well I think this is a great solution, definitely the best idea proposed so far.  I have spent several hours thinking about ways to break it but I can't seem to come up with an Achilles heel.

A couple suggestions off the top of my head.  I think it would help if there was some randomness added to the way things are denominated. Ie sometimes 1.5 is denomated 1+0.5 - sometimes it is denominated 1+0.25+0.1+0.1+.05 sometimes it is denominated 0.5+0.5+0.5.  This would make it substantially harder to figure out what is going on in the blockchain

My other concern is that whoever gets the biggest amount of change is put in a precarious position.  In the above example this would be John. If John sends X+Y+V+Z+A he is outing A as the sender to C.  Even if John Darksends these coins he is still outing address A. Then once he outs himself, Joe (as the second largest change recipient (7DRK) is at risk of outing himself if he sends (or darksends) W+K+J+E. I suppose this whole scenario is a non-issue if we consider that more than one transaction can be sent into the pool from the same wallet, so it would be impossible to tell for certain who got the most change, as someone could have submitted multiple transactions and received 20,30,40 change coins to the same wallet.  

Seriously though, this is a fantastic solution, I'm relatively certain the logic is sound, and the level of anonymity will be very high. I'll sleep well tonight for sure Cheesy

I was in the middle of going through this very logic myself, when I refreshed and saw your post. Smiley

I agree with the basic analysis: this proposed method seems to me to be flawless unless and until the largest change holder sends from all his change addresses associated with a particular DarkSend simultaneously with balance from his "main" address.

I'm still going to have to think about it more, because what if we DON'T consider the last sentence in your 3rd paragraph? Aren't we still *potentially* impacting anonymity?

I'm falling asleep right now, but I can't think of how you could actually secure this if the largest change holder did what you describe above. Even additional mixing wouldn't help as you could just track inputs and outputs all the way back once John did the bad deed.

I guess my point is: there's probably a large chance of additional "noise" being created that would make our potential analysis of John's coins impossible, but what if in a particular case this noise doesn't exist?

Or I'm just tired. Smiley
luigi1111
Legendary
*
Offline Offline

Activity: 1105
Merit: 1000



View Profile
April 30, 2014, 04:44:18 AM
 #17129

I came up with a way better solution to this issue than my previous idea. Plus it's already supported by DarkSend, I'll just enforce it in RC3

John darksends 2.5 coins from A to C, gets 7.5 back as change on address X, Y, V, Z  (X = 5DRK, Y = 1DRK, V = 1DRK, Z=0.5DRK )
Joe darksends 3 coins from E to G, gets 7 back as change on address W, K, J  (W = 5DRK, K = 1DRK, J = 1DRK)
Suzie darksends 3.5 coins from K to Q, gets 6.5 back as change on address F, G, H  (F = 5DRK, G = 1DRK, H = 0.5DRK)

Change is denominated into units of 5, 1, 0.5, 0.25, 0.1, 0.05, and 0.01 DRK. I'll introduce the precision limitation back again of 0.01DRK. So if you get 7.5 DRK of change back, you'll end up with 5DRK+1DRK+1DRK+0.5DRK.

You could still possible do taint analysis on denominations only used once, but this would be solved with multiple rounds in DarkSend.

I'm taking partial credit for it!  Grin Cheesy

This is similar to what I was trying to achieve with stealth sending, minus the denomination of receiving addresses. Usually users want to send to a pre-existing address, optimally DarkSend would be able to denominate the receiving party's amount as well. Stealth addresses allow you to generate infinitely many addresses from one receiving address. Sadly, the only way to see if you have coins in a stealth address is to have the private keys in memory which destroys cold storage completely. You would not be able to see whether or not someone had sent you coins. Without stealth sending though, the master node would have to issue new addresses which cannot happen for obvious reasons. If someone can think of a way to fully denominate the receiving party's amount it would push the coin into complete darkness. When combined with Evan's I2P implementation Dark would be as anonymous/private as possible.



This really is brilliant and completely removes the problems we've been brainstorming about (or I'm just tired again (always have an excuse Wink)). Too bad there's not a practical way of implementing it, right? Right?  Huh
Wh1teKn1ght
Sr. Member
****
Offline Offline

Activity: 339
Merit: 251


View Profile
April 30, 2014, 04:55:00 AM
 #17130

out of curiousity, is there any chance in reducing the block time for 2.5mins? There are alot of coins that have much faster block times now which would lend to be better accepted as a currency for every day purchases in the future.
Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 3000


Terminated.


View Profile WWW
April 30, 2014, 04:55:22 AM
 #17131

this could be good por DRK publicity but not so good if the govt try and make a point to shut DRK down.

I really liked the idea posted a few pages back about using crypto/DRK to move money within and in and out of 3rd world countries.  Getting a piece of the Western Union market would be phenomenal.  They charge a ridiculous fee to send money back and forth and to be able to offer people a simple app that works on (almost) any phone to send funds to family members etc could be huge.

I get so excited by this thread, i truly think Evan is a genius and that DRK will be a revolutionary coin.   Nice work people.
Genius is a too strong word. He i just a developer, a real one. DRK might be one of the top coins, it surely has potential.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
TanteStefana
Full Member
***
Offline Offline

Activity: 280
Merit: 100


The Future Of Work


View Profile
April 30, 2014, 04:57:49 AM
 #17132

This is similar to what I was trying to achieve with stealth sending, minus the denomination of receiving addresses. Usually users want to send to a pre-existing address, optimally DarkSend would be able to denominate the receiving party's amount as well. Stealth addresses allow you to generate infinitely many addresses from one receiving address.

Sadly, the only way to see if you have coins in a stealth address is to have the private keys in memory which destroys cold storage completely. You would not be able to see whether or not someone had sent you coins. Without stealth sending though, the master node would have to issue new addresses which cannot happen for obvious reasons. If someone can think of a way to fully denominate the receiving party's amount it would push the coin into complete darkness. When combined with Evan's I2P implementation Dark would be as anonymous/private as possible.
+1000.

This is the thing.  It already seems to work this way.  I've used DarkSend to send funds to a second wallet via an address1.  When I try to see the balance afterwards of address1, I get 0, but I can see in my wallet that the funds have arrived.  I'm trying to understand what happens so that I can get this flowchart to be correct!

█ ANN THREAD █
﹝Whitepaper﹞
【BLACKBOX OS】
The Future of Work. Decentralized.
TELEGRAM﹞﹝FACEBOOK
TWITTERYOUTUBE
TanteStefana
Full Member
***
Offline Offline

Activity: 280
Merit: 100


The Future Of Work


View Profile
April 30, 2014, 05:02:50 AM
 #17133


So in your example, the "change" is also being mixed through several masternodes along with the actual balance of the tx. This, along with further denomination of the "change" before it comes back to your wallet as Evan stated above, would be enough to break the trail?

Yah, I don't have it right yet... Ugh! I think the layers of Masternodes was to obfuscate the IP address which might be snooped out by a Masternode.  So I'm guessing, the first Masternode can only receive the coin and pass on the instructions to another Masternode, so that no Masternode can have all the information?  Maybe several Masternodes will pass the funds and instructions along so that the possibility of having control of enough Masternodes to retain the information is pretty much nil.  Then the final MasterNode, who can only know the IP address of the last MasterNode, is allowed to "open" the instructions, and sends the amounts to their recipients.

Huh  I'll post another flow chart in a moment which might be how Evan is doing this or going to do this??

█ ANN THREAD █
﹝Whitepaper﹞
【BLACKBOX OS】
The Future of Work. Decentralized.
TELEGRAM﹞﹝FACEBOOK
TWITTERYOUTUBE
Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 3000


Terminated.


View Profile WWW
April 30, 2014, 05:06:31 AM
 #17134

out of curiousity, is there any chance in reducing the block time for 2.5mins? There are alot of coins that have much faster block times now which would lend to be better accepted as a currency for every day purchases in the future.
No. This is wrong and people shouldn't practice it. Bitcoin is fine with 10 minute block as well.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Simcom
Sr. Member
****
Offline Offline

Activity: 336
Merit: 250


View Profile
April 30, 2014, 05:10:46 AM
Last edit: April 30, 2014, 05:56:47 AM by Simcom
 #17135

I spent a fair amount of time thinking about the discussion with dime, humanitee, luigi1111, camosoul and others yesterday about the anonymity of Darksend.  I suspected that the logic behind darksend as currently implemented was not sound, and I thought it would be best to determine how exactly darksend was working, and do an in-depth analysis of a mixing cycle and the transactions that follow mixing.

...

Best,
Sim

Wow! This is great. About 400+ pages ago I talked about having a different kind of pool for change outputs only. Put in all of your change outputs and you'll get new fresh clean inputs of 10DRK. The client could automatically do this after each darksend, which would also get you new inputs for the next round.

I'm currently embedded in patching stratum and p2pool to support the masternode payments, which is why I haven't been around. It takes a lot of work to make something so different from anything else out there, dare I say, revolutionary?


On second thought, I'm not sure this solves the problem.  My understanding is that you want to accumulate the dirty change in the wallet until it breaches a certain amount (say 10 for example), then it is washed in a "change only" wash with a bunch of "10" transactions.  The problem I see is that even the clean coins could be linked to the original transaction.  Just to explain:

John darksends 2 coins from A to C, gets 8 back as change on address X
a few days later..
John darksends 8 coins from B to D, gets 2 back as change on address Y

Y+X are submitted to the change mixing pool (10 coins), and come out "clean" at address Z.

The problem is that the coins at address Z are not clean really, they are "suspect", they could have possibly participated in any darksends that generated the dirty coins that composed the "change washing" pool.

Now when Johns wants to spend coins from A, B, and Z in the same transaction.

So if John wants to send coins from A+B+Z in one transaction, the fact that Z participated in a pool that contained X and Y is enough to expose A and B as the original participants in the darksend transaction.

Really it leaves us at the same position that we were at previously after the original darksends.

I hope that made sense.

I came up with a way better solution to this issue than my previous idea. Plus it's already supported by DarkSend, I'll just enforce it in RC3

John darksends 2.5 coins from A to C, gets 7.5 back as change on address X, Y, V, Z  (X = 5DRK, Y = 1DRK, V = 1DRK, Z=0.5DRK )
Joe darksends 3 coins from E to G, gets 7 back as change on address W, K, J  (W = 5DRK, K = 1DRK, J = 1DRK)
Suzie darksends 3.5 coins from K to Q, gets 6.5 back as change on address F, G, H  (F = 5DRK, G = 1DRK, H = 0.5DRK)

Change is denominated into units of 5, 1, 0.5, 0.25, 0.1, 0.05, and 0.01 DRK. I'll introduce the precision limitation back again of 0.01DRK. So if you get 7.5 DRK of change back, you'll end up with 5DRK+1DRK+1DRK+0.5DRK.

You could still possible do taint analysis on denominations only used once, but this would be solved with multiple rounds in DarkSend.

Ok, well I think this is a great solution, definitely the best idea proposed so far.  I have spent several hours thinking about ways to break it but I can't seem to come up with an Achilles heel.

A couple suggestions off the top of my head.  I think it would help if there was some randomness added to the way things are denominated. Ie sometimes 1.5 is denomated 1+0.5 - sometimes it is denominated 1+0.25+0.1+0.1+.05 sometimes it is denominated 0.5+0.5+0.5.  This would make it substantially harder to figure out what is going on in the blockchain

My other concern is that whoever gets the biggest amount of change is put in a precarious position.  In the above example this would be John. If John sends X+Y+V+Z+A he is outing A as the sender to C.  Even if John Darksends these coins he is still outing address A. Then once he outs himself, Joe (as the second largest change recipient (7DRK) is at risk of outing himself if he sends (or darksends) W+K+J+E. I suppose this whole scenario is a non-issue if we consider that more than one transaction can be sent into the pool from the same wallet, so it would be impossible to tell for certain who got the most change, as someone could have submitted multiple transactions and received 20,30,40 change coins to the same wallet.  

Seriously though, this is a fantastic solution, I'm relatively certain the logic is sound, and the level of anonymity will be very high. I'll sleep well tonight for sure Cheesy

I was in the middle of going through this very logic myself, when I refreshed and saw your post. Smiley

I agree with the basic analysis: this proposed method seems to me to be flawless unless and until the largest change holder sends from all his change addresses associated with a particular DarkSend simultaneously with balance from his "main" address.

I'm still going to have to think about it more, because what if we DON'T consider the last sentence in your 3rd paragraph? Aren't we still *potentially* impacting anonymity?

I'm falling asleep right now, but I can't think of how you could actually secure this if the largest change holder did what you describe above. Even additional mixing wouldn't help as you could just track inputs and outputs all the way back once John did the bad deed.

I guess my point is: there's probably a large chance of additional "noise" being created that would make our potential analysis of John's coins impossible, but what if in a particular case this noise doesn't exist?

Or I'm just tired. Smiley


Yes if it we knew for sure that each 10 coins came from a separate wallet, there would be a big problem with the logic. But because multiple inputs can come from the same wallet and hopefully the denominization will be semi-random, so the logic is sound.  If X+Y+V+Z+A shows up in a darksend, A is not necessarily outed because even though X+Y+V+Z adds up to 7.5 and there was a 2.5 output, it is possible that the Joe&Suzie transactions came from the same wallet and we are actually looking at W+K+G+H+A not X+Y+V+Z+A.  It would be impossible to differentiate between X+Y+V+Z+A and A+W+K+G+H because both of these possible "change" combinations add up to 7.5  Grin  It is quite an eloquent solution actually.

There is still the problem evan mentions: if only one instance of a denomination is present it will be easy to out that person, but this seems like it would be an unlikely event once there are more than 4-5 people participating in the pool. Evan could even completely ablate this problem by coding it so that the darksend mixing won't start until there are at least 2 of every denomination represented.
TanteStefana
Full Member
***
Offline Offline

Activity: 280
Merit: 100


The Future Of Work


View Profile
April 30, 2014, 05:12:21 AM
Last edit: April 30, 2014, 05:27:15 AM by TanteStefana
 #17136

Ok, here is another attempt:



Remember, I'm just trying to put down what I believe Evan is actually doing

█ ANN THREAD █
﹝Whitepaper﹞
【BLACKBOX OS】
The Future of Work. Decentralized.
TELEGRAM﹞﹝FACEBOOK
TWITTERYOUTUBE
TanteStefana
Full Member
***
Offline Offline

Activity: 280
Merit: 100


The Future Of Work


View Profile
April 30, 2014, 05:32:00 AM
 #17137

My head hurts.....  Cheesy  Grin

█ ANN THREAD █
﹝Whitepaper﹞
【BLACKBOX OS】
The Future of Work. Decentralized.
TELEGRAM﹞﹝FACEBOOK
TWITTERYOUTUBE
Simcom
Sr. Member
****
Offline Offline

Activity: 336
Merit: 250


View Profile
April 30, 2014, 05:41:10 AM
 #17138

My head hurts.....  Cheesy  Grin

Your next task is to update the chart with the plans Evan has for RC3 Cheesy 

Denomitated change addresses!  Grin
RoyBtc
Newbie
*
Offline Offline

Activity: 37
Merit: 0


View Profile
April 30, 2014, 05:44:10 AM
 #17139

instresting
aleix
Legendary
*
Offline Offline

Activity: 1789
Merit: 1100



View Profile
April 30, 2014, 05:54:40 AM
 #17140

Dark Wallet article in Wired Magazine:

‘Dark Wallet’ Is About to Make Bitcoin Money Laundering Easier Than Ever

http://www.wired.com/2014/04/dark-wallet/?mbid=social_fb

Pages: « 1 ... 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 [857] 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 ... 7012 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!