Bitcoin Forum
Author Topic: [ANN][DASH] Dash (dash.org) | First Self-Funding Self-Governing Crypto Currency  (Read 9722549 times)
TanteStefana
March 19, 2014, 04:28:37 PM
 #9581

BTW, the DarkCoin clone, Hirocoin...... a lot of people over there are excited by the fact that it uses X11, and its low power usage.

Clearly a big selling point over here also, but they seem to be doing a good job at marketing the X11.  I see X11 written around the place a lot more than here.  Just a thought Smiley... As it seems that X11 is getting a decent amount of attention now.

I'm the developer of Hirocoin and I want to help position X11 as the next home of GPU miners. I remember what the GPU miners moving from SHA-256 to Scrypt did for Scrypt based coins like Litecoin. There will come a point where Scrypt ASICs are common and GPU miners will need to move on. Making X11 the standard to move to will be huge news for Darkcoin and Hirocoin. Plus it will bring better tools for our coins.

By the way, Hirocoin is more of a Litecoin clone that uses X11. Darkcoin offers anonymity and unique difficulty handling where Hirocoin is your conventional offering but done well. Check GitHub for the thorough work that went into it.

Launching Hirocoin helps solidify X11's place in crypto. If Darkcoin is the sole user of X11 it will not get the traction it needs. Darkcoin is successful and I plan to make Hirocoin successful too; this will bring more attention to X11 and more coins using this solution. Now is the time to push Evan's X11 to secure long term success for Darkcoin.

I don't understand why X-11 has to be "solidified"?

TanteStefana
March 19, 2014, 04:34:42 PM
 #9582


EDIT: I have removed the bit where I say Hirocoin is conventional compared to Darkcoin. I hope this improves the situation for you.


Oh, I don't think you have to worry about us dear  Grin

lixxy
March 19, 2014, 04:39:42 PM
 #9583

Should update the original post mentioning moolah. Darkcoin is accepted there. It is primarily a store front for people, and you can pay in whatever coin you like (that is accepted) and moolah transfers it for the merchant. They will also have a fiat/DRK exchange. That is big news imo.

Also, I have a question, what are the biggest pools for DRK?
TanteStefana
March 19, 2014, 04:39:57 PM
 #9584


I'd also tip on temps or voltage. I got an i5 2500K at 4600 MHz with an alpenföhn cooler running at 70-80 degrees, the case is very well cooled.
On the other hand, why not get a linux distro and try it there? Dualboot is installed in like 15 minutes, if it's not working there you know it's the cpu.


I want an alpenföhn cooler!  Just for the name!

(sorry, my silly side coming out again, that sounds so silly to the ear, rofl, like Farfegnugen, LOL. (I'm first generation German, no offence, really aber es ist lustig)

TanteStefana
March 19, 2014, 04:41:47 PM
 #9585

After much thought....I decided not to buy one of these and instead focus on Darkcoin mining. But it is very tempting.



EDIT - this summer will be dominated by ASICs for scrypt. Expect more GPU miners on Darkcoin.

Actually, that should really benefit us, though the difficulty will rise exponentially, it will really distribute the coin!

TanteStefana
March 19, 2014, 04:50:33 PM
 #9586

Quote
Also, someone slap me if I'm way off base here, but if the difficulty keeps going up, doesn't that imply that more people are mining it, increasing the net hash rate? That hardly sounds like spiraling into oblivion.

PROFITABILITY is going into oblivion.

Quote
which is much better when it is stable

look at the chart I posted. it has been going down since day 1. where is the stability on that chart. Look at the god damn image.

http://postimg.org/image/kylsqtkm1

probably a good long term investment but horrible for daily miner-dumpers like me.

That's such a warped zoomed in section of an oddly spread out chart.  If you look at a more normal chart, like this one, over time, yes there has been a downward trend, but it's not a big one in the scheme of things, and it's pretty darn flat after the C-cex incident:

https://coinmarketcap.com/drk_30.html

So, whatever.  To me it shows incredible stability compared to most others:

Maxcoin: https://coinmarketcap.com/max_30.html

AuroraCoin: https://coinmarketcap.com/btc_30.html

Peercoin: https://coinmarketcap.com/ppc_30.html

DogeCoin: https://coinmarketcap.com/doge_30.html

Even Bitcoin has been more volatile, by a lot!  https://coinmarketcap.com/btc_30.html

Hell, we're the only stable coin out there!  and practically brand new!

HammerHedd
March 19, 2014, 04:57:05 PM
 #9587

Quote
Also, someone slap me if I'm way off base here, but if the difficulty keeps going up, doesn't that imply that more people are mining it, increasing the net hash rate? That hardly sounds like spiraling into oblivion.

PROFITABILITY is going into oblivion.

Quote
which is much better when it is stable

look at the chart I posted. it has been going down since day 1. where is the stability on that chart. Look at the god damn image.

http://postimg.org/image/kylsqtkm1

probably a good long term investment but horrible for daily miner-dumpers like me.

First, the image is oddly cropped, with no axes explaining what is being shown... That certainly doesn't look like any chart I've seen recently with darkcoin's value.

Second, yes, it probably does suck for miner/dumpers - or speculators, if you prefer that term. I can understand that. I'm not currently investing to make a quick profit, I'm investing in the infrastructure, because I can see where the coin is going. So yes, oblivion for speculators, but stability for us long term supporters. You have read the signs correctly.

DRK: XepkHLT2MYTXSFDc2muiGeA9eRzG6ytpSy       P2Pool: stratum+tcp://darkcoin.kicks-ass.net:7903
BTC: 1LVE3pFpAhSrHbiK5hAUWDeVrB5UrPXRkJ                    http://darkcoin.kicks-ass.net
TanteStefana
March 19, 2014, 04:57:24 PM
 #9588


Yes these are valid points to consider. But, instead of sitting back and waiting for merchants to accept Darkcoin we should bring Darkcoin to them. We can do this very easily if someone has experience coding and is willing to put in a little work.

1. We can create a wordpress Darkcoin plugin for Woocommerce or Commerce Wordpress themed checkouts. (Similar to what Bitcoin has). If this existed it would drive a lot of merchants to use Darkcoin.

2. We can create a stand-alone API payment plugin for standard merchant sites that do not use Wordpress or Woocommerce.

Does anyone have experience doing this kind of stuff that would want to take this on? Maybe there can be a bounty set for this by the person who controls the promotion fund.

Great idea.  Aside from cheerleading, I'm pretty much dead weight to this community, LOL, but wish I could do this!  Perhaps this is what LimLims should replace the "new mining pool" bounty with?

nextgencoin
March 19, 2014, 05:01:47 PM
 #9589

I have kind of a bombshell here. I got a friend who has a friend working at the investment company mentioned in this article (Ribbit Capital). My buddy has heard they are investing steadily in Bitcoin. But here's the big one. There is massive interest in Darkcoin due to its anonymity and they are planning on dropping serious money on buying the coin. I actually heard about this last week but now I see the article I know it's true.

I have no idea how much this could move the price, but I'm guessing a lot!!!

http://www.ihavebitcoins.com/featured/major-bitcoin-action-anticipated-pantera-joining-forces-fortress-benchmark-ribbit/
eltito
March 19, 2014, 05:09:29 PM
 #9590

I have kind of a bombshell here. I got a friend who has a friend working at the investment company mentioned in this article (Ribbit Capital). My buddy has heard they are investing steadily in Bitcoin. But here's the big one. There is massive interest in Darkcoin due to its anonymity and they are planning on dropping serious money on buying the coin. I actually heard about this last week but now I see the article I know it's true.

I have no idea how much this could move the price, but I'm guessing a lot!!!

http://www.ihavebitcoins.com/featured/major-bitcoin-action-anticipated-pantera-joining-forces-fortress-benchmark-ribbit/

If true it's not surprising.  My assumption has been that serious speculators large and small (who are aware of DRK) are waiting for darksend to be properly vetted.
Cryddit
March 19, 2014, 05:17:25 PM
 #9591

It seems to me that with the current darksend/denominate implementation it is dangerous to just dump the change from a darksend back into the wallet and use it with the rest of the balance. See the following chart for an example:




If the above diagram is how Darksend works, then I have identified an easily-corrected flaw.

The reverse of the above situation -- in which the Darksend itself "denominates" its outputs -- is simpler and more secure.  Everybody can see whose coins are going into the Darksend, denominated or not, because everybody can see the blockchain.  Denominating them doesn't really help all that much.  

Darksends are examples of the knapsack problem.  Denominating the coins allows the solution to the knapsack problem of the Darksend to be non-trivial.  IE, you can't break it into distinct subproblems because the inputs are equal-sized. So the number of possible solutions is guaranteed to be at least as large as the number of inputs.  But it doesn't guarantee that the solution is Hard, because different size outputs still leak partitioning information.  Worse, the partitioning information can be combined with other information at a later time, to associate the partitions with the inputs, potentially resulting in a unique solution.  Which would mean successfully tracing all the coins through the Darksend.

As an example of what I'm talking about, let's say Alice puts a 10-coin input into the Darksend, along with Bob and Carol and Dave.  And the outputs are 1, 2, 3, 4, 6, 7, 8, and 9 coins.  40 total in, 40 total out.  (I'm ignoring fees for the moment; bear with me). Now Eve, looking at the blockchain, doesn't know who got which coins.   But she knows that the same person who controlled where the 1 went also controlled where the 9 went.  She knows that the same person who controlled the 2 also controlled the 8.  She knows that the same person who controlled the 3 also controlled the 7.  And she knows that the same person who controlled the 4 also controlled the 6.  Because no other combination adds up to everybody controlling the same amount they put in as an input.  There are other ways to make 10 -- for example, 7,2,1 or 6,3,1.  But Eve knows that nobody got those combinations of outputs because that would mean that somebody else didn't get 10.  

This is "partition information" -- there are relatively few solutions to which outputs went together, even if you don't know who controlled which set.  Maybe there are multiple solutions, especially if two or more parties asked for the same denominations of outputs.  But you'll usually find surprisingly few solutions to the partitioning problem.  Additional information can come from later spends and eliminate subsets of the solution space.  A surprisingly small number of spends later, Eve will have the information to reconstruct the Darksend transaction and trace the movement of coins through it.

In order to guarantee that the solution to the Darksend is Hard, it is necessary for it to produce equal-sized outputs.  With equal-sized outputs there is no partitioning information to be had, so a later spend can't provide any new information about the movement of other coins through the Darksend.  

Consider a Darksend where Alice, Bob, Carol, and Dave all put in a single 10 coin input.  It produces a dozen 3.33 coin outputs.  Now, Eve knows that each participant got 3 outputs.  But even if she later associates one of the outputs with an 'Alice' transaction, that doesn't give her any new information about which of the *OTHER* outputs Alice has, or spent, nor allow her to eliminate any possibilities as to which outputs Bob, Carol, and Dave have, or spent.  The partitioning problem is Hard, and remains Hard.

This remains true even if Alice, Bob, Carol, and Dave all put in undenominated inputs that total up to exactly 10 coins each.  Security here is in equality of the amount input, not in the size of the individual txins. Remember, Eve already knows who's putting in which inputs, denominated or not.  As long as each participant puts in a like amount, and the outputs are identically-sized, Eve has no information about the disposition of coins after the send.  

Anyway, my point here is that you can make the problem Hard by doing it the other way round.  Use the Darksend to denominate the coins into equal-size outputs that all come back to you, but then spend those outputs (along with NO OTHER OUTPUTS, not even outputs from other Darksends) in regular transactions, and those regular transactions will be conditionally untraceable. To make them completely untraceable, you don't spend the change from those transactions either; gather the change together until you have a 'denomination-worth' of input, send that into another Darksend, and get a new set of outputs.
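
Added example (not part of any post in this thread, and not Darksend code): a brute-force check of the partition argument in post #9591. It counts how many ways a mix's outputs can be grouped so that every participant gets back the same total, and lists the output pairs that share an owner in every such grouping. Amounts are constructed integer units (333 stands in for the 3.33-coin outputs), the "repeated denominations" case is constructed, and the function names are hypothetical.

```python
from itertools import combinations


def partitions(outputs, target):
    """Yield every split of `outputs` into unlabelled groups summing to `target`.

    Outputs are identified by index, so two outputs of equal value remain
    distinct coins. Amounts are assumed to be positive integers.
    """
    def rec(remaining):
        if not remaining:
            yield []
            return
        # The lowest remaining index must belong to some group; fixing it
        # as that group's first member lists each partition exactly once.
        first, rest = remaining[0], remaining[1:]
        need = target - outputs[first]
        if need < 0:
            return
        for size in range(len(rest) + 1):
            for combo in combinations(rest, size):
                if sum(outputs[i] for i in combo) != need:
                    continue
                left = [i for i in rest if i not in combo]
                for tail in rec(left):
                    yield [(first,) + combo] + tail

    yield from rec(list(range(len(outputs))))


def leakage(outputs, target):
    """Return (number of consistent partitions, value pairs linked in all of them).

    A pair is "forced" when the two outputs land in the same group in every
    consistent partition: an observer who attributes one of them to a
    participant can attribute the other with certainty.
    """
    count, forced = 0, None
    for part in partitions(outputs, target):
        count += 1
        pairs = {frozenset(p) for group in part for p in combinations(group, 2)}
        forced = pairs if forced is None else forced & pairs
    links = sorted(tuple(sorted(outputs[i] for i in p)) for p in (forced or ()))
    return count, links


# Constructed inputs: four participants, each putting in the same total.
CASES = {
    "unequal outputs (the post's 1..9 example)": ([1, 2, 3, 4, 6, 7, 8, 9], 10),
    "repeated denominations": ([1, 9, 1, 9, 5, 5, 5, 5], 10),
    "twelve equal outputs": ([333] * 12, 999),
}

if __name__ == "__main__":
    for name, (outs, target) in CASES.items():
        count, links = leakage(outs, target)
        print(f"{name}: {count} partition(s), forced links {links}")
```

The unequal case has a single consistent grouping with every output tied to a partner, while the equal-output case leaves thousands of groupings and no pair that is linked in all of them.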
anonymousxx1503
March 19, 2014, 05:21:34 PM
 #9592

It seems to me that with the current darksend/denominate implementation it is dangerous to just dump the change from a darksend back into the wallet and use it with the rest of the balance. See the following chart for an example:




If the above diagram is how Darksend works, then I have identified an easily-corrected flaw.

The reverse of the above situation -- in which the Darksend itself "denominates" its outputs -- is simpler and more secure.  Everybody can see whose coins are going into the Darksend, denominated or not, because everybody can see the blockchain.  Denominating them doesn't really help all that much.  

Darksends are examples of the knapsack problem.  Denominating the coins allows the solution to the knapsack problem of the Darksend to be non-trivial.  IE, you can't break it into distinct subproblems because the inputs are equal-sized. So the number of possible solutions is guaranteed to be at least as large as the number of inputs.  But it doesn't guarantee that the solution is Hard, because different size outputs still leak partitioning information.  Worse, the partitioning information can be combined with other information at a later time, to associate the partitions with the inputs, potentially resulting in a unique solution.  Which would mean successfully tracing all the coins through the Darksend.

As an example of what I'm talking about, let's say Alice puts a 10-coin input into the Darksend, along with Bob and Carol and Dave.  And the outputs are 1, 2, 3, 4, 6, 7, 8, and 9 coins.  40 total in, 40 total out.  (I'm ignoring fees for the moment; bear with me). Now Eve, looking at the blockchain, doesn't know who got which coins.   But she knows that the same person who controlled where the 1 went also controlled where the 9 went.  She knows that the same person who controlled the 2 also controlled the 8.  She knows that the same person who controlled the 3 also controlled the 7.  And she knows that the same person who controlled the 4 also controlled the 6.  Because no other combination adds up to everybody controlling the same amount they put in as an input.  There are other ways to make 10 -- for example, 7,2,1 or 6,3,1.  But Eve knows that nobody got those combinations of outputs because that would mean that somebody else didn't get 10.  

This is "partition information" -- there are relatively few solutions to which outputs went together, even if you don't know who controlled which set.  Maybe there are multiple solutions, especially if two or more parties asked for the same denominations of outputs.  But you'll usually find surprisingly few solutions to the partitioning problem.  Additional information can come from later spends and eliminate subsets of the solution space.  A surprisingly small number of spends later, Eve will have the information to reconstruct the Darksend transaction and trace the movement of coins through it.

In order to guarantee that the solution to the Darksend is Hard, it is necessary for it to produce equal-sized outputs.  With equal-sized outputs there is no partitioning information to be had, so a later spend can't provide any new information about the movement of other coins through the Darksend.  

Consider a Darksend where Alice, Bob, Carol, and Dave all put in a single 10 coin input.  It produces a dozen 3.33 coin outputs.  Now, Eve knows that each participant got 3 outputs.  But even if she later associates one of the outputs with an 'Alice' transaction, that doesn't give her any new information about which of the *OTHER* outputs Alice has, or spent, nor allow her to eliminate any possibilities as to which outputs Bob, Carol, and Dave have, or spent.  The partitioning problem is Hard, and remains Hard.

This remains true even if Alice, Bob, Carol, and Dave all put in undenominated inputs that total up to exactly 10 coins each.  Security here is in equality of the amount input, not in the size of the individual txins. Remember, Eve already knows who's putting in which inputs, denominated or not.  As long as each participant puts in a like amount, and the outputs are identically-sized, Eve has no information about the disposition of coins after the send.  

Anyway, my point here is that you can make the problem Hard by doing it the other way round.  Use the Darksend to denominate the coins into equal-size outputs that all come back to you, but then spend those outputs (along with NO OTHER OUTPUTS, not even outputs from other Darksends) in regular transactions, and those regular transactions will be conditionally untraceable. To make them completely untraceable, you don't spend the change from those transactions either; gather the change together until you have a 'denomination-worth' of input, send that into another Darksend, and get a new set of outputs.

This is not how darksend works, it was someone who made a suggestion.

on another note

CRYPTSY STILL HASN'T FIXED DUST TRANSACTIONS THAT ARE DRIVING DOWN THE PRICE OF DARKCOIN ARTIFICIALLY

I'd like to thank eduffield and the other developers for this critically important evolution in virtual currency. DarkCoin is what bitcoin should have been. Some might call it "Bitcoin 2.0" but would do better by saying: "DarkCoin is digital cash." - Child Harold - February 28, 2014
https://bitcointalk.org/index.php?topic=421615.msg5424980#msg5424980
humanitee
March 19, 2014, 05:42:44 PM
Last edit: March 19, 2014, 05:55:13 PM by humanitee
 #9593

If the above diagram is how Darksend works, then I have identified an easily-corrected flaw.

The reverse of the above situation -- in which the Darksend itself "denominates" its outputs -- is simpler and more secure.  Everybody can see whose coins are going into the Darksend, denominated or not, because everybody can see the blockchain.  Denominating them doesn't really help all that much.  

Darksends are examples of the knapsack problem.  Denominating the coins allows the solution to the knapsack problem of the Darksend to be non-trivial.  IE, you can't break it into distinct subproblems because the inputs are equal-sized. So the number of possible solutions is guaranteed to be at least as large as the number of inputs.  But it doesn't guarantee that the solution is Hard, because different size outputs still leak partitioning information.  Worse, the partitioning information can be combined with other information at a later time, to associate the partitions with the inputs, potentially resulting in a unique solution.  Which would mean successfully tracing all the coins through the Darksend.

As an example of what I'm talking about, let's say Alice puts a 10-coin input into the Darksend, along with Bob and Carol and Dave.  And the outputs are 1, 2, 3, 4, 6, 7, 8, and 9 coins.  40 total in, 40 total out.  (I'm ignoring fees for the moment; bear with me). Now Eve, looking at the blockchain, doesn't know who got which coins.   But she knows that the same person who controlled where the 1 went also controlled where the 9 went.  She knows that the same person who controlled the 2 also controlled the 8.  She knows that the same person who controlled the 3 also controlled the 7.  And she knows that the same person who controlled the 4 also controlled the 6.  Because no other combination adds up to everybody controlling the same amount they put in as an input.  There are other ways to make 10 -- for example, 7,2,1 or 6,3,1.  But Eve knows that nobody got those combinations of outputs because that would mean that somebody else didn't get 10.  

This is "partition information" -- there are relatively few solutions to which outputs went together, even if you don't know who controlled which set.  Maybe there are multiple solutions, especially if two or more parties asked for the same denominations of outputs.  But you'll usually find surprisingly few solutions to the partitioning problem.  Additional information can come from later spends and eliminate subsets of the solution space.  A surprisingly small number of spends later, Eve will have the information to reconstruct the Darksend transaction and trace the movement of coins through it.

In order to guarantee that the solution to the Darksend is Hard, it is necessary for it to produce equal-sized outputs.  With equal-sized outputs there is no partitioning information to be had, so a later spend can't provide any new information about the movement of other coins through the Darksend.  

Consider a Darksend where Alice, Bob, Carol, and Dave all put in a single 10 coin input.  It produces a dozen 3.33 coin outputs.  Now, Eve knows that each participant got 3 outputs.  But even if she later associates one of the outputs with an 'Alice' transaction, that doesn't give her any new information about which of the *OTHER* outputs Alice has, or spent, nor allow her to eliminate any possibilities as to which outputs Bob, Carol, and Dave have, or spent.  The partitioning problem is Hard, and remains Hard.

This remains true even if Alice, Bob, Carol, and Dave all put in undenominated inputs that total up to exactly 10 coins each.  Security here is in equality of the amount input, not in the size of the individual txins. Remember, Eve already knows who's putting in which inputs, denominated or not.  As long as each participant puts in a like amount, and the outputs are identically-sized, Eve has no information about the disposition of coins after the send.  

Anyway, my point here is that you can make the problem Hard by doing it the other way round.  Use the Darksend to denominate the coins into equal-size outputs that all come back to you, but then spend those outputs (along with NO OTHER OUTPUTS, not even outputs from other Darksends) in regular transactions, and those regular transactions will be conditionally untraceable. To make them completely untraceable, you don't spend the change from those transactions either; gather the change together until you have a 'denomination-worth' of input, send that into another Darksend, and get a new set of outputs.

This is not how darksend works, it was someone who made a suggestion.

on another note

CRYPTSY STILL HASN'T FIXED DUST TRANSACTIONS THAT ARE DRIVING DOWN THE PRICE OF DARKCOIN ARTIFICIALLY


Actually this is exactly how DarkSend works. The same implications that drove Cryddit to make that beautiful, detailed post are the same reasons why I made this post yesterday:


I had an idea so I created a diagram for it. I think it would help further obfuscate amounts being sent using DarkSend. Furthermore, the amounts would already be denominated for future DarkSends.




I hadn't thought of that before, very interesting idea.

Consider it! I think it makes Dark the most anonymous coin by a longshot. Pretty much complete anonymity. With DarkSend you have plausible deniability, but the ability to assemble transaction history via amount matching makes it a binary search tree (mostly, assuming people aren't sending to more than one address, as most users will do) that can still be somewhat traced (becoming increasingly hard to track further back in the transaction history). This implementation destroys that ability completely.


edit:
If you wanted you could bake the functionality into the clients themselves. They could generate the addresses and do the denominating, passing that information to the master node as regular transactions - as you do now. I see in the whitepaper that you have the clients check with the master node before signing to verify no funny business, so this angle might be easier to implement on top of your pre-existing code. The master node would just need to verify that all outputs were denominated amounts, until the amount was below the lowest denomination.

jl777
March 19, 2014, 05:49:17 PM
 #9594

Quote
without encryption, a determined attacker can extract at least partial information from every darksend. Even with encryption you still have to worry about timing attacks and knapsacking attacks. Over time higher and higher probabilities will be obtained. However, this is not something an ordinary person would have to worry about.

.....

DRK is the coin that provides anonymity for the ordinary people. So you don't have to worry about your neighbors snooping on your finances. So people won't find out about stuff they have no business finding out about!

Anything that can be done manually can also be automated if it doesn't involve too much human judgement. What I mean by that is that if a determined attacker has a way to tell that A went to B after thorough "investigation" into a transaction, you can't be really certain that this is good enough for the average Joe either. It would seem that it is (using the rationale "ok, who will do this kind of thorough investigation, time after time, for every transaction") but it is not.

As I see it, if the analysis process can be done with a relative degree of confidence, then it's simply a matter of scripting to automate the procedure of understanding one transaction and do it with other transactions. And that will be done without the manual-effort cost concern which would otherwise protect most people, since it will be done automatically.

Once this is done, you'll have the obfuscated blockchain and another site which is running a script and analyzes, in somewhat-realtime (perhaps lagging a few blocks to allow for the mixing to occur), the blockchain transactions for what they really are, rather than their mixing or noise. Imagine the scenario of an alternative block explorer which is de-obfuscating stuff and then assigning a probability percentage for each transaction. If DRK is a smash and it has many transactions, I bet someone will make this kind of "service".
I have to disagree...
The level of anonymity that DRK can achieve, especially if combined with some of my upcoming NXT based services, will require MORE data than is available in the public blockchains.

Dark is a good word, some of the data paths won't be in the light, eg. blockchain websites.

Also keep in mind that NXT has no txouts -> txins that creates a lifetime historical chain. That is really the fundamental reason why bitcoin is so transparent. So, if identical amounts are coming into a single NXT based acct and identical amounts leave, there is only random statistical probabilities that can be used, eg guessing.

Have to be very careful about smoothing out the amounts being sent and received as even with random guessing, over time you can build a better and better statistical model. It won't be as simple as putting in a source address and getting a destination address to some website that anybody can use. What you get is a probability distribution of the possible destinations.

When there is a meaningful number of transactions, the theoretical website of yours will be spewing out tons of possible destination addresses. Not useless, but unless it is a really determined attacker, not much value.

What will be required is data not available in the blockchain, eg. IP packet sniffers that have a large percentage of the Internet flowing through them. This is why I said encryption is needed, plus a lot more, to make it 99.9999% anonymous. Still there is no solution to physical surveillance...

I doubt anybody that has this resource (TLA's) will be making a public website for Aunt Flo to snoop on you!

Reaching 100% Anonymity is like reaching the speed of light. The closer you get, the harder it gets to get closer.
My assessment is that with current and near future incarnations, DRK will be anonymous enough for personal privacy use. However, it will be a mere annoyance to a determined attacker with globally positioned packet sniffers and a large server farm to crunch trillions of calculations to unravel all payment paths. Additionally, they are working on creating a database of every internet address with a social security number/physical address. I think legislation is in the works to make KYC required for all bitcoin transactions. Welcome to Big Brother 2014, puts the 1984 version to shame.

If they haven't already, they will soon have almost the entire history of bitcoin transactions fully mapped to individual social security numbers. Now, at some point I can see a website that comes out that will let anybody see all the info from this. DRK is clearly needed!!!

James

P.S. Please don't feel that I am an anonymity competitor, in the anonymity biz we are all friends as we can help each other achieve better anonymity. Plus I did manage to get a decent amount of DRK mined with my mini server farm before the GPU era

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
AlexGR
Legendary
Activity: 1708
Merit: 1049
March 19, 2014, 05:58:07 PM
 #9595

on another note

CRYPTSY STILL HASN'T FIXED DUST TRANSACTIONS THAT ARE DRIVING DOWN THE PRICE OF DARKCOIN ARTIFICIALLY

I think the price is where it should be right now, given the market forces (buyers and sellers) no matter the 1-4% fluctuations by the bot. The whale buyers seem to have constant buying orders of ~5-10 BTC providing very strong support. After last time when I wrote that the buyers should move lower to make the dumping more costly for the one who dumps, they wisely re-positioned themselves from .0013 to 0.0012 and now to 0.00117. In this way the dumper whale will have to get the same BTC by losing more coins and that's good because his coin supply will run out earlier. No need for the buyers to buy their way up to 0.0014 when they can get 20% more coins.

As for large investment interest mentioned earlier, that's natural: The "transparent" market cap of bitcoin and alts is 10 billion USD. The anonymous market is peanuts: 4mn USD (1mn anoncoin + 3mn darkcoin). When the anonymous market delivers, if even 1% of the transparent money moves to privacy-centric coins, we are talking about 100mn marketcap to be shared between anonymous coins. You can't go wrong there, although from an investment perspective I doubt they are talking exclusively about DRK. It would probably be a portfolio of coins with unique anonymity characteristics. That would also serve as a hedge to a potential loss in the bitcoin and alt market which would seem as problematic for being transparent. This type of money involved as investment and hedging is more important for coin price than market adoption in commercial trades done with DarkSend, simply due to the enormous volume of USD that are involved. Adoption in transactions will be slow. Today you can't even buy things with Bitcoins (except 0.01% of the cases), so the issue of adoption of altcoins is in itself somewhat of an oxymoron. But there will be a day when this will change.
jl777
Legendary
Activity: 1176
Merit: 1132
March 19, 2014, 06:02:19 PM
 #9596

It seems to me that with the current darksend/denominate implementation it is dangerous to just dump the change from a darksend back into the wallet and use it with the rest of the balance. See the following chart for an example:




If the above diagram is how Darksend works, then I have identified an easily-corrected flaw.

The reverse of the above situation -- in which the Darksend itself "denominates" its outputs -- is simpler and more secure.  Everybody can see whose coins are going into the Darksend, denominated or not, because everybody can see the blockchain.  Denominating them doesn't really help all that much.  

Darksends are examples of the knapsack problem.  Denominating the coins allows the solution to the knapsack problem of the Darksend to be non-trivial.  IE, you can't break it into distinct subproblems because the inputs are equal-sized. So the number of possible solutions is guaranteed to be at least as large as the number of inputs.  But it doesn't guarantee that the solution is Hard, because different size outputs still leak partitioning information.  Worse, the partitioning information can be combined with other information at a later time, to associate the partitions with the inputs, potentially resulting in a unique solution.  Which would mean successfully tracing all the coins through the Darksend.

As an example of what I'm talking about, let's say Alice puts a 10-coin input into the Darksend, along with Bob and Carol and Dave.  And the outputs are 1, 2, 3, 4, 6, 7, 8, and 9 coins.  40 total in, 40 total out.  (I'm ignoring fees for the moment; bear with me). Now Eve, looking at the blockchain, doesn't know who got which coins.   But she knows that the same person who controlled where the 1 went also controlled where the 9 went.  She knows that the same person who controlled the 2 also controlled the 8.  She knows that the same person who controlled the 3 also controlled the 7.  And she knows that the same person who controlled the 4 also controlled the 6.  Because no other combination adds up to everybody controlling the same amount they put in as an input.  There are other ways to make 10 -- for example, 7,2,1 or 6,3,1.  But Eve knows that nobody got those combinations of outputs because that would mean that somebody else didn't get 10.  

This is "partition information" -- there are relatively few solutions to which outputs went together, even if you don't know who controlled which set.  Maybe there are multiple solutions, especially if two or more parties asked for the same denominations of outputs.  But you'll usually find surprisingly few solutions to the partitioning problem.  Additional information can come from later spends and eliminate subsets of the solution space.  A surprisingly small number of spends later, Eve will have the information to reconstruct the Darksend transaction and trace the movement of coins through it.

In order to guarantee that the solution to the Darksend is Hard, it is necessary for it to produce equal-sized outputs.  With equal-sized outputs there is no partitioning information to be had, so a later spend can't provide any new information about the movement of other coins through the Darksend.  

Consider a Darksend where Alice, Bob, Carol, and Dave all put in a single 10 coin input.  It produces a dozen 3.33 coin outputs.  Now, Eve knows that each participant got 3 outputs.  But even if she later associates one of the outputs with an 'Alice' transaction, that doesn't give her any new information about which of the *OTHER* outputs Alice has, or spent, nor allow her to eliminate any possibilities as to which outputs Bob, Carol, and Dave have, or spent.  The partitioning problem is Hard, and remains Hard.

This remains true even if Alice, Bob, Carol, and Dave all put in undenominated inputs that total up to exactly 10 coins each.  Security here is in equality of the amount input, not in the size of the individual txins. Remember, Eve already knows who's putting in which inputs, denominated or not.  As long as each participant puts in a like amount, and the outputs are identically-sized, Eve has no information about the disposition of coins after the send.  

Anyway, my point here is that you can make the problem Hard by doing it the other way round.  Use the Darksend to denominate the coins into equal-size outputs that all come back to you, but then spend those outputs (along with NO OTHER OUTPUTS, not even outputs from other Darksends) in regular transactions, and those regular transactions will be conditionally untraceable. To make them completely untraceable, you don't spend the change from those transactions either; gather the change together until you have a 'denomination-worth' of input, send that into another Darksend, and get a new set of outputs.

I am glad to see in-depth posts on anonymity! This is the DRK thread and while all the GPU mining info is of practical concern, the primary thing about DRK is the anonymity and it will benefit the most from thoughtful discussions. Especially since Evan seems to magically add all the new capabilities each week :)

All these txout and txin issues are avoided if the spending step goes through a BTC bridge, with proper intermediate steps. From a practical standpoint, it adds a new blockchain that needs to be correlated. Theoretically, not much, but practically speaking another dataset that needs to be processed. There can be LTC bridges and other altcoin bridges too.

All the inputs into the BTC bridge will have the same denomination, then they all get deposited into a single account. In NXT accounts are just a single number. So this allows sending from the merged acct different amounts to the BTC destination address.

You might say, "Wait!" the BTC destinations can be knapsack analyzed with the original DRK sends into the BTC bridge. While this is true if people didn't send the same amounts, it can be avoided by having the change just kept in the BTC bridge until the next transaction. This way, all DRK sends coming in are of the same amount and I don't see a way to correlate the BTC receiving address. Also, there will be a DRK to BTC conversion at market prices and by slightly randomizing this conversion price it will add more noise.

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
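The partition argument quoted in the post above can be checked by brute force. The following is an added example, not part of the thread and not Darksend code; it assumes every participant puts in the same total, as in the quoted examples, and models the equal-output case in hundredths of a coin (twelve outputs of 333 against inputs of 999, a constructed stand-in for the quoted 3.33 figure).

```python
from itertools import combinations

# Constructed sample data taken from the figures in the quoted post.
MIXED = [1, 2, 3, 4, 6, 7, 8, 9]   # four 10-coin inputs, unequal outputs
EQUAL = [333] * 12                 # four 9.99-coin inputs, equal outputs


def partitions(outputs, target):
    """Yield every split of output indices into groups that each sum to target.

    Groups are unordered: a result says which outputs moved together,
    not which participant owns which group.
    """
    def rec(remaining):
        if not remaining:
            yield []
            return
        # Anchor each group on the lowest unassigned index to avoid duplicates.
        first, rest = remaining[0], remaining[1:]
        need = target - outputs[first]
        for k in range(len(rest) + 1):
            for combo in combinations(rest, k):
                if sum(outputs[i] for i in combo) != need:
                    continue
                left = [i for i in rest if i not in combo]
                for tail in rec(left):
                    yield [(first,) + combo] + tail

    yield from rec(list(range(len(outputs))))


def co_spent_candidates(parts, known):
    """Distinct sets of outputs that could share an owner with output `known`.

    This models an observer who later ties one output to a participant and
    asks what that reveals about the rest of the mix.
    """
    return {frozenset(g) - {known} for p in parts for g in p if known in g}


if __name__ == "__main__":
    mixed = list(partitions(MIXED, 10))
    equal = list(partitions(EQUAL, 999))
    print("unequal outputs:", len(mixed), "consistent partition(s)")
    for group in mixed[0]:
        print("  moved together:", [MIXED[i] for i in group])
    print("equal outputs:  ", len(equal), "consistent partitions")
    print("candidates after linking one unequal output:",
          len(co_spent_candidates(mixed, 0)))
    print("candidates after linking one equal output:  ",
          len(co_spent_candidates(equal, 0)))
```

With unequal outputs, linking a single output to a participant also identifies that participant's other output; with equal outputs, the same link leaves every pair of the remaining eleven outputs equally plausible.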
Jungian
Legendary
Activity: 930
Merit: 1010
March 19, 2014, 06:05:29 PM
 #9597

Quote
P.S. Please don't feel that I am an anonymity competitor, in the anonymity biz we are all friends as we can help each other achieve better anonymity. Plus I did manage to get a decent amount of DRK mined with my mini server farm before the GPU era

This cannot be stressed enough in my mind. Even as an investor, keep in mind that it's pretty easy to bet on all the horses in this race. It's not a zero-sum game, so we can afford to experiment and have a few losing bets

I think Monero (XMR) is very interesting.
https://moneroeconomy.com/faq/why-monero-matters
Kai Proctor
Hero Member
Activity: 546
Merit: 500
01100100 01100001 01110011 01101000
March 19, 2014, 06:09:31 PM
 #9598

500! That many pages is a good sign in my book :D
humanitee
Hero Member
Activity: 1302
Merit: 502
March 19, 2014, 06:09:39 PM
Last edit: March 19, 2014, 06:21:30 PM by humanitee
 #9599

I am glad to see in-depth posts on anonymity! This is the DRK thread and while all the GPU mining info is of practical concern, the primary thing about DRK is the anonymity and it will benefit the most from thoughtful discussions. Especially since Evan seems to magically add all the new capabilities each week :)

All these txout and txin issues are avoided if the spending step goes through a BTC bridge, with proper intermediate steps. From a practical standpoint, it adds a new blockchain that needs to be correlated. Theoretically, not much, but practically speaking another dataset that needs to be processed. There can be LTC bridges and other altcoin bridges too.

All the inputs into the BTC bridge will have the same denomination, then they all get deposited into a single account. In NXT accounts are just a single number. So this allows sending from the merged acct different amounts to the BTC destination address.

You might say, "Wait!" the BTC destinations can be knapsack analyzed with the original DRK sends into the BTC bridge. While this is true if people didn't send the same amounts, it can be avoided by having the change just kept in the BTC bridge until the next transaction. This way, all DRK sends coming in are of the same amount and I don't see a way to correlate the BTC receiving address. Also, there will be a DRK to BTC conversion at market prices and by slightly randomizing this conversion price it will add more noise.

James

Look at my diagram above and give me your thoughts, if you don't mind.

Why wouldn't that alone suffice? With a denomination pool to combine all smaller inputs into larger inputs, you effectively have complete anonymity. Evan has indicated he would like to work on anonymous transaction broadcasting further down the road. TOR is already in the client, it's just not on by default. With my diagram + TOR I can't see any possible way a user could be tracked.

jl777
Legendary
Activity: 1176
Merit: 1132
March 19, 2014, 06:12:37 PM
 #9600

on another note

CRYPTSY STILL HASN'T FIXED DUST TRANSACTIONS THAT ARE DRIVING DOWN THE PRICE OF DARKCOIN ARTIFICIALLY

I think the price is where it should be right now, given the market forces (buyers and sellers) no matter the 1-4% fluctuations by the bot. The whale buyers seem to have constant buying orders of ~5-10 BTC providing very strong support. After last time when I wrote that the buyers should move lower to make the dumping more costly for the one who dumps, they wisely re-positioned themselves from .0013 to 0.0012 and now to 0.00117. In this way the dumper whale will have to get the same BTC by losing more coins and that's good because his coin supply will run out earlier. No need for the buyers to buy their way up to 0.0014 when they can get 20% more coins.

As for large investment interest mentioned earlier, that's natural: The "transparent" market cap of bitcoin and alts is 10 billion USD. The anonymous market is peanuts: 4mn USD (1mn anoncoin + 3mn darkcoin). When the anonymous market delivers, if even 1% of the transparent money moves to privacy-centric coins, we are talking about 100mn marketcap to be shared between anonymous coins. You can't go wrong there, although from an investment perspective I doubt they are talking exclusively about DRK. It would probably be a portfolio of coins with unique anonymity characteristics. That would also serve as a hedge to a potential loss in the bitcoin and alt market which would seem as problematic for being transparent. This type of money involved as investment and hedging is more important for coin price than market adoption in commercial trades done with DarkSend, simply due to the enormous volume of USD that are involved. Adoption in transactions will be slow. Today you can't even buy things with Bitcoins (except 0.01% of the cases), so the issue of adoption of altcoins is in itself somewhat of an oxymoron. But there will be a day when this will change.

Thanks for the price advice by the way, picked up a few at .001175

From a practical point, not only will anonymity investors diversify across all the viable options, the best anonymity will be achieved by combining them. Unless each coin is implementing anonymity identically, sending payments from one to the other to the other will create greater privacy.

This is why I said that all anonymity providers are automatically friends. The stronger any of us gets, the stronger we all get as we will be used in combination. At least any sensible anonymity seeker would.

If anyone has ideas on features they want in a DRK -> BTC anonymity bridge, I am definitely open to ideas as it is just in the concept stage now. The current concept is that you send BTC address with payment amount (rounded) in DRK -> bridge -> <tbd process> -> BTC address

I am surprised that nobody has expressed any opinion on being able to send DRK to any place that accepts BTC, effectively getting DRK accepted at all places BTC is accepted, while adding more anonymity to the spend process.

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET