[ANN][DASH] Dash (dash.org) | First Self-Funding Self-Governing Crypto Currency

[coins101]

DarkSend should embrace the community....Those who wish to attack go straight in for the kill, cold.

DarkSend needs to have some economic disincentives.  Fees for participation, penalties for misbehaving, minimum values for election.

Why not choose random nodes that have shown community engagement? Length of service, etc. Allowed to make small transactions when new, then slowly build-up to larger transactions - Almost like a PoS, or posting on bitcointalk - in terms of reputation establishment?

[eduffield]

I don't know if Darkcoin is designed to allow you to send over Tor.

Even if it is, Tor will not hide your IP reliably from snooping agencies. Tor is better than nothing, but there are designs which can hide your IP absolutely and reliably. I don't think anyone has implemented such a design yet for the way we need to use it.

There is a Sr. Member who posted couple of functional DRK Tor nodes a few pages back. Any coin using the bitcoin source can Tor

Code:

darkcoind --help

Everyone needs to use it. So it needs to be turned on by default. Because as the participants in your Darksend mix lose anonymity, then you lose anonymity too even if you used Tor.

The only feature of Darkcoin is claimed anonymity now correct? The cpu-only aspect is crossed out on the web page.

Thus shouldn't your anonymity be actually stronger otherwise an altcoin is simply going to do it better than Darksend.

Don't worry about Zerocash, it takes 9ms verification per transaction (Zerocoin is 500msec). That won't scale. Your competition won't come from Zerocash. It will come from another altcoin.

Higher end CPUs still mine nearly as well as the GPUs do. I don't think anything says "CPU only" anymore.

Would you feel Darkcoin is threatened if another altcoin has true cpu-only and very strong anonymity?

Any way I am happy to read below you are thinking about how to improve the anonymity. Your prior reply had me worried that you actually wanted to make it weaker on purpose.  Now I see you are open to improving it.

Tor + Multiple rounds of DarkSend should be nearly perfect anonymity. Even the NSA says they have problems breaking through Tor. (http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document)

That is 2012 document. Many think NSA has control over most or many of the nodes on Tor. Remember these servers cost a lot of money and who is providing that for free and getting nothing in return?

Warning FAQ: Tor doesn't protect you from a global adversary:
https://tails.boum.org/doc/about/warning/index.en.html#index7h1

http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Exit_node_eavesdropping

"If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they're using lots of bandwidth, they're heavy-duty servers and so on. Who would pay for this and be anonymous?"

https://www.schneier.com/blog/archives/2013/03/our_internet_su.html#c1238550

Attacking Tor: How the NSA Targets Users' Online Anonymity:
https://www.schneier.com/essay-455.html

I was thinking more about Divide and Conquer, I believe it's vulnerable to Sybil attacks. I don't think you can do decentralized DarkSend without collateral, otherwise what would stop 100 nodes from taking up 80% of the spots per DarkSend session and forcing the divide and conquer algorithm to go 20 or 30 levels before filtering them out (EVERY SESSION)?

Agreed it is. I think I had figured that out before when I mentioned it in the CoinJoin thread and dismissed it. I apparently forgot that since.

I have a new idea for you. You could force each input to be accompanied by an anonymous proof-of-work that costs considerable computing time. Then move the collateral payment to accompany outputs stage.

I think most users wouldn't mind expending 5 minutes computing time before they send a mix transaction.

I have another idea as well. On failure only, every input into the mix could reveal which collateral payment they sent in the output stage, so you can isolate the input that was the adversary. Then you blacklist that input. The inputs anonymity is destroyed because no mix transaction was completed. But how can you blacklist system wide? How can you trust that node didn't lie just so it could blacklist someone's coins?

Of course I want something that is as secure as possible. But there are lots of trade offs that need to be made to ensure that most users needs are covered while keeping usability at it's maximum.

Using a PoW like that was one of my first ideas to protecting against a Sybil attack

So what is the cost?

There must be a cost to using this anonymous network, otherwise like you say there will be issues with millions of accounts popping up. I’m not dead set on which solution(s) to implement, but here’s a couple ideas:

Burnt Identities

Higher difficulty shares to the current block would be mined and then stored in the blockchain permanently. Multiple of these would be used for each transaction and would be “burnt” when misused, causing the attacker to have to mine them again.  

The problem with PoW type solutions is the NSA and other powerful entities would have cheap access to large amounts of processing power. Plus, making a user do that hinders the usability of the product.

I like collateral transactions because it accomplishes the same thing and they can be increases to a point where attacking the network becomes way too expensive to do efficiently. Plus, if someone was attacking the network we could ban their collateral inputs by tracing the payments back to the source and isolating them individually.  

[sha0908]

When people asked him about what he was working on, he would now say "his coin is the best of X and Y"

I was waiting for this foul mouth retard to arrive.

Actually what I said is that I promised never to release nor endorse any altcoin.

So slyA has proven he is a liar. Now you can trust him.

Who can make the community clean up
We hate to everything we do
We should stick together
Believe me

[AlexGR]

Tor is not the solution in my opinion. It is not mainstream and may be too much for folks to learn about proxies and routers for non-browser tor usage.

In a good, user-friendly solution, all that a user should do is just tick a checkbox and be ok, with the client taking care of everything.

IP obfuscation (TOR or something else, I don't know) will have to be integrated next for the same reason as the one I mentioned earlier: It will be a market weakness. Someone else will take DarkSend, integrate IP obfuscation and claim to solve the IP issue that DRK had in order to take the market.

Btw, enjoying the brainstorming between Evan & Anonymint.

Anoncoin already has IP obfuscation.

Yes, I've read so. Are they using anything good? In general, do you have any suggestions on what might be good for the purpose of a cryptocurrency network?

[apple_talk]

noticed you guys listed it as 0.9.1 version while it is still on old 0.8.6
It is not even 0.9.0

seems misleading, is their any update on when we can expect 0.9.0.x core or newer version.

[Acidyo]

This new X11 algo is very interesting for me.
I'll spend some time to study on it.

The new algorithm will always attract more people's eyes
Get more attention
Hope that the new algorithm can solve many problems
Give us hope
 

x11 is my favorite, and I'm sure my gpu's feel the same way.

[conf]

hi
Off-topic(but important)
We (crypto) are "fighting" against this > BIS (bank for international settlements)

https://www.bis.org/

Do you ever heard about it?

http://www.investorsinsight.com/blogs/what_we_now_know/archive/2006/03/07/the-most-powerful-bank-you-ve-never-heard-of.aspx

"it helps central banks construct and implement financial policy decisions, in concert with one another. And it acts as a third party in transactions, facilitating the flow of money and other financial instruments, including gold.
It accomplishes this through control of currencies. It currently holds 7% of the world's available foreign exchange funds, whose unit of account was switched in March of 2003 from the Swiss gold franc to Special Drawing Rights (SDR), an artificial fiat "money" with a value based on a basket of currencies (44% U.S. dollar, 34% euro, 11% Japanese yen, 11% pound sterling)."

The bank also controls a huge amount of gold, which it both stores and lends out, giving it great leverage over the metal's price and the marketplace power that brings, since gold is still the only universal currency. BIS gold reserves were listed on its 2005 annual report (the most recent) as 712 tons. How that breaks down into member banks' deposits and the BIS personal stash is unknown.
By controlling foreign exchange currency, plus gold, the BIS can go a long way toward determining the economic conditions in any given country.

In 1974, the Basel Committee on Banking Supervision was created by the central bank Governors of the Group of Ten nations (now expanded to twenty). The BIS provides the twelve-member Secretariat for the Committee. The Committee, in turn, sets the rules for banking globally, including capital requirements and reserve controls. In a 2003 article titled “The Bank for International Settlements Calls for Global Currency,” Joan Veon wrote:

“The BIS is where all of the world’s central banks meet to analyze the global economy and determine what course of action they will take next to put more money in their pockets, since they control the amount of money in circulation and how much interest they are going to charge governments and banks for borrowing from them. . . .
“When you understand that the BIS pulls the strings of the world’s monetary system, you then understand that they have the ability to create a financial boom or bust in a country. If that country is not doing what the money lenders want, then all they have to do is sell its currency.”

http://www.globalresearch.ca/the-tower-of-basel-secretive-plans-for-the-issuing-of-a-global-currency/13239


Do some research about it ( if you want) and be prepared...
my 2 cent.

[LimLims]

An example of 1. could be, "To mount an attack that would break the anonymity of 20% of DS transactions, assuming that there currently exist 1000 uncompromised full nodes capable of being elected a master node, and assuming 3 levels of pooling, we would require approx 58.5% of the network (i.e. cube root of 20%), i.e. 1410 Sybil nodes, each requiring at least 1000 DRK, to a total of 1.41M DRK."

Would you accept that 20% of your coins are not anonymous?

If you are trying to hide from an oppressive totalitarian regime where death or jail time waits you if you are discovered, then you want something 1 in million, not 20%.

20% is analogous to pulling the trigger on a 5 round revolver with one bullet pointed at your head, i.e. Russian Roulette.

Try redoing your calculation with 1%, 0.1%, 0.01%, etc.

So this is exactly the kind of question that informs a risk analysis. We might ask, "what percentage risk am I willing to take that my anonymity is broken in this transaction, given [set of assumptions]?"

And the solution might be as simple as specifying the required number of stages of pooling in the client to meet our acceptable level of risk.

[edit] the numbers I chose for the 20% calculation are fairly arbitrary and probably not realistic, but going with those same numbers, it'd take ~17 rounds of pooling to achieve a 0.01% chance of anonymity being broken for a given transaction.

[InternetApe]

An example of 1. could be, "To mount an attack that would break the anonymity of 20% of DS transactions, assuming that there currently exist 1000 uncompromised full nodes capable of being elected a master node, and assuming 3 levels of pooling, we would require approx 58.5% of the network (i.e. cube root of 20%), i.e. 1410 Sybil nodes, each requiring at least 1000 DRK, to a total of 1.41M DRK."

Would you accept that 20% of your coins are not anonymous?

If you are trying to hide from an oppressive totalitarian regime where death or jail time waits you if you are discovered, then you want something 1 in million, not 20%.

20% is analogous to pulling the trigger on a 5 round revolver with one bullet pointed at your head, i.e. Russian Roulette.

Try redoing your calculation with 1%, 0.1%, 0.01%, etc.

If you are worrying about that you have alot bigger problems!

This wasnt designed for that! Thats just idiotic.

[coins101]

DarkSend should embrace the community....Those who wish to attack go straight in for the kill, cold.

DarkSend needs to have some economic disincentives.  Fees for participation, penalties for misbehaving, minimum values for election.

Why not choose random nodes that have shown community engagement? Length of service, etc. Allowed to make small transactions when new, then slowly build-up to larger transactions - Almost like a PoS, or posting on bitcointalk - in terms of reputation establishment?

Why not Pow and PoS, where PoS is tied to fees earned from serving the nework?

ASIC for bitcoin is an arms race because people are spending cash on hardware trying to make as much as possible. Why not have a similar system for nodes? Create an arms race for being honest nodes and deploying as many as possible to fend off or diminish attacks?

[AnonyMint]

I don't know if Darkcoin is designed to allow you to send over Tor.

Even if it is, Tor will not hide your IP reliably from snooping agencies. Tor is better than nothing, but there are designs which can hide your IP absolutely and reliably. I don't think anyone has implemented such a design yet for the way we need to use it.

There is a Sr. Member who posted couple of functional DRK Tor nodes a few pages back. Any coin using the bitcoin source can Tor

Code:

darkcoind --help

Everyone needs to use it. So it needs to be turned on by default. Because as the participants in your Darksend mix lose anonymity, then you lose anonymity too even if you used Tor.

The only feature of Darkcoin is claimed anonymity now correct? The cpu-only aspect is crossed out on the web page.

Thus shouldn't your anonymity be actually stronger otherwise an altcoin is simply going to do it better than Darksend.

Don't worry about Zerocash, it takes 9ms verification per transaction (Zerocoin is 500msec). That won't scale. Your competition won't come from Zerocash. It will come from another altcoin.

Higher end CPUs still mine nearly as well as the GPUs do. I don't think anything says "CPU only" anymore.

Would you feel Darkcoin is threatened if another altcoin has true cpu-only and very strong anonymity?

Any way I am happy to read below you are thinking about how to improve the anonymity. Your prior reply had me worried that you actually wanted to make it weaker on purpose.  Now I see you are open to improving it.

Tor + Multiple rounds of DarkSend should be nearly perfect anonymity. Even the NSA says they have problems breaking through Tor. (http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document)

That is 2012 document. Many think NSA has control over most or many of the nodes on Tor. Remember these servers cost a lot of money and who is providing that for free and getting nothing in return?

Warning FAQ: Tor doesn't protect you from a global adversary:
https://tails.boum.org/doc/about/warning/index.en.html#index7h1

http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Exit_node_eavesdropping

"If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they're using lots of bandwidth, they're heavy-duty servers and so on. Who would pay for this and be anonymous?"

https://www.schneier.com/blog/archives/2013/03/our_internet_su.html#c1238550

Attacking Tor: How the NSA Targets Users' Online Anonymity:
https://www.schneier.com/essay-455.html

I was thinking more about Divide and Conquer, I believe it's vulnerable to Sybil attacks. I don't think you can do decentralized DarkSend without collateral, otherwise what would stop 100 nodes from taking up 80% of the spots per DarkSend session and forcing the divide and conquer algorithm to go 20 or 30 levels before filtering them out (EVERY SESSION)?

Agreed it is. I think I had figured that out before when I mentioned it in the CoinJoin thread and dismissed it. I apparently forgot that since.

I have a new idea for you. You could force each input to be accompanied by an anonymous proof-of-work that costs considerable computing time. Then move the collateral payment to accompany outputs stage.

I think most users wouldn't mind expending 5 minutes computing time before they send a mix transaction.

I have another idea as well. On failure only, every input into the mix could reveal which collateral payment they sent in the output stage, so you can isolate the input that was the adversary. Then you blacklist that input. The inputs anonymity isisn't destroyed because no mix transaction was completed. But how can you blacklist system wide? How can you trust that node didn't lie just so it could blacklist someone's coins?

I'm getting very sleepy. I meant to write above "anonymity isn't destroyed". I corrected my original post that you quoted from.

Of course I want something that is as secure as possible. But there are lots of trade offs that need to be made to ensure that most users needs are covered while keeping usability at it's maximum.

Of course. I understand that too. That is why I was reasonably sure (educated hunch) you had done something to reduce anonymity in order to make it work more deterministically. That is why I had been negative on CoinJoin and looking for something totally different for a solution.

If there is any way we can improve what you have, then I am trying to see if we can brainstorm it.

Using a PoW like that was one of my first ideas to protecting against a Sybil attack

So what is the cost?

There must be a cost to using this anonymous network, otherwise like you say there will be issues with millions of accounts popping up. I’m not dead set on which solution(s) to implement, but here’s a couple ideas:

Burnt Identities

Higher difficulty shares to the current block would be mined and then stored in the blockchain permanently. Multiple of these would be used for each transaction and would be “burnt” when misused, causing the attacker to have to mine them again.  

The problem with PoW type solutions is the NSA and other powerful entities would have cheap access to large amounts of processing power. Plus, making a user do that hinders the usability of the product.

I like collateral transactions because it accomplishes the same thing and they can be increases to a point where attacking the network becomes way too expensive to do efficiently. Plus, if someone was attacking the network we could ban their collateral inputs by tracing the payments back to the source and isolating them individually.  

In my prior message, I explained how you can isolate the input that is stalling the collateral payment submission in the 2nd stage (you move the collateral submission to the 2nd stage). This fixes the anonymity.

But the problem is how can you blacklist that input? Don't you have to trust the master node not to lie to the other master nodes?

But aren't you also in your current design trusting the master node not to steal the collateral inputs?

[eduffield]

An example of 1. could be, "To mount an attack that would break the anonymity of 20% of DS transactions, assuming that there currently exist 1000 uncompromised full nodes capable of being elected a master node, and assuming 3 levels of pooling, we would require approx 58.5% of the network (i.e. cube root of 20%), i.e. 1410 Sybil nodes, each requiring at least 1000 DRK, to a total of 1.41M DRK."

Would you accept that 20% of your coins are not anonymous?

If you are trying to hide from an oppressive totalitarian regime where death or jail time waits you if you are discovered, then you want something 1 in million, not 20%.

20% is analogous to pulling the trigger on a 5 round revolver with one bullet pointed at your head, i.e. Russian Roulette.

Try redoing your calculation with 1%, 0.1%, 0.01%, etc.

1 in a million can be achieved with a solution like this:

User 1 -> Change Address 1 (master node 1, tor ip 1)
Request new tor IP (which Darkcoin could do automatically)
Change Address 1 -> Change Address 2 (master node 2, tor ip 2)
Request new tor IP
Change Address 2 -> Change Address 3 (master node 3, tor ip 3)
Change Address 3 -> Change Address 4 (master node 4, tor ip 4)
Change Address 4 -> Change Address 5 (master node 5, tor ip 5)
Change Address 5 -> Destination (master node 6, tor ip 6)

[AnonyMint]

An example of 1. could be, "To mount an attack that would break the anonymity of 20% of DS transactions, assuming that there currently exist 1000 uncompromised full nodes capable of being elected a master node, and assuming 3 levels of pooling, we would require approx 58.5% of the network (i.e. cube root of 20%), i.e. 1410 Sybil nodes, each requiring at least 1000 DRK, to a total of 1.41M DRK."

Would you accept that 20% of your coins are not anonymous?

If you are trying to hide from an oppressive totalitarian regime where death or jail time waits you if you are discovered, then you want something 1 in million, not 20%.

20% is analogous to pulling the trigger on a 5 round revolver with one bullet pointed at your head, i.e. Russian Roulette.

Try redoing your calculation with 1%, 0.1%, 0.01%, etc.

If you are worrying about that you have alot bigger problems!

This wasnt designed for that! Thats just idiotic.

Agreed we have really big problems coming to all of us. And yes the dying debt collapse of socialism is really idiotic. I wish society hadn't done that. Too late now.

I want 999 in 1000 anonymity minimum (only 1 in 1000 not anonymous).

[AnonyMint]

An example of 1. could be, "To mount an attack that would break the anonymity of 20% of DS transactions, assuming that there currently exist 1000 uncompromised full nodes capable of being elected a master node, and assuming 3 levels of pooling, we would require approx 58.5% of the network (i.e. cube root of 20%), i.e. 1410 Sybil nodes, each requiring at least 1000 DRK, to a total of 1.41M DRK."

Would you accept that 20% of your coins are not anonymous?

If you are trying to hide from an oppressive totalitarian regime where death or jail time waits you if you are discovered, then you want something 1 in million, not 20%.

20% is analogous to pulling the trigger on a 5 round revolver with one bullet pointed at your head, i.e. Russian Roulette.

Try redoing your calculation with 1%, 0.1%, 0.01%, etc.

So this is exactly the kind of question that informs a risk analysis. We might ask, "what percentage risk am I willing to take that my anonymity is broken in this transaction, given [set of assumptions]?"

And the solution might be as simple as specifying the required number of stages of pooling in the client to meet our acceptable level of risk.

[edit] the numbers I chose for the 20% calculation are fairly arbitrary and probably not realistic, but going with those same numbers, it'd take ~17 rounds of pooling to achieve a 0.01% chance of anonymity being broken for a given transaction.

You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.

[LimLims]

You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.

That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes.

We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this.

[edit] or perhaps you mean the participants in the pooling -- in which case, I don't see how they can affect anonymity one way or the other, since trust is only required of the master node.

[AnonyMint]

Tor is not the solution in my opinion. It is not mainstream and may be too much for folks to learn about proxies and routers for non-browser tor usage.

In a good, user-friendly solution, all that a user should do is just tick a checkbox and be ok, with the client taking care of everything.

IP obfuscation (TOR or something else, I don't know) will have to be integrated next for the same reason as the one I mentioned earlier: It will be a market weakness. Someone else will take DarkSend, integrate IP obfuscation and claim to solve the IP issue that DRK had in order to take the market.

Btw, enjoying the brainstorming between Evan & Anonymint.

Anoncoin already has IP obfuscation.

Yes, I've read so. Are they using anything good? In general, do you have any suggestions on what might be good for the purpose of a cryptocurrency network?

Anoncoin employs the i2p which is a low-latency chaum mix net similar to Tor but operates at a lower network stack layer protocol (IP). I don't think it will really resolve the weakness of Tor, because they have same the problem that low-latency mixnets can be analyzed with traffic analysis.  I don't know if i2p is p2p wherein users are the nodes, instead of others providing expensive servers for free. We need something like that, because I don't trust the Tor servers. And we need more hops. Tor is only 3 (or 5 for Tor service).

For transaction mixing, I am trying to see if we can find a way to make CoinJoin work better. The only other thing available is Zerocash or Zerocoin.

[AnonyMint]

You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.

That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes.

We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this.

No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty.

If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%.

[AnonyMint]

You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.

That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes.

We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this.

No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty.

If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%.

And there is another complexity to factor into your calculation. If there is a 58% chance (as you suggested) that each input into each of your mixers can be non-anonymous, then your anonymity set is reduced by 58%.

[eduffield]

But aren't you also in your current design trusting the master node not to steal the collateral inputs?

The whitepaper has my proposed solution to that in the "Defending Against Attack" section: http://www.darkcoin.io/downloads/DarkcoinWhitepaper.pdf

Things have changed since then, so we'll have to come up with something else.

[LimLims]

You must also factor that your participants might be a Sybil attack. In that case, the number of rounds doesn't help you increase the anonymity set nor decrease the percentage.

That is factored in -- in fact that's the point of this calculation. The assumption being made here (for the sake of getting some hard numbers): 1410 sybil nodes, 1000 non-sybil nodes.

We only need one non-sybil node in the pooling chain to retain anonymity. The longer the chain, the greater the likelihood of this.

No you misunderstood my point. I mean the participants who are sending inputs to the CoinJoin mix. Those inputs can be Sybil attacked. If you are the only non-Sybil input, then your output is known with 100% certainty.

If there are 50% Sybil inputs, then the anonymity set of outputs that you are mixed with is reduced by 50%.

Ok, gotcha. That could be mitigated in a similar way by the community running scripts to act as inputs to push DS transactions through. I think Evan suggested this a while back.

Based on these numbers (despite not factoring in sybil inputs), it seems clear that a high level of anonymity can be achieved by increasing the number of pooling stages to 10+, even if the attacker controls > 50% of nodes.