Author Topic: [ANN][DASH] Dash (dash.org) | First Self-Funding Self-Governing Crypto Currency  (Read 9722725 times)
AnonyMint
April 02, 2014, 01:13:08 PM
Last edit: April 02, 2014, 01:46:52 PM by AnonyMint
#12001

> Based on these numbers (despite not factoring in sybil inputs), it seems clear that a high level of anonymity can be achieved by increasing the number of pooling stages to 10+, even if the attacker controls > 50% of nodes.
>
>> Depends. Because 50% means that your anonymity set is reduced by 50% on each round as I explained in my other post above.
>>
>> Example. If you are mixed with 10 others on each round, then only 5 will be anonymous (and one of the five might be you), so that means you have a 50% + 20% (1 in 5) chance to be non-anonymous. So 70% per round. You will need more rounds or you need larger mix sizes.
>
> This is actually not correct. A distinction needs to be made between the risk of being unmasked completely, and the reduction in the size of the set of anonymous entities in a pool.
>
> As an illustration: say we have a ballot with only two voters. We would know with 50% certainty the identity behind each vote. It's a small anonymous set of identities, but the vote is still anonymous. The lack of certainty represents a break in the causal chain. This is important for various reasons, but doesn't diminish the importance of having a large pool of anonymous identities (likewise for various reasons). So for strong anonymity we need some level of certainty of not being unmasked completely AND a sufficiently large pool of anonymous users.

I posit that the distinction is meaningless as the outcomes are pushed out to the edges of the causality graph at economies-of-scale. Because at economies-of-scale, the adversary doesn't have perfect identities data; rather the NSA has statistically overlapping data sets (e.g. Tor breaks, browser fingerprints, etc.) that, when correlated, generate identities. The NSA is not just targeting a few millionaires to know where all the wealth is being stored (so the G20 can confiscate it after 2016 as the world descends into a nightmare debt collapse); rather they are saving everything in Utah and targeting all the millionaires.

Anonymity is never an all-or-nothing proposition; rather it is a degree of anonymity. That is why the distinction I made between privacy and anonymity upthread has blended and disappeared as we have discussed Darksend more. (That was your point too :) )


>> Also you have to factor in the non-anonymous rate of Tor and those inputs who didn't use Tor at all are not anonymous. This reduces your anonymity set, even if you use Tor.
>
> This is important and I don't think the ramifications of IP addresses unmasking anonymity have been adequately discussed here yet.
>
> What would be required to unmask an otherwise anonymous darksend transaction if the IP addresses were available at each of the compromised nodes?

I surmise that what you mean to say is: if a Darksend does not pass through a compromised Masternode, then how can interception of the IP address by a Tor node impact the anonymity of a Darksend. Correct?

If so, then my analysis is that if you see the same IP address sending the input and signing the outputs, you still don't know which output that was, because the output signing is blinded cryptographically. But it depends on how the outputs are collected. If the outputs are first sent by each IP, and then the collection is signed separately, then the output can be correlated to the IP. But if the outputs are blind signed as they are collected using ring signatures, then knowing the IP doesn't help the adversary.

So we need to ask Evan if he is using ring signatures?

However even if he is using ring signatures, there is another way that interception of IP can break anonymity.

When you spend the output of a Darksend, then your IP can correlate your identity to the same one as the input, and thus anonymity is broken.

So yes, not obfuscating IP breaks the anonymity of the Darksend.

Also there is another way to break anonymity of the Darksend. If I merge two or more outputs of Darksends to form the inputs spent on a transaction, then I have correlated that those outputs share one identity (since they will look different than a Darksend mix transaction which has a constant amount and matching # of inputs and outputs).


coins101
April 02, 2014, 01:24:18 PM
#12002

I think we need to start planning some milestone objectives in terms of PR.

I know there are bounties for obtaining contacts for the media and there is a bounty for articles in magazines.

What I don't think we have is a timeline.

ZeroCash is going public in a few months time ~20 May. Regardless of whether they have anything tangible or just a published paper, they will get the headlines again and Darkcoin won't. We have already seen this happen once with this article in coindesk http://www.coindesk.com/taxonomy-bitcoin-mixing-services-policymakers/

This isn't about rushing the development of DarkSend. It's ready, when it's ready.

This is about not being drowned out and then being considered a clone. A hole which is difficult to dig yourself out of once people have formed a first impression and then moved on. Again, we saw this with the recent coindesk article. Everyone scrambled to post comments in the article and the writer took time to post on twitter, but by then history had been written and darkcoin was effectively written out.

Publishers will be looking to tie up column inches around the launch of Zerocash - the Zerocash paper or their paper and a live coin project. We should make sure we have something ready for this point as a minimum.

Zerocash will have some positive spin. They will talk about e-cash and anonymity. What they won't talk about are the problems with the project. We not only need to have some PR ready, but we should have a reason for people to consider Darkcoin as a serious contender and why it may overcome some problems with zerocash.

Rather than just point stuff out and sit back, I will write a frame for some PR articles and editors notes over the coming two weeks. We can then put that up for edits, comments, etc.

Can we agree on an overall suitable time horizon? Or is this pointless?

I think we should lead with this:



It's a Satoshi address. Maybe a little prickly for the community?
AnonyMint
April 02, 2014, 01:42:40 PM
Last edit: April 02, 2014, 02:41:45 PM by AnonyMint
#12003

The summary thus far of my analysis of Darksend is that Evan has put into place adequate mechanisms to disincentivize theft of the collateral payments and to disincentivize Sybil attacking the inputs to a Darksend with legitimate Darksends.

The weaknesses (w.r.t. anonymity) are that Masternodes can be purchased and if the adversary has too many of them, they can reduce your probability of anonymity unless you send your funds through dozens of Darksends between each receipt or spend transaction. If the adversary controlled 90% of the Masternodes, it would be nearly impossible to be anonymous more than say 99% of the time, i.e. 1 in 100 of your spends would lose anonymity. Evan argues that attaining a lot of Masternodes is too expensive. Well, probably so for the common criminal, but I am not convinced that is so for the NSA.

1 in 100 may not sound bad, but remember that loss of anonymity tends to domino cascade (for the holistic reasons I pointed out in my reply to LimLims on this page). And that is for the person who is extremely diligent to do dozens of Darksends between each spend. Most users are not so perfectionist. So for them anonymity could drop significantly if the adversary has such huge resources.

The other weakness is that it is not yet mandatory to use an IP mixer such as Tor with Darksend, and if not all of the participants to the Darksend are obfuscating their IP, then the anonymity probability declines. Note that even if Darksend makes Tor mandatory, Tor is not the best we can do for an IP mixer. It is unknown how effective Tor is. Some might estimate 80 - 95%. Others might pull 50% out of their arse. I really don't know, but I don't trust Tor entirely. This combined with say 20% of the Masternodes compromised (and a little bit of normal human error on your part such as forgetting to send dozens of Darksends for each coin you receive) can also make it unrealistic to repeatedly sustain very military grade strength of anonymity. (But who said you wanted military grade assurance? Some do, some may not require it.)

Darksend has anonymity. Darkcoin is an anonymity coin. The strength of the anonymity depends on the resources and resolve of the adversary versus the Darkcoin user.

I am still trying to think of suggestions to improve it.

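As an added illustration of the anonymity arithmetic in #12001 and #12003 above (my example, not code from this thread or from the Darkcoin project): a toy risk model for a chain of Darksend rounds in which the adversary controls a fraction f of the Masternodes, each round mixes the user with k other participants, and each other participant is already identifiable to the adversary with probability p_ident (a Sybil input, or a participant who did not hide their IP). The parameter names, the model and its simplification that a compromised Masternode links its whole round are my assumptions; the 90% / 20% Masternode and 1-in-100 figures are the post's.

```python
"""
Toy risk model for chained Darksend mixing rounds against an adversary
that controls a fraction of the Masternodes.  Constructed for this
discussion; it is not Darkcoin code and the model is deliberately simple.

Assumptions (mine, not the Darksend design):
  * f       -- fraction of Masternodes the adversary controls.  A round run
               by one of them is fully linked (input -> output known).
  * k       -- number of *other* participants mixed with the user per round.
  * p_ident -- probability that any given other participant is already
               identifiable to the adversary (a Sybil input, or a user who
               did not hide their IP), so they add nothing to the anonymity set.
  * A round yields anonymity only if its Masternode is honest AND at least
    one other participant is anonymous; the chain is fully traced only if
    every round failed to yield anonymity.
"""
import random
from typing import Optional


def p_round_traceable(f: float, k: int, p_ident: float) -> float:
    """Probability that one mixing round gives the user no anonymity."""
    honest_node = 1.0 - f
    all_peers_identifiable = p_ident ** k
    return f + honest_node * all_peers_identifiable


def p_chain_traceable(n_rounds: int, f: float, k: int, p_ident: float) -> float:
    """Probability that all n_rounds rounds fail, i.e. the coin is fully traced."""
    return p_round_traceable(f, k, p_ident) ** n_rounds


def rounds_needed(target: float, f: float, k: int, p_ident: float,
                  max_rounds: int = 10_000) -> Optional[int]:
    """Smallest number of rounds with P(fully traced) <= target, or None when
    the per-round failure probability is 1 (no number of rounds can help)."""
    p = p_round_traceable(f, k, p_ident)
    if p >= 1.0:
        return None
    n = 0
    remaining = 1.0
    while remaining > target and n < max_rounds:
        remaining *= p
        n += 1
    return n if remaining <= target else None


def simulate_traced_fraction(trials: int, n_rounds: int, f: float, k: int,
                             p_ident: float, seed: int = 0) -> float:
    """Monte Carlo cross-check of p_chain_traceable: sample each round's
    Masternode and each peer independently and count fully traced chains."""
    rng = random.Random(seed)
    traced = 0
    for _ in range(trials):
        anonymous_round_seen = False
        for _ in range(n_rounds):
            if rng.random() < f:
                continue  # compromised Masternode: this round is fully linked
            anonymous_peers = sum(1 for _ in range(k) if rng.random() >= p_ident)
            if anonymous_peers > 0:
                anonymous_round_seen = True  # a break in the causal chain
                break
        if not anonymous_round_seen:
            traced += 1
    return traced / trials


if __name__ == "__main__":
    # The thread's scenarios: 20%, 50% and 90% compromised Masternodes,
    # target of at most 1 in 100 spends fully traced.
    for f in (0.2, 0.5, 0.9):
        print(f"f={f:.1f} k=5 p_ident=0.3 -> rounds for <=1% traced:",
              rounds_needed(0.01, f, 5, 0.3))
    analytic = p_chain_traceable(3, 0.5, 3, 0.5)
    mc = simulate_traced_fraction(20_000, 3, 0.5, 3, 0.5, seed=1)
    print(f"3 rounds, f=0.5, k=3, p_ident=0.5: "
          f"analytic={analytic:.3f} monte-carlo={mc:.3f}")
```

With f=0.9 and fully anonymous peers the model needs 44 rounds to get below 1-in-100 traced, which is the "dozens of Darksends" figure of the post.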
AnonyMint
April 02, 2014, 02:08:20 PM
Last edit: April 09, 2014, 11:16:17 AM by AnonyMint
#12004

I hope readers find my posts helpful?

> ZeroCash is going public in a few months time ~20 May. Regardless of whether they have anything tangible or just a published paper,

I don't think they will have beta-test level code then.

> This is about not being drowned out and then being considered a clone.

No way Darkcoin can be considered a clone, as Zerocash completely hides the payer, payee, and the amount of transactions. The block chain is a complete fog. Zerocoin doesn't do this.

> Zerocash will have some positive spin. They will talk about e-cash and anonymity.

They will make the point I just wrote above.

> What they won't talk about are the problems with the project.

The main weakness of Zerocash is it adds an additional 3 minutes between check out and completion of payment. (Add that on top of Bitcoin's 10 - 60 minutes, or Litecoin's 2.5 - 15 minutes). Zerocoin doesn't have this problem.

The main weakness of Zerocash and Zerocoin is that they depend on new crypto which hasn't been subjected to years of cryptanalysis, and if you put it on the block chain and it is later cracked, the entire coin is potentially F.U.B.A.R.

Whereas Darksends are offchain! Even if you crack the crypto of Darksend (which uses very old, well vetted crypto), the block chain remains uncracked!

The other weakness of Zerocash and Zerocoin is they depend on a trusted party to create the master parameters. If anyone retains that information (even if they snooped it using the NSA's air gap detection mechanisms), then in the case of Zerocash they can create unlimited coins and nobody will even know it! In other words, the coin supply becomes unknowable!! I am not exaggerating!!

Another counter point may be that each Zerocash transaction takes 9ms to verify (500ms for Zerocoin). Thus they can only put 111 transactions in a block per second per core of the CPU on the miner. Visa does 2,000 - 4,000 transactions per second, so for Zerocash to scale to global transactions it needs 40 CPU cores per miner (e.g. 10 iCore i7 CPUs), not including denial-of-service transaction spam. Transaction spam could be really bad if they don't have a transaction fee or other means to control it. Anyway, 40 CPU cores is not really a big problem if mining will be done only in pools.

But crypto-currencies are hoping to enable microtransactions, thus the transactions per second would explode by orders-of-magnitude.

Thus it appears to me Zerocash is incompatible with microtransactions unless mining becomes very centralized among a few powerful pools.

Centralization of mining is a severe problem with Bitcoin having one, two or three pools with 51% of the hash power now.

coins101
April 02, 2014, 02:22:36 PM
#12005

Thanks. That is very helpful.
humanitee
April 02, 2014, 02:31:59 PM
#12006

> [snip]

I want to commend your efforts and demeanour in the recent discussion, it has been very informative and insightful. A few weeks ago I went through a lot of your post history (100+ posts) over the course of a few nights and was delighted, until I got to the IQ based insults, which seemed to go on ad nauseam at some points.

When you aren't crassly attacking obvious losers and boasting about your intelligence, I very much enjoy your posts. It's apparent to any technically inclined reader that you are very intelligent and very experienced.

Thanks again for taking the recent time to state your case, it has made me twice as excited about the future of this coin! I look forward to reading more quality posts by you.

AnonyMint
April 02, 2014, 02:32:04 PM
#12007

I edited my summary of the anonymity situation in Darkcoin. Please re-read.

eduffield (OP)
Dash Developer
April 02, 2014, 02:42:21 PM
#12008

> [AnonyMint's post #12003, quoted in full; see above]

I think the current state of things will be great for a V1 release, however what about the following strategy for V2:

Step 1: Users submit their inputs to master node, with collateral
Step 2: Users submit outputs and blind signature
Step 3: If missing an output, the master node will ask for users to send inputs/outputs. The missing user in step 2 will be charged collateral, then step 1 begins again without the bad actor.

To attack this, you must be in control of the master node and would have to pay the collateral to de-anonymize.

edit: nm, the master node could just lie and deanonymize everything it sees

Lordoftherigs
April 02, 2014, 02:42:26 PM
#12009

So what's the next step for darkcoin in terms of development/acceptance?
eduffield (OP)
Dash Developer
April 02, 2014, 02:49:53 PM
#12010

> So what's the next step for darkcoin in terms of development/acceptance?

As for development, I'm working on the next beta version. In a couple more versions we're going to need to do some large scale testing to find bugs. It should start getting pretty stable here soon.

AnonyMint
April 02, 2014, 02:54:42 PM
#12011

> [eduffield's post #12008, quoting AnonyMint's #12003 in full; see above]

Also don't forget the Masternode can't correlate a blinded output if the collateral doesn't accompany the blinded output. That one keeps getting me too, which is why I wrote it down in a post as follows so I wouldn't forget:

> In case readers don't understand why the collateral payments can't be associated only with the inputs and not the outputs, it is because the outputs are blind signed. So if output signing fails, then there is no way for inputs to prove they signed the outputs in order to isolate the adversary(ies) who didn't.
>
> So this is why output signing has to be correlated to inputs. This is what breaks the anonymity in terms of allowing Sybil attacks on master nodes (see my calculation example upthread).
>
> Then apparently we also have the problem that collateral payments can be stolen by Sybil attacking master nodes (and miners/pools if the payments go to them), but still waiting to finish that discussion.

AnonyMint
April 02, 2014, 03:01:53 PM
Last edit: April 02, 2014, 03:13:59 PM by AnonyMint
#12012

The crypto in Zerocash is really neat (quadratic span programs, et al). But both Zerocash and Zerocoin are not immune if ever the NSA (or anyone) has a quantum computer, because they use bilinear pairings and double discrete logarithm trapdoors respectively, which are factorable with Shor's algorithm. We would need instead Zero Knowledge employing a McEliece or Niederreiter binary Goppa codes style trapdoor, which so far remain theoretically immune to complexity reduction with a quantum algorithm.

Remember this. It is impossible to do Zero Knowledge Proof without a trap door. Thus a one-way hash (like SHA256) can't be used to do ZKP. Zerocash uses hashes but these are not the trapdoor.

I could explain this and Fiat-Shamir's transform to the average reader here, but I don't have time. And I think they don't really need to know.

TanteStefana
The Future Of Work
April 02, 2014, 03:13:12 PM
#12013

> ...cut...
> It doesn't need to be NSA-proof from day one (don't even know if that's even possible with their resources) but a plan with gradual introduction of further layers and features could work. But since we've not reached final deployment, it's good that ideas are thrown around so that it can be the best it can get in the core functionality without having to rewrite the main code to something different. ...cut...

Two of the biggest problems Darkcoin faces right now are:

1.  We need to get a working DarkSend completed.
2.  The more layers we stack on DarkSend, the bulkier the blockchain.

Finally, it is impossible to make it 100% anonymous.  What you do is increase the improbability that anything can be traced basically due to the cost involved.

Besides, DarkSend doesn't have to be "Completed"; it can evolve, with people being able to use it as it does evolve. In fact, that's probably the healthiest way for the development of the coin to go. Trying to make things so complex, with such a reduction in rewards (0.000001% more anonymity) invites bugs that will be super hard to detect. Let's build on a great foundation. I think it's the wisest approach.

AnonyMint
April 02, 2014, 03:15:16 PM
#12014

Definitely make the cost vs. level of anonymity calculation. Wise.

TanteStefana
The Future Of Work
April 02, 2014, 03:22:04 PM
#12015

> I am a little confused at this point. I don't know what I missed. Could somebody give me a raw explanation? Because, I see:
> - an interesting coin concept (it came with a unique anti-ASIC hashing algo, new diff retarget algo, and here is the DarkSend beta, etc)
> - an active developer
> - an active bitcointalk forum community (several hundreds of pages / months)
> - DRK trading pairs on several big exchanges

I don't know, I'm mining because I'm lazy and I don't know what else to mine.  But I'm stupid, not everyone can be stupid like me?  LOL, so who knows?

Also, maybe your settings are not quite right? Lowering the intensity sometimes increases actual hash rate, you might want to try that?

InternetApe
April 02, 2014, 03:26:23 PM
#12016

> [AnonyMint's post #12012, quoted in full; see above]

Our upgraded model now offers balanced strategic programming. At base level, this just comes down to regenerated transitional matrix approaches.

It's time that we became uber-efficient with our four-dimensional strategic processing.

Come on Only geeks stuck in the 90s still go for millennial administrative hardware.

AnonyMint
April 02, 2014, 03:45:59 PM
#12017

> [InternetApe's post #12016, quoted in full; see above]

Is it still April fools where you are? :D

(Readers, mine was not technobabble, really :-[ )

eltito
April 02, 2014, 03:52:20 PM
#12018

> [AnonyMint's post #12012, quoted in full; see above]

...uhh, yes.  Well, I liek boobies.  So I got that goin' for me.
coins101
April 02, 2014, 03:54:32 PM
#12019

Not too technobabbly for most of us.

But the NSA, GCHQ, Satoshi and a few of the devs would be able to keep up. That's all that matters.

InternetApe
April 02, 2014, 03:57:31 PM
#12020

> [AnonyMint's post #12017, quoted in full; see above]

I know yours wasn't, it just sounded funny to me. I'm a computer geek but that was more than I know about. :P At least Evan understood....
