ㅤ

[Wind_FURY]

Would you say it's "OK" for them to use some mixer that could taint their coins if all they want is mere privacy?

Well, first of all, the anonymity set of 'all UTXOs' is much larger than 'only the clean ones', so by definition, not caring about taint gives you more privacy. Do note that not all 'tainters' have the same definition; which means to be 'really on the safe side', you need to take the intersection of all 'clean pools' and try to get a UTXO out of there. I believe it will prove pretty difficult. I mean, what's the utility if you get a 'clean coinbase utxo' which you can only send back to Coinbase, because other exchanges have a different definition and according to them, it is tainted?

What would you say to them if they're coins are withheld by an exchange because of taint?

You just told me your friends care about privacy, but then you are telling me they use a centralized exchange. This doesn't add up. If they care about privacy, they are using a decentralized exchange which doesn't care about some arbitrary party's definition of taint.

I have deleted my original post, in reply to you. I don't want to be offensive, but get the real context of my original point. "My friends" are ordinary users who merely want to make their transactions sent to porn sites, and sex toy merchants to be untraceable from their wallets. They don't care about privacy as "privacy in an idealistic sense". They merely want privacy in a practical sense.

[1714662229]

1714662229

[1714662229]

1714662229

[1714662229]

1714662229

[n0nce]

Would you say it's "OK" for them to use some mixer that could taint their coins if all they want is mere privacy?

Well, first of all, the anonymity set of 'all UTXOs' is much larger than 'only the clean ones', so by definition, not caring about taint gives you more privacy. Do note that not all 'tainters' have the same definition; which means to be 'really on the safe side', you need to take the intersection of all 'clean pools' and try to get a UTXO out of there. I believe it will prove pretty difficult. I mean, what's the utility if you get a 'clean coinbase utxo' which you can only send back to Coinbase, because other exchanges have a different definition and according to them, it is tainted?

What would you say to them if they're coins are withheld by an exchange because of taint?

You just told me your friends care about privacy, but then you are telling me they use a centralized exchange. This doesn't add up. If they care about privacy, they are using a decentralized exchange which doesn't care about some arbitrary party's definition of taint.

I have deleted my original post, in reply to you. I don't want to be offensive, but get the real context of my original point. "My friends" are ordinary users who merely want to make their transactions sent to porn sites, and sex toy merchants to be untraceable from their wallets. They don't care about privacy as "privacy in an idealistic sense". They merely want privacy in a practical sense.

Hey, no need to delete anything, please! We're just discussing, it's all good. I understand; they want privacy from their significant other or something like that - well for that prepaid cards could suffice or maybe they should just sort out their personal issues. Anyhow; if they do buy something that has to be secret in their marriage (but also possibly country / community / social circle), do note that if they buy through a centralized exchange, their wife could get the withdrawal address from the exchange by calling them. Then she could trace the payment. Is this why they would want to use CoinJoin (through Wasabi)? If the wife wouldn't go to such lengths, the only 'privacy issue' would be that the exchange knows they're buying adult material; why is that an issue? If it's not a marital issue but indeed a political one, they should be much more careful and really avoid a centralized exchange; no matter if coinjoining or not.
So while I get your point in a way, personally I try not only telling people about Bitcoin but also how / where to get it and why. They should get a full understanding of what they're pouring their hard earned money into, and not live in an illusion of privacy or security when there is none.

[Wind_FURY]

Would you say it's "OK" for them to use some mixer that could taint their coins if all they want is mere privacy?

Well, first of all, the anonymity set of 'all UTXOs' is much larger than 'only the clean ones', so by definition, not caring about taint gives you more privacy. Do note that not all 'tainters' have the same definition; which means to be 'really on the safe side', you need to take the intersection of all 'clean pools' and try to get a UTXO out of there. I believe it will prove pretty difficult. I mean, what's the utility if you get a 'clean coinbase utxo' which you can only send back to Coinbase, because other exchanges have a different definition and according to them, it is tainted?

What would you say to them if they're coins are withheld by an exchange because of taint?

You just told me your friends care about privacy, but then you are telling me they use a centralized exchange. This doesn't add up. If they care about privacy, they are using a decentralized exchange which doesn't care about some arbitrary party's definition of taint.

I have deleted my original post, in reply to you. I don't want to be offensive, but get the real context of my original point. "My friends" are ordinary users who merely want to make their transactions sent to porn sites, and sex toy merchants to be untraceable from their wallets. They don't care about privacy as "privacy in an idealistic sense". They merely want privacy in a practical sense.

Hey, no need to delete anything, please! We're just discussing, it's all good. I understand; they want privacy from their significant other or something like that - well for that prepaid cards could suffice or maybe they should just sort out their personal issues. Anyhow; if they do buy something that has to be secret in their marriage (but also possibly country / community / social circle), do note that if they buy through a centralized exchange, their wife could get the withdrawal address from the exchange by calling them. Then she could trace the payment. Is this why they would want to use CoinJoin (through Wasabi)? If the wife wouldn't go to such lengths, the only 'privacy issue' would be that the exchange knows they're buying adult material; why is that an issue? If it's not a marital issue but indeed a political one, they should be much more careful and really avoid a centralized exchange; no matter if coinjoining or not.
So while I get your point in a way, personally I try not only telling people about Bitcoin but also how / where to get it and why. They should get a full understanding of what they're pouring their hard earned money into, and not live in an illusion of privacy or security when there is none.

Ser, you're nitpicking, and you're trying to take the discussion out of context, therefore creating a straw man. That post of yours is not the point. The point is there will be Bitcoin users who merely want a little privacy/untraceablity without the danger of the taint. Does everything have to be in an idealistic sense? If you believe yes, then would you recommend everyone to buy and HODL Monero? I believe they are very idealistic about privacy.

[o_e_l_e_o]

The point is there will be Bitcoin users who merely want a little privacy/untraceablity without the danger of the taint.

And what we are saying is that if you buy your coins on a centralized exchange, or mix them using a wallet which is employing a blockchain analysis company to spy on its users and correlate that information against various government blacklists and databases, then you will have absolutely zero privacy or untraceability. You might have protection against the most cursory of searches on a standard block explorer, but you will have no privacy in any real sense of the word and your data will be in the hands of plenty of third parties.

[Wind_FURY]

The point is there will be Bitcoin users who merely want a little privacy/untraceablity without the danger of the taint.

And what we are saying is that if you buy your coins on a centralized exchange, or mix them using a wallet which is employing a blockchain analysis company to spy on its users and correlate that information against various government blacklists and databases, then you will have absolutely zero privacy or untraceability. You might have protection against the most cursory of searches on a standard block explorer, but you will have no privacy in any real sense of the word and your data will be in the hands of plenty of third parties.

The question for nopara73 then is, can the said blockchain analysis company trace those coins after they were mixed in Wasabi? My friends don't want their sex toy purchases found on the blockchain by their wives, or possibly seen by their employers. They work in a religious organization!

[BlackHatCoiner]

can the said blockchain analysis company trace those coins after they were mixed in Wasabi?

Wasabi coordinator doesn't know anything that isn't known by the public. A chain analysis can trace the coins as they're all connected in a single transaction; it only obfuscates the final outcome. What zkSNACKs did in the recent update, is to blacklist certain outputs from being mixed, making therefore chain analysis easier.

My friends don't want their sex toy purchases found on the blockchain by their wives

Good. Bitcoin transactions do not contain information of any purchase beyond the amounts transacted, so there's no need for mixing. Just go with coin selection.

or possibly seen by their employers.

What kind of employers search the blockchain for their employees' sex toy preferences? Proper coin selection should do fine. If they don't feel confident, they should use a mixing service.

[Pmalek]

My friends don't want their sex toy purchases found on the blockchain by their wives, or possibly seen by their employers. They work in a religious organization!

Wives and employers won't be able to follow the trail from the source to what was purchased. They also can't acquire this information by asking Wasabi or blockchain analysis firms. Analysis companies feed their data to government institutions and other 3rd parties. It remains private in a way that the wife and employer won't be told about it.   

[witcher_sense]

Wasabi coordinator doesn't know anything that isn't known by the public. A chain analysis can trace the coins as they're all connected in a single transaction; it only obfuscates the final outcome. What zkSNACKs did in the recent update, is to blacklist certain outputs from being mixed, making therefore chain analysis easier.

Actually, a CoinJoin coordinator knows more than the public, and that "knowledge," if shared with blockchain surveillance firms, law enforcement agencies, or government, can definitely harm users. You are connecting to a coordinator through Tor, so it won't know your real IP address. That is not a problem. However, the problem is that all the inputs that you share with a coordinator will come from a single Tor identity, and a coordinator will learn that certain inputs belong to the same user. Inputs may not be connected to each other on the blockchain (publicly available information) but can be linked to each other during input consolidation (information unknown to the public). For instance, if one of your inputs is KYCed (tied to real identity) and the others are in a blacklist, then a coordinator or blockchain surveillance firm will learn to whom blacklisted coins belong.

[BlackHatCoiner]

That is not a problem. However, the problem is that all the inputs that you share with a coordinator will come from a single Tor identity, and a coordinator will learn that certain inputs belong to the same user. Inputs may not be connected to each other on the blockchain (publicly available information) but can be linked to each other during input consolidation (information unknown to the public).

I thought of the same, but then I saw this:

We didn't explain, because it's trivial. By architecture, the Wasabi coordinator cannot breach the privacy of its users. It does not mean the coordinator chooses to not collect data, but it means it couldn't collect even if it wanted to. The coordinator only knows of the UTXOs to take part in coinjoins - so does the public - and that's not a privacy leak.

Which makes me believe that Wasabi wallet, which is open source, works in a different way, making coordinators just single points that help the users gather. I haven't fully understood how it works, so I don't hold my breath about it. Perhaps, one more knowledgeable can give us a helping hand here.

[witcher_sense]

Which makes me believe that Wasabi wallet, which is open source, works in a different way, making coordinators just single points that help the users gather. I haven't fully understood how it works, so I don't hold my breath about it. Perhaps, one more knowledgeable can give us a helping hand here.

I made my first assumption about how it works here, and later my concerns were confirmed by Max Hillebrand on Stephan Livera podcast:

Just, of course—we don’t know that you’re Stephan. We just see a random TOR identity popping up and registering a single coin. Another interesting thing is: if you have, let’s say, five coins that you want to register and one of them is risk factor 10 but the other four are not. The cool thing—what we fixed with WabiSabi—is that there is no longer input consolidation in the coordination protocol. Whereas ZeroLink, you had to provide one API request with one TOR identity where you list all of the inputs that you want to consolidate in this round.

They claim to have fixed this vulnerability in their new WabiSabi protocol but now I can't see a point in verifying that.

We didn't explain, because it's trivial. By architecture, the Wasabi coordinator cannot breach the privacy of its users. It does not mean the coordinator chooses to not collect data, but it means it couldn't collect even if it wanted to. The coordinator only knows of the UTXOs to take part in coinjoins - so does the public - and that's not a privacy leak.

If what Max says is true, then bold part is a lie.

[o_e_l_e_o]

Wasabi coordinator doesn't know anything that isn't known by the public.

Keep in mind that in addition to what has been discussed above, the Wasabi coordinator is now working with and sharing information with blockchain analysis companies, who will be drawing on a variety of non-public sources of information.

Wives and employers won't be able to follow the trail from the source to what was purchased. They also can't acquire this information by asking Wasabi or blockchain analysis firms.

Maybe they can. Wasabi's implementation of coinjoin has reportedly been breached:

Still, it seems that Wasabi has never been as safe as we all think:

Using a capability that is being disclosed here for the first time, Chainalysis de-mixed the Wasabi transactions and tracked their output to four exchanges.

Anyone else find it somewhat suspicious that Wasabi is compromised by blockchain analysis at the same time as they start working hand-in-hand with blockchain analysis firms?

[Pmalek]

Maybe they can. Wasabi's implementation of coinjoin has reportedly been breached:

Still, it seems that Wasabi has never been as safe as we all think:

Using a capability that is being disclosed here for the first time, Chainalysis de-mixed the Wasabi transactions and tracked their output to four exchanges.

So the guy found a vulnerability in the DAO and reported his findings. But he wasn't taken seriously and the developers thought it couldn't be exploited. To prove them wrong, he hacks the protocol and creates havoc for Ethereum. It really could be that German/Austrian lad. Even so, the article doesn't explain how he did it in a way for a non-computer and tech savvy housewife to use similar methods to discover what her husband has been buying.   

[BlackHatCoiner]

If what Max says is true, then bold part is a lie.

In ZeroLink - Sybil Attack's general schema, he says that Alice gives the coordinators her inputs of the pre-mix wallet and her blinded output(s). Doesn't this mean that the coordinator knows everyone's inputs and blinded outputs? Can't he sell this info to chain analysis companies right away? Why hustling and bustling with blacklisting?

[witcher_sense]

In ZeroLink - Sybil Attack's general schema, he says that Alice gives the coordinators her inputs of the pre-mix wallet and her blinded output(s). Doesn't this mean that the coordinator knows everyone's inputs and blinded outputs? Can't he sell this info to chain analysis companies right away? Why hustling and bustling with blacklisting?

Without blockchain surveillance firms and their arbitrary lists of "illegal" addresses and UTXOs, a CoinJoin coordinator won't know which inputs are worth reporting and selling. Without a CoinJoin coordinator that acts as a big honeypot for "criminals", blockchain surveillance firms won't know which "clean" inputs have a connection to "dirty" ones. It is a mutually beneficial collaboration in which both parties [can] make a profit by selling users' data to governments or whoever else pays more. However, the problem is that inputs are just half of a transaction, neither coordinators nor blockchain analysis firms can map inputs with outputs unless malicious developers introduce some vulnerabilities or backdoors into the protocol which will weaken the coinjoin process and make links between inputs and outputs less non-deterministic.

[BlackHatCoiner]

neither coordinators nor blockchain analysis firms can map inputs with outputs

But, isn't the blind output known by the coordinator according to the github link?

[witcher_sense]

But, isn't the blind output known by the coordinator according to the github link?

Sorry, I am not sure what you mean. From the github link you provided the process of CoinJoin consists of four steps:

Simplified workflow:

    1. User provides its input and a blinded output to the Tumbler.
    2. Tumbler signs the blinded output and gives it back to the User.
    3. User unblinds the signed blinded output and provides the server the signed output through a different anonymity network identity.
    4. The Tumbler constructs the CoinJoin transaction and gives out to the Users for signing.

Please pay attention to the highlighted part. That means you register your inputs and blind outputs with one Tor identity, but your unblinded outputs with another Tor identity.

[BlackHatCoiner]

That means you register your inputs and blind outputs with one Tor identity, but your unblinded outputs with another Tor identity.

Indeed, the coordinator knows nothing about who owns what. Although, it isn't so simple to comprehend at first sight, the two parties can hide their outputs (hence why "blinded outputs") using blind signature. And according to a BlindCoin's paper, older bitcoin mixers such as Bitcoin Fog, Bit Laundry and Blockchain.info hadn't used it.

It's also explained in the wiki:

Don't the users learn which inputs match up to which outputs?

In the simplest possible implementation where users meet up on IRC over tor or the like, yes they do. The next simplest implementation is where the users send their input and output information to some meeting point server, and the server creates the transaction and asks people to sign it. The server learns the mapping, but no one else does, and the server still can't steal the coins.

More complicated implementations are possible where even the server doesn't learn the mapping.

E.g. Using chaum blind signatures: The users connect and provide inputs (and change addresses) and a cryptographically-blinded version of the address they want their private coins to go to; the server signs the tokens and returns them. The users anonymously reconnect, unblind their output addresses, and return them to the server. The server can see that all the outputs were signed by it and so all the outputs had to come from valid participants. Later people reconnect and sign.

Similar things can be accomplished with various zero-knowledge proof systems.

It's nice to read all these proposals and papers which were written overtime, trying to make it function better. Bitcoin has, undeniably, come a long way in such short period.


However, I think this requires a small edit. 

Wasabi works thanks to a CoinJoin coordinator (run by zkSNACKs Ltd., the company that is sponsoring the development of Wasabi) who cannot steal from, nor breach the privacy of the participants. The company makes its income by taking a fee (0.003% * anonymity set) from each CoinJoin transaction.

[Pmalek]

However, I think this requires a small edit.  

Wasabi works thanks to a CoinJoin coordinator (run by zkSNACKs Ltd., the company that is sponsoring the development of Wasabi) who cannot steal from, nor breach the privacy of the participants. The company makes its income by taking a fee (0.003% * anonymity set) from each CoinJoin transaction.

It should say that the company is working to make Bitcoin non-fungible. We are also introducing taint and giving ourselves the right to censor and restrict our users from using the services being offered. You will be deanonymized, your data will be collected, sold, and shared with government agencies and third parties. And nobody is forcing us to do it, we have made this decision ourselves.

[o_e_l_e_o]

Even so, the article doesn't explain how he did it in a way for a non-computer and tech savvy housewife to use similar methods to discover what her husband has been buying.

Sure it does. Email Chainanlysis, ask them to de-anonymize a few Wasabi transactions for you, pay their fee, job done.

However, the problem is that inputs are just half of a transaction, neither coordinators nor blockchain analysis firms can map inputs with outputs unless malicious developers introduce some vulnerabilities or backdoors into the protocol which will weaken the coinjoin process and make links between inputs and outputs less non-deterministic.

A way of doing this, which is trivially easy when the coordinator is working hand-in-hand with a blockchain analysis company as is happening here, is for the blockchain analysis company to put forward a few dozen of their own inputs to be coinjoined. The coordinator then picks (for example) 19 inputs belonging to the blockchain analysis company and 1 input belonging to you. You think your outputs are obfuscated, but the blockchain analysis company knows exactly which ones are yours by process of elimination.

It should say that the company is working to make Bitcoin fungible.

Non-fungible.

[nopara73]

A way of doing this, which is trivially easy when the coordinator is working hand-in-hand with a blockchain analysis company as is happening here, is for the blockchain analysis company to put forward a few dozen of their own inputs to be coinjoined. The coordinator then picks (for example) 19 inputs belonging to the blockchain analysis company and 1 input belonging to you. You think your outputs are obfuscated, but the blockchain analysis company knows exactly which ones are yours by process of elimination.

What you are describing is called a targeted sybil attack, which is a known attack vector of all centrally coordinated coinjoins. In fact this is the only sybil attack that as far as I know is feasible to do, although it'd still be noticeable and it's still not a cheap attack. The coordinator has to provide hundreds of inputs and outputs (equivalent to hundreds of normal bitcoin transactions) to deanonymize a single UTXO. In fact double that cost as the attacker must prepare the UTXOs in advance by making transactions. Furthermore, it's also detectable by looking at the remixes in the coinjoin. If the remix ratio is different from other coinjoins then we would know the attack happened. You might think then the attacker should spend more money on fees to pre-mix coins to make the remix ratio perfect. But even then there would be a pattern with the timing of the pre-mixes that would clearly differ from normal coinjoin volume. Executing such attack in an unnoticeable fashion would cost an extraordinary amount of resources since to hide all the patterns the attack would have to keep participating in every single coinjoin with many inputs until the target UTXO would decide to mix so the attack can be cleanly executed.

This has nothing to do with blockchain analysis tho.