Bitcoin Forum
April 30, 2024, 05:59:15 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: Ultimate Bitcoin Privacy - Discussion  (Read 1573 times)
JollyGood
Legendary

Activity: 2520
Merit: 1713


April 07, 2023, 09:03:07 AM
 #61

Yes you have been open and transparent about Whirlwind and your posts demonstrate it. I think that is what people here appreciate when a team member or owner interacts with them in a transparent manner taking the time to provide explanations and answer questions no matter how difficult to explain or articulate.

As you stated, members only have your word to go by but the reviews and feedback of the website are positive and as your service progresses members will begin to make their own judgements in increasing numbers about the service and quality of service you provide. I tested the service and posted my review, it is a very simple service to use.

As for mixers seemingly launching on a daily basis, I have to say I cannot recall a time here when this many were being promoted via signature campaigns or a time when this many were using ANN threads frequently. It does provide competition for each other but if you have created something unique from your competitors from a technical perspective then they will have to play catch up.

After a quick navigation of the website anybody can see it is simple to use and the Fast or Notes options are extremely easy to select. It is a basic no-nonsense to the point website that is easy to navigate and that is a plus for end users and that should play a very important part as your business grows.

Having said that one of the fears people must have is about sending funds to mixers at the unfortunate time the mixer decides to exit scam (and to my knowledge it does happen from to time because people end up posting about getting scammed). Keeping that in mind this would be a very difficult question to answer but what can you say here and now to give confidence to forum members that a future exit scam is the furthest thing from your mind and what your very long term strategy is?
It's impossible to answer this question in a way that would have any sort of weight and I don't want to appear like I'm asking users to trust me just because I'm writing some messages here. My expertise/intentions will become clear from my actions as time goes on and that's the only way I can prove myself other than decentralizing the service.

I've been very transparent about every detail of Whirlwind, I've built everything from the ground up. I took the time to analyze every aspect of this business and I believe I came up with something unique in the Bitcoin space, something that our competitors don't even come close to from a technical standpoint.

It seems like a different mixer launches every day, but if you have a more in-depth look you will notice that each one of them has some major issues.
Use of [banned mixer] as their backend/very weak privacy set/ use of Cloudflare/ use of mixing codes which basically means keeping logs.

Even though I could have taken a lot of shortcuts in order to get the service out in 10x less time,  I chose to do everything the right way and made no compromises at all.

LoyceV
Legendary

Activity: 3290
Merit: 16577


Thick-Skinned Gang Leader and Golden Feather 2021


April 07, 2023, 11:46:10 AM
 #62

Even though I don't believe I have anything to worry about, I'd still prefer to add more signers to the multi-sig so I don't have full control anymore. This would make it safer for everyone, I really do not like the fact that users have to trust me.
Let's assume there are multiple trusted signers, and the system is nicely decentralized. Would it still be possible for you to pull an exit scam by creating notes that give you access to large funds? Wouldn't the signers just sign it? And if not: how would the signers know whether or not the note was created legitimately after a deposit?

whirlwindmoney (OP)
Copper Member
Member

Activity: 112
Merit: 338


April 07, 2023, 01:17:52 PM
Merited by LoyceV (8), JollyGood (1)
 #63

Even though I don't believe I have anything to worry about, I'd still prefer to add more signers to the multi-sig so I don't have full control anymore. This would make it safer for everyone, I really do not like the fact that users have to trust me.
Let's assume there are multiple trusted signers, and the system is nicely decentralized. Would it still be possible for you to pull an exit scam by creating notes that give you access to large funds? Wouldn't the signers just sign it? And if not: how would the signers know whether or not the note was created legitimately after a deposit?
Great question - the short answer is no, it wouldn't be possible for us to exit scam at that point.

Technical explanation

Whirlwind is based on a backend + validator (signer) model. The backend interacts with users by generating deposit addresses and processing withdrawals, while the validators (signers) validate all of the backend's actions. Whenever a withdraw transaction is being sent, the signatures must be retrieved from all validators which are able to verify the transaction is correct.

When a user deposits BTC using the fast withdraw method, the backend sends the deposit hash to the validators and whitelists the receiving addresses. After the signature is sent to the backend, the validators delete all proofs of those receiving addresses, keeping only the deposit transaction hash so that they would not accept a “duplicate proof”.

When a user deposits BTC using the Note method, the backend sends the deposit hash to the validators and they assign credit to the Note’s public key. When the user wants to withdraw his BTC, he must send a signature to the backend which will process this. This signature will also be sent to the validators which will check it and remove credit from the note’s public key and whitelist the receiving addresses.

If an attacker compromises the backend server, he would not be able to forge user Note signatures in order to fool a validator to send him funds, because only the users have access to the Note’s private keys. Again, the proofs are deleted after their use.

Comments

As explained above the signers are doing way more than just signing transactions, that's why I previously said that the only way we could get exploited is if an attacker gains access to all signers at once without us noticing.
Everything I said above would be provable at that point since the whole codebase would be open-source (if not open-source then at the very least all signers would have complete access to frontend/backend/signers code).
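The backend + validator split described in this post can be simulated end to end. The example below is added here and is not Whirlwind's code; the page does not say which signature scheme a Note's key uses, so a SHA-256 Lamport one-time signature stands in for it (an assumption, chosen so the script runs with the standard library only; a Lamport key may sign once, so this toy allows one withdrawal per Note). The validator keeps only the deposit hash and per-Note credit, rejects a replayed deposit proof, and, because it never holds the Note's private key, rejects both a forged authorisation and a real one whose destination was swapped. All txids and addresses are constructed values.

```python
import hashlib
import json
import secrets

# Assumed stand-in for the Note key scheme: Lamport one-time signatures over
# SHA-256. Not what Whirlwind uses (the page does not say); chosen because it
# needs no third-party library. One key = one signature.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def lamport_keygen():
    """Private key: 256 pairs of random 32-byte preimages; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk

def _msg_bits(msg: bytes):
    digest = sha256(msg)
    return [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    """Reveal, for every digest bit, the preimage that bit selects."""
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(_msg_bits(msg)))

def note_id(pk) -> str:
    """Validators index credit by a hash of the Note's public key."""
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()

def canonical(outputs) -> bytes:
    """Deterministic encoding of the withdrawal the Note holder authorises."""
    return json.dumps(sorted(outputs), separators=(",", ":")).encode()

class Validator:
    """One signer. It never holds Note private keys; it only checks proofs."""

    def __init__(self):
        self.seen_deposits = set()   # deposit txids already credited (anti-replay)
        self.credit = {}             # note_id -> sats

    def credit_note(self, deposit_txid: str, nid: str, sats: int) -> bool:
        # The backend relays the deposit hash; a repeated hash is a duplicate proof.
        if deposit_txid in self.seen_deposits:
            return False
        self.seen_deposits.add(deposit_txid)
        self.credit[nid] = self.credit.get(nid, 0) + sats
        return True

    def authorize_withdraw(self, pk, sig, outputs) -> bool:
        """True (this validator would sign) only if the Note holder authorised
        exactly these outputs and the Note has enough credit."""
        nid = note_id(pk)
        if not lamport_verify(pk, canonical(outputs), sig):
            return False           # forged or tampered authorisation
        total = sum(sats for _, sats in outputs)
        if self.credit.get(nid, 0) < total:
            return False           # overspend
        self.credit[nid] -= total  # credit removed before outputs are whitelisted
        return True

def demo():
    """Constructed scenario: one legitimate withdrawal, then backend-side attacks."""
    user_sk, user_pk = lamport_keygen()           # generated on the user's side
    v = Validator()
    nid = note_id(user_pk)
    txid = "deadbeef" * 8                          # constructed deposit txid
    credited = v.credit_note(txid, nid, 110_000)
    replayed = v.credit_note(txid, nid, 110_000)   # duplicate proof must fail
    outputs = [("bc1q_constructed_user_addr", 100_000)]
    sig = lamport_sign(user_sk, canonical(outputs))
    legit = v.authorize_withdraw(user_pk, sig, outputs)
    # Attacker with full backend access knows pk and the outputs, but not sk:
    forged = v.authorize_withdraw(user_pk, [secrets.token_bytes(32)] * 256, outputs)
    # Attacker replays the real signature but swaps the destination address:
    swapped = v.authorize_withdraw(user_pk, sig, [("bc1q_constructed_attacker_addr", 100_000)])
    return credited, replayed, legit, forged, swapped, v.credit[nid]

if __name__ == "__main__":
    print(demo())  # (True, False, True, False, False, 10000)
```

The thing to notice is that the validator's state is only `{deposit hash, note_id, credit}`: compromising the backend yields nothing that lets an attacker produce an authorisation the validators accept, which is the property the post is relying on.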
whirlwindmoney (OP)
Copper Member
Member

Activity: 112
Merit: 338


April 09, 2023, 02:08:08 AM
Merited by LoyceV (4)
 #64

Crossposting this - very important update!

Changelog

04.09.2023 00:00:00 AM UTC
-Fee is now optional and will be treated as a donation, you can choose any amount between 0% and 4%
-Withdraw fee for each output address was lowered by another 25% from 0.0001BTC to 0.000075BTC
-Most of clearnet stability issues solved - still actively monitoring and testing
-Frontend responsive on mobile
-Backend-signers connection issues solved (the reason some withdrawals were delayed)
-FAQ updated

Update completed - everything is back online working in normal conditions | Please keep in mind that if you experience issues with the Clearnet version it's most likely because of our DDoS protection system, I am still tweaking it while we are under attack continuously. I'll sort it out without a doubt but it takes some time to do that, so until everything is set please use the Tor version if you experience any issues on Clearnet, that will most likely work without any issues at all.

I am working on displaying the anonymity set on the main page for each one of your selected outputs (number of deposits it could have originated from), so users know exactly how anonymous their bitcoin really is after using our service. I still feel like most users are not yet aware of how Whirlwind actually works and why it's the superior choice from a privacy perspective, so understanding what anonymity set means and seeing it grow each time you enter the website should make it easier for everyone to grasp the concept. It's just a matter of time until everyone gets used to the system and understands the undeniable advantages it offers.

I believe the decision to make the fees optional is wise for 2 reasons:
1. The only disadvantage of Whirlwind's mechanism is that at the start of the service the privacy set is weak due to the fact that there are few deposits. Making the fees optional should encourage more users to give the service a try, and by doing this they are helping all future users by increasing the anonymity set, making everything more secure.
2. A donation based business model was already proven to work before

The current plan is to leave the fees optional indefinitely, but if we won't generate enough revenue to be sustainable after the first 3 months we will have to implement a minimum fee again.

I'll answer any question or concern you might have!
nioctib_100
Full Member

Activity: 130
Merit: 150



April 11, 2023, 12:34:45 AM
Last edit: April 11, 2023, 04:38:46 PM by nioctib_100
Merited by NotATether (20), LoyceV (12), whirlwindmoney (10), Rikafip (1)
 #65

I hate the word "revolutionize," so I mean it when I say that blind certificates could actually revolutionize the mixer industry. They're going to be important to understand if you're in this space, so as a weekend project, I tried my best to create an easy-to-understand explanation graphic. Of course my guide simplifies the info a little, but it's meant to explain this stuff to beginners. There's more to add at a later date, but this should be a good start!




whirlwindmoney (OP)
Copper Member
Member

Activity: 112
Merit: 338


April 11, 2023, 03:12:36 AM
Merited by NotATether (10), nioctib_100 (3)
 #66

I hate the word "revolutionize," so I mean it when I say that blind certificates could actually revolutionize the mixer industry. They're going to be important to understand if you're in this space, so as a weekend project, I tried my best to create an easy-to-understand explanation graphic. Of course my guide simplifies the info a little, but it's meant to explain this stuff to beginners. There's more to add at a later date, but this should be a good start!

Great explanation and I'm glad you found the idea interesting enough to allocate time for this!

I want to mention that while we certainly could store logs about every transaction and we can't prove that we don't, in case you believe that we don't then I'll tell you how the current system works: we only store a Note's public key and balance in the database, when you generate a Note that is its corresponding private key. So in the database the Notes are not stored in chronological order, it's random. There is no link between a Note's public key and its corresponding deposit because we don't store anything about that. If you want to take it a step further you could withdraw a small percentage of the Note or combine 2 of them together so you alter the link between the exact deposit amount and Note public key balance in our database.

Whirlwind is built in a way that makes it possible to implement Blind Certificates, as an example our version would look like this:

There will be 5 Blind Certificates denominations, 10BTC | 1BTC | 0.1BTC | 0.01BTC | 0.001BTC

Each one will have its own Anonymity set, which means that if there are 100 x 1BTC Blind Certificates issued, if you redeem one of them it could be any of the 100 issued certificates from Whirlwind's perspective. The only known information to anyone including us is that one of the 100 issued certificates was redeemed.

The flow looks like this: User deposits 1.1BTC using the Note method and now holds a private key. With this private key he would then issue two Blind Certificates, one of them for 1BTC, and the other for 0.1BTC. Now his deposit is provably anonymous. Whenever he wants to withdraw, he redeems the two Blind Certificates for one or more Notes, and he follows the normal Note withdrawal procedure. In this case the user would be protected by 2 Anonymity sets, the public one which is the one that is now shown on the website, and by the Blind Certificates one, which proves beyond any doubt that you indeed got complete anonymity using the service.

For the moment I'll wait until people understand how Whirlwind works in its current form and the service starts to see some more serious usage, and if this concept generates interest until then I'll implement it in a fairly short timeframe.
nioctib_100
Full Member

Activity: 130
Merit: 150



April 11, 2023, 03:39:31 AM
Merited by NotATether (5)
 #67


I want to mention that while we certainly could store logs about every transaction and we can't prove that we don't, in case you believe that we don't then I'll tell you how the current system works: we only store a Note's public key and balance in the database, when you generate a Note that is its corresponding private key. So in the database the Notes are not stored in chronological order, it's random. There is no link between a Note's public key and its corresponding deposit because we don't store anything about that. If you want to take it a step further you could withdraw a small percentage of the Note or combine 2 of them together so you alter the link between the exact deposit amount and Note public key balance in our database.


Absolutely, it's important to understand that Whirlwind goes above and beyond the standard, generic mixer, assuming we trust their word, which I do (but that's up to everyone here to make their own decision).

Great explanation and I'm glad you found the idea interesting enough to allocate time for this!

Thanks! What I think is so industry-changing about the blind certificate model is how these blind certificates are as good as cash, so they're transferrable, fungible, and they store value. No other mixer creates something like that. You could have secondary markets built where people could swap around their blind certificates to further enhance their privacy, which is something Theymos proposed back in 2018 when he briefly discussed blind certificates. It's exciting to be a witness to the beginning of all of this because for once, it's something bigger than just a single mixer. If successful, it creates an entirely new, layered system where others can build off the blind certificate model that Whirlwind creates.

Another thing that is so interesting IMO is how applying blind certificates to payments/money was first proposed 40 years ago. You have to wonder "how has this not been built before?" I think once in a lifetime, you might get lucky and stumble upon sort of "ancient wisdom" (for lack of a better term) that has been merely forgotten until now. My favorite entrepreneur example of this sort of thing is Gose: a type of beer that is becoming very popular only in recent years, yet it was invented in the 1200s. It went completely extinct before being rediscovered and reintroduced in the 1980s by a normal man who owned a pretty small pub in Germany. This was a man who searched through history to find an "ancient wisdom" sort of drink and reintroduce roughly the same formula in modern time. And boom, he became a multi-millionaire. That's what we're seeing happen with this blind certificate model - something that was first proposed very publicly 40 years ago, but then for one reason or another, no one stepped up to actually put it into practice.

If we could debate the reasons why, I'd argue that the corporate banking system has had a hand in suppressing this technology. It's utterly a direct threat to their existence. There's no other way to put it.
NotATether
Legendary

Activity: 1582
Merit: 6715


bitcoincleanup.com / bitmixlist.org


April 11, 2023, 07:25:51 AM
 #68

I hate the word "revolutionize," so I mean it when I say that blind certificates could actually revolutionize the mixer industry. They're going to be important to understand if you're in this space, so as a weekend project, I tried my best to create an easy-to-understand explanation graphic. Of course my guide simplifies the info a little, but it's meant to explain this stuff to beginners. There's more to add at a later date, but this should be a good start!


If the image is a little blurry, you can click it to view the full size.

Excellent stuff, but I think you should make the image a little bigger, as it is hard to read the small parts of the text without clicking.

The flow looks like this: User deposits 1.1BTC using the Note method and now holds a private key. With this private key he would then issue two Blind Certificates, one of them for 1BTC, and the other for 0.1BTC. Now his deposit is provably anonymous. Whenever he wants to withdraw, he redeems the two Blind Certificates for one or more Notes, and he follows the normal Note withdrawal procedure. In this case the user would be protected by 2 Anonymity sets, the public one which is the one that is now shown on the website, and by the Blind Certificates one, which proves beyond any doubt that you indeed got complete anonymity using the service.

I don't completely understand where the two anonymity sets come from. Do you mean the coins are taken from the 1BTC and 0.1BTC anonymity sets? And in which order?

If we could debate the reasons why, I'd argue that the corporate banking system has had a hand in suppressing this technology. It's utterly a direct threat to their existence. There's no other way to put it.

Of course, the rogue moneyball gallery want everyone to use CBDCs instead of dollar notes, so nothing to see here.

Banks shouldn't really be concerned about mixers. That's more of the Fed's problem.

LoyceV
Legendary

Activity: 3290
Merit: 16577


Thick-Skinned Gang Leader and Golden Feather 2021


April 11, 2023, 08:02:21 AM
 #69

I tried my best to create an easy-to-understand explanation graphic.
Can you (significantly) increase the resolution? The small font doesn't do it justice.



While discussing Bitcoin privacy and blind certificates, I think this topic (from 2016) never received the attention it deserves: Hiding entire content of on-chain transactions. The same author later implemented it as blackbytes, but it never took off. I'm not quoting the entire post, please just read the topic. I'll only post this summary:
So if I understand correctly, the public block chain is just a "bag of hashes" which cannot be verified or anything by any node or miner. It is just a block chain of "data". These data only have meaning for the people receiving "banknote files", which allows them to check the validity of the whole "banknote". The hashes are in fact nothing else but hashes of "signed transactions", like with bitcoin, except that only the *signature hash* goes on the public block chain, and the actual transaction data remain on the individual banknote file. Is that the gist? In fact, you need, as you say, TWO signatures (or hashes of signatures): one is the transaction signature (including the new beneficiary) and the other is the "spend" signature of simply the previous output. The first signature (spending signature) makes that you cannot do double spending any more (you have invalidated the file up to the point where you transmit it), and the second signature allows the receiver to have a valid "new address" that he can spend (and only he, because only he has the secret key that goes with it like on bitcoin).

This is indeed a very, very good idea! Money becomes more "physical" again: they are files!

whirlwindmoney (OP)
Copper Member
Member

Activity: 112
Merit: 338


April 12, 2023, 06:29:53 AM
 #70

The flow looks like this: User deposits 1.1BTC using the Note method and now holds a private key. With this private key he would then issue two Blind Certificates, one of them for 1BTC, and the other for 0.1BTC. Now his deposit is provably anonymous. Whenever he wants to withdraw, he redeems the two Blind Certificates for one or more Notes, and he follows the normal Note withdrawal procedure. In this case the user would be protected by 2 Anonymity sets, the public one which is the one that is now shown on the website, and by the Blind Certificates one, which proves beyond any doubt that you indeed got complete anonymity using the service.

I don't completely understand where the two anonymity sets come from. Do you mean the coins are taken from the 1BTC and 0.1BTC anonymity sets? And in which order?

My bad, in fact in my example there are 3 Anonymity sets involved. One of them is the public Anonymity Set visible to anyone on the website (total number of deposits), the second one is the 1BTC Blind Certificate Anonymity Set, and the third one is the 0.1BTC Anonymity Set.

For an outside observer only the public Anonymity Set matters since he won't even be able to know if you used Blind Certificates or not. As long as you believe we don't store logs then the public Anonymity Set should be the only one that matters to you too. But if you are concerned that we store logs/act maliciously then the figure you should care about is the specific blind certificate's anonymity set that you are using at that time.

While discussing Bitcoin privacy and blind certificates, I think this topic (from 2016) never received the attention it deserves: Hiding entire content of on-chain transactions. The same author later implemented it as blackbytes, but it never took off. I'm not quoting the entire post, please just read the topic. I'll only post this summary:

Very interesting - I think it's important I mention that when applied to our use-case actual Blind Certificates would introduce at least one huge security issue, but thankfully we already found a solution to this in case we ever need to implement it.

You are reinventing zerocoin.

Not at all.  Zerocoin is based on zero knowledge proofs, while Byteball's private payments don't rely on any advanced crypto, just plain old hashes.

Our implementation would have to involve zero knowledge proofs and in short here is why:

We decided to use Groth16 ZK-SNARKS for this, instead of blind signatures, because of an important security problem in our architecture with blind signatures: if the private key which is used for the blind signatures is stored on the backend server, an attacker who compromises it would be able to forge certificates which the validators will trust, and therefore drain the wallet, basically making the backend+validator architecture that I explained in a previous message useless.

With a ZK-proof, the attacker would not be able to do this, because the secret witnesses used to prove a certain withdraw is valid are generated by the user in the frontend, so not even the backend can forge these proofs. At some point, we will make the frontend open source, which will reveal all of the backend's endpoints, so you can build/host your own frontend for this, or even create a CLI.

The architecture would look like this: we store a merkle tree of the users' public statements in the database. When a user redeems a note for certificates, we store the user's public statements in the tree. When a user wants to redeem the certificates for a note, the frontend, using the user's secret witness, will be able to prove to the backend (AND the validators) that he has the secret witness of a certain leaf in the tree, without actually saying which leaf it is. This makes it totally anonymous towards us, the operators, as well.
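The data structure underneath the design in this post (and the per-denomination anonymity sets from post #66) can be shown without the SNARK. The example below is added here and is not Whirlwind's code. It implements the commitment tree, the Merkle path that would be the user's private input to the circuit, the nullifier that blocks a second redemption, and the greedy split of a deposit into the five denominations; the Groth16 proof that hides which leaf is being spent is not implemented, so `redeem()` checks the witness in the clear purely to illustrate the statement the circuit would prove. Names, the nullifier derivation and the leaf encoding `H(secret || seed)` are assumptions; all values are constructed.

```python
import hashlib
import secrets

# Added example, not Whirlwind's code. The ZK-SNARK is NOT implemented: the
# statement it would prove ("I know secret, seed with H(secret||seed) in the
# tree under root R") is checked directly here for illustration only.

# The five denominations from post #66, in satoshis: 10, 1, 0.1, 0.01, 0.001 BTC.
DENOMS_SATS = [1_000_000_000, 100_000_000, 10_000_000, 1_000_000, 100_000]

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def split_into_certificates(sats: int):
    """Greedy split of a Note balance into denominations; the remainder stays
    on the Note because no certificate covers it."""
    certs = []
    for d in DENOMS_SATS:
        while sats >= d:
            certs.append(d)
            sats -= d
    return certs, sats

def _pad(level):
    return level + [level[-1]] if len(level) % 2 else level

def merkle_root(leaves) -> bytes:
    """Root of a binary SHA-256 tree; an odd level duplicates its last node."""
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_path(leaves, index):
    """Sibling hashes with side flags, leaf to root. This is the witness the
    user feeds to the circuit rather than revealing it to the operator."""
    path, level, i = [], list(leaves), index
    while len(level) > 1:
        level = _pad(level)
        path.append((level[i ^ 1], i & 1))   # flag 1: our node is the right child
        level = [H(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i >>= 1
    return path

def verify_membership(leaf: bytes, path, root: bytes) -> bool:
    node = leaf
    for sibling, we_are_right in path:
        node = H(sibling, node) if we_are_right else H(node, sibling)
    return node == root

class DenominationPool:
    """One anonymity set: every certificate of one denomination lives here."""

    def __init__(self, denom: int):
        self.denom, self.leaves, self.spent_nullifiers = denom, [], set()

    def issue(self, secret: bytes, seed: bytes) -> int:
        """Note -> certificate. Only the commitment (public statement) is stored."""
        self.leaves.append(H(secret, seed))
        return len(self.leaves) - 1

    @property
    def anonymity_set(self) -> int:
        return len(self.leaves)

    def redeem(self, secret: bytes, seed: bytes, path) -> bool:
        """Certificate -> Note. In production only a ZK proof and the nullifier
        reach the validators; the nullifier alone does not identify the leaf."""
        nullifier = H(b"nullifier", seed)               # assumed derivation
        if nullifier in self.spent_nullifiers:
            return False                                 # already redeemed
        if not verify_membership(H(secret, seed), path, merkle_root(self.leaves)):
            return False                                 # witness not in the tree
        self.spent_nullifiers.add(nullifier)
        return True

def demo():
    pool = DenominationPool(100_000_000)                # the 1 BTC pool
    for _ in range(3):                                   # constructed: 3 earlier users
        pool.issue(secrets.token_bytes(32), secrets.token_bytes(32))
    certs, change = split_into_certificates(110_000_000) # the 1.1 BTC deposit from post #66
    secret, seed = secrets.token_bytes(32), secrets.token_bytes(32)
    idx = pool.issue(secret, seed)                       # our 1 BTC certificate
    path = merkle_path(pool.leaves, idx)
    first = pool.redeem(secret, seed, path)
    second = pool.redeem(secret, seed, path)             # double redeem: nullifier spent
    wrong = pool.redeem(secrets.token_bytes(32), secrets.token_bytes(32), path)
    return certs, change, pool.anonymity_set, first, second, wrong

if __name__ == "__main__":
    print(demo())  # ([100000000, 10000000], 0, 4, True, False, False)
```

Two practical points the code makes visible: the root changes every time a certificate is issued, so a deployment must accept proofs against recent historical roots rather than only the current one; and the nullifier set is the only state that must be durable, since losing it would allow every outstanding certificate to be redeemed twice.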
whirlwindmoney (OP)
Copper Member
Member

Activity: 112
Merit: 338


April 22, 2023, 03:10:40 AM
Merited by BlackHatCoiner (4)
 #71

Crossposting this - very exciting news, please let us know what you think!


IMPORTANT UPDATE

We just completed the most important upgrade to date, the changelog is available at the end of this message. Some major changes have been made so we suggest everyone reads the FAQ again and perhaps even give the service a try with a small amount since it's essentially free now. We will also work on video tutorials now that the platform will be mostly unchanged going forward. ANN thread presentation will also be updated to reflect the latest changes.

We are most excited about the introduction of the Pay to Note feature and fungible outputs.

The Pay to Note feature enables instant, feeless and anonymous BTC transactions. Gone are the days where you want to send some Bitcoin to your friend but you worry about him checking out your past transactions so instead you are forced to use Monero. Now it's possible to do everything with Bitcoin with much more convenience and in much better conditions since all transfers are instant and free. Whirlwind is the first and only service to ever implement such a feature and we hope that our users see the value and opportunities that this brings.

Outputs are now fungible, meaning every single withdraw will look exactly the same for outside observers. This greatly increases privacy for all users since it's much harder to track what is happening behind the scenes only by looking at transactions.

We are ready to answer any questions and looking forward to read your feedback.

p.s. Clearnet is still under DDoS and offline, please use the Tor version for now. We will solve this issue too in the following days, apologies for any inconvenience caused but this was not a priority.

Changelog

04.22.2023 01:00:00 AM UTC
-Pay to Note feature implemented enabling instant, feeless and anonymous Bitcoin transactions.
-Complete compliance module - Whirlwind provides a signed Guarantee Letter for every action executed by the end user. It's the end user's responsibility to save all the guarantee letters and use them as needed.
-new UI and FAQ for better user experience
-stability issues completely fixed, all delay times will be respected to the minute
-withdraw fees are reduced to 2500 sats/address from 7500 sats/address
-fast mode is deprecated, everyone will have to use the Note system. you will still be able to withdraw instantly after your deposit is confirmed so it can be used in the same way as the fast mode
-outputs are now fungible, namely 0.001BTC, 0.005BTC, 0.01BTC, 0.05BTC, 0.1BTC, 0.5BTC, 1BTC, 10BTC. the unspent balance will remain on the Note and you can withdraw it at any time
BlackHatCoiner
Legendary

Activity: 1498
Merit: 7307


Farewell, Leo


April 22, 2023, 09:44:56 AM
 #72

Tried it. I created two notes, got their public addresses, and sent bitcoin back and forth. The inconvenience I notice is that I must withdraw fixed amounts (e.g., 0.001, 0.005, 0.01 etc.). Fixed amounts aren't the problem per se. What might annoy someone is that you enforce an arbitrary fee rate (2500 sats per address). I don't get why you don't let the users choose themselves. At the moment, I have about 800,000 sats in notes, and I'll have to mix another 200,000, so I can merge them together into 0.01, to save 7500 sats in fees.

You're also showing in the main page how many anonymity sets there are. Is it because it's trivial for an adversary to figure that out in the chain?

whirlwindmoney (OP)
Copper Member
Member

Activity: 112
Merit: 338


April 22, 2023, 11:14:59 AM
 #73

Tried it. I created two notes, got their public addresses, and sent bitcoin back and forth. The inconvenience I notice is that I must withdraw fixed amounts (e.g., 0.001, 0.005, 0.01 etc.). Fixed amounts aren't the problem per se. What might annoy someone is that you enforce an arbitrary fee rate (2500 sats per address). I don't get why you don't let the users choose themselves. At the moment, I have about 800,000 sats in notes, and I'll have to mix another 200,000, so I can merge them together into 0.01, to save 7500 sats in fees.
We could let users withdraw arbitrary amounts like before too after clicking a checkbox saying something along the lines of "I understand that if I withdraw an arbitrary amount my withdrawal could be deanonymized under certain conditions", but there are not many arguments in favor of it since the privacy levels increased by multiple folds with the introduction of fungible outputs, and if you are really that concerned about the 2500 sats fee you can just keep the balance on the Note until you reach a fixed amount that you can withdraw at once. Transfers between Notes are 100% free, not subject to any 2500 sats fee.

We can't let users choose the fees themselves because all transactions are sent from the same multi-sig, so we can't really afford to have any of them stuck for a long time. Assuming the user chooses a 0% donation, if we pay more than 10 sats/vB for his individual withdrawal then we're losing money. On the other hand, in a month we lowered the fee 6x from 15000 sats to 2500, so this is already some good progress and cheaper than anything else, and depending on the profitability we'll eliminate this altogether.

You're also showing on the main page how many anonymity sets there are. Is it because it's trivial for an adversary to figure that out on the chain?
Our multi-sig is always visible at this address:

https://mempool.space/address/bc1qf8h5k6sash8007vpesymxkw2xsg5d0r3j4l5vmcrwpz2pqu66fjstzgd3r

We are showing the Anonymity set on the website too so users are aware of the exact level of anonymity they are getting when using Whirlwind and to make it easier for them to figure out when new deposits were made without having to check the chain themselves. Again this is public knowledge so there is no reason not to show it.
blindmixer
Copper Member
Newbie
*
Offline Offline

Activity: 29
Merit: 28


View Profile WWW
April 22, 2023, 12:57:07 PM
 #74

blindmixer might be a nice example of this: we already utilize blind schnorr signatures, and have full non-repudiation:

every action taken by the client requires a signature that only the client can generate, as such we cannot dupe any single user with it being provable.

A consequence of this is that it is a little more complex than a single webpage: the client needs to actively generate signatures and store them. JS will be required. Still, we believe that we packaged it as simply as possible for the average user.

A huge drawback currently is that our scheme is centralized, meaning that we can exit-scam at any point. We have looked into using a MuSig scheme with multiple signers, and it should definitely be possible. Don't think it will play very nicely with lightning as of right now, but that will undoubtedly change in the future.

LoyceV
Legendary
*
Offline Offline

Activity: 3290
Merit: 16577


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
April 22, 2023, 01:28:35 PM
 #75

It looks like you're first sending all deposits to your own multisig address, and then consolidating them again into the same address. Why don't you skip a step by consolidating deposits while processing withdrawals?
So instead of:
deposit A > multisig
deposit B > multisig
multisig > multisig + withdrawal C
You'd get:
deposit A + deposit B + multisig > multisig + withdrawal C

whirlwindmoney (OP)
Copper Member
Member
**
Offline Offline

Activity: 112
Merit: 338


View Profile
April 22, 2023, 03:18:20 PM
Merited by LoyceV (4)
 #76

It looks like you're first sending all deposits to your own multisig address, and then consolidating them again into the same address. Why don't you skip a step by consolidating deposits while processing withdrawals?
So instead of:
deposit A > multisig
deposit B > multisig
multisig > multisig + withdrawal C
You'd get:
deposit A + deposit B + multisig > multisig + withdrawal C

Multiple reasons:
1) Security is our top priority, so in order for the signers to be able to register and validate each deposit 100% reliably, the transaction from the intermediary address to the multi-sig needs to be broadcast. We are sacrificing some sats paid extra in fees for an unbreakable system in regards to loss of funds for any reason other than us, the operators, acting maliciously.
2) We might not necessarily pay extra in fees, since right now we can broadcast all deposit transactions (deposit x > multisig) at a very low fee regardless of congestion. Output transactions from the multi-sig need to be broadcast with higher fees so they don't get stuck.
3) We want to leave some UTXOs available in case a transaction still gets stuck even with a higher fee.

Other than working on other features and exploring ways to decentralize the service completely our job should now be as easy as this: pay the servers and change them once in a while just in case. Whirlwind could be considered a blockchain, the only missing piece is decentralization meaning more signers. We are considering a system where in order to be a signer you are required to deposit a certain amount of BTC, and we implement a slashing mechanism to deal with bad actors. We will give more details once we have an actual plan, until then we're patiently waiting to see if demand for something like this actually exists. From a technical point of view we are by far the superior privacy solution available for Bitcoin today, so if something like this isn't used (even when it's essentially free) then it's certainly not worth wasting time to develop it further.
BlackHatCoiner
Legendary
*
Online Online

Activity: 1498
Merit: 7307


Farewell, Leo


View Profile
April 22, 2023, 03:27:09 PM
 #77

Apologies for my difficulty comprehending blinded certificates, but I still don't understand what prevents you from keeping logs which would give away the activity of the users. For example, I created a note and deposited money to an address tied to that note. You could have kept that. Then, when someone sent me money to my public address, you could have known which note was spent to which public address.

Unless the front-end is coded in such a manner that prevents the unveiling of that information, I don't know how provable privacy is ensured.

We can't let users choose the fees themselves because all transactions are sent from the same multi-sig so we can't really afford to have any of them stuck for a long time.
Okay, but that doesn't answer why you have an arbitrary fee rate. The network could be flooded with transactions such that maybe 2500 sat/addy is not even enough.

whirlwindmoney (OP)
Copper Member
Member
**
Offline Offline

Activity: 112
Merit: 338


View Profile
April 22, 2023, 04:19:33 PM
 #78

Okay, but that doesn't answer why you have an arbitrary fee rate. The network could be flooded with transactions such that maybe 2500 sat/addy is not even enough.
We simply do not want to add more moving parts where they are not necessarily needed, in order to improve stability. The backend and signers have to validate every single action, and adding more friction at the withdrawal stage by making the fees dynamic doesn't seem like a good idea. We'd prefer to eliminate them altogether if this is really an issue; we want the system to work without ever needing our intervention, and we achieved this in the current form.

Apologies for my difficulty comprehending blinded certificates, but I still don't understand what prevents you from keeping logs which would give away the activity of the users. For example, I created a note and deposited money to an address tied to that note. You could have kept that. Then, when someone sent me money to my public address, you could have known which note was spent to which public address.

Unless the front-end is coded in such a manner that prevents the unveiling of that information, I don't know how provable privacy is ensured.
It's a misunderstanding, Blinded Certificates are not implemented in the current version. I explained how it would work in Whirlwind's case in the messages I'll quote below, but we are not really in a rush to implement it as it's quite apparent most users don't care that much about this aspect so it's not yet a priority.

I hate the word "revolutionize," so I mean it when I say that blind certificates could actually revolutionize the mixer industry. They're going to be important to understand if you're in this space, so as a weekend project, I tried my best to create an easy-to-understand explanation graphic. Of course my guide simplifies the info a little, but it's meant to explain this stuff to beginners. There's more to add at a later date, but this should be a good start!

Great explanation and I'm glad you found the idea interesting enough to allocate time for this!

I want to mention that while we certainly could store logs about every transaction and we can't prove that we don't, in case you believe that we don't then I'll tell you how the current system works: we only store a Note's public key and balance in the database; when you generate a Note, that is its corresponding private key. So in the database the Notes are not stored in chronological order, it's random. There is no link between a Note's public key and its corresponding deposit because we don't store anything about that. If you want to take it a step further you could withdraw a small percentage of the Note or combine 2 of them together so you alter the link between the exact deposit amount and the Note public key balance in our database.

Whirlwind is built in a way that makes it possible to implement Blind Certificates, as an example our version would look like this:

There will be 5 Blind Certificates denominations, 10BTC | 1BTC | 0.1BTC | 0.01BTC | 0.001BTC

Each one will have its own Anonymity set, which means that if there are 100 x 1BTC Blind Certificates issued, if you redeem one of them it could be any of the 100 issued certificates from Whirlwind's perspective. The only known information to anyone, including us, is that one of the 100 issued certificates was redeemed.

The flow looks like this: User deposits 1.1BTC using the Note method and now holds a private key. With this private key he would then issue two Blind Certificates, one of them for 1BTC, and the other for 0.1BTC. Now his deposit is provably anonymous. Whenever he wants to withdraw, he redeems the two Blind Certificates for one or more Notes, and he follows the normal Note withdrawal procedure. In this case the user would be protected by 2 Anonymity sets, the public one which is the one that is now shown on the website, and by the Blind Certificates one, which proves beyond any doubt that you indeed got complete anonymity using the service.

For the moment I'll wait until people understand how Whirlwind works in its current form and the service starts to see some more serious usage, and if this concept generates interest until then I'll implement it in a fairly short timeframe.

And here is a more technical explanation for why Blinded Signatures are not enough in Whirlwind's case and why we would need to use zk-snarks instead:

Our implementation would have to involve zero knowledge proofs and in short here is why:

We decided to use Groth16 ZK-SNARKs for this, instead of blind signatures, because of an important security problem in our architecture with blind signatures: if the private key which is used for the blind signatures is stored on the backend server, an attacker who compromises it would be able to forge certificates which the validators will trust, thereby draining the wallet, basically making the backend+validator architecture that I explained in a previous message useless.

With a ZK-proof, the attacker would not be able to do this, because the secret witness used to prove that a certain withdrawal is valid is generated by the user in the frontend, so not even the backend can forge these proofs. At some point, we will make the frontend open source, which will reveal all of the backend's endpoints, so you can build/host your own frontend for this, or even create a CLI.

The architecture would look like this: we store a merkle tree of the users' public statements in the database. When a user redeems a note for certificates, we store the user's public statements in the tree. When a user wants to redeem the certificates for a note, the frontend, using the user's secret witness, will be able to prove to the backend (AND the validators) that he has the secret witness of a certain leaf in the tree, without actually saying which leaf it is. This makes it totally anonymous towards us, the operators, as well.
LoyceV
Legendary
*
Offline Offline

Activity: 3290
Merit: 16577


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
May 06, 2023, 09:54:23 AM
 #79

I'm quoting OP from another topic to bring the discussion here:
When you 'generate' a Note on the website the private key you are getting is a normal Bitcoin private key. It starts with 'ww-' so it's easier to distinguish from other bitcoin private keys you have in case you save them in the same place.

The Note Public Address is in fact the Legacy Bitcoin address corresponding to the private key you saved, the only difference is that every '1' is changed to 'ww' so again, you can easily distinguish a Whirlwind Note from a Bitcoin address.

Example:
ww-L4xK361wZYYxJg7vSwXgDTVBVXY4JfgYrUU5QZic2nNB9PUbMzbt - Note Private Key
ww8Sf8x3GBUiTxg55RQEzynf2Cdyy7F1ihh - Note Public Address

L4xK361wZYYxJg7vSwXgDTVBVXY4JfgYrUU5QZic2nNB9PUbMzbt - Bitcoin Private Key
18Sf8x3GBUiTxg55RQEzynf2Cdyy7F1ihh - Legacy Bitcoin address

If you do not want to generate the Note on the website you can simply use any other private key and it will work the same.
Example: Imagine you need to receive a payment so you generate a new address locally and send the Legacy address to the sender expecting a normal Bitcoin transfer. The sender can now pay you instantly, anonymously and for free through Whirlwind even if you didn't know we existed. You could then access the website and withdraw your funds to your desired address. (the sender can also send you the LoG for the Pay to Note transfer proving that he sent the funds)
(I've shortened the quotes a bit to focus on the relevant parts)

I have some doubts: if I'm expecting a Bitcoin transaction, I wouldn't appreciate being told to use a third party to collect my money. The sender could instead have withdrawn the note himself, and sent an on-chain transaction to my address.
As a sender, I also wouldn't really want to rely on a third party to send funds and provide evidence. No matter how trusted your service becomes, it's never as strong as on-chain evidence. Unless you don't want an on-chain transaction trail of course.
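The quoted Note format above (a legacy address whose leading '1' is written as "ww", and a WIF key prefixed with "ww-") can be checked offline. The following is an added example, not Whirlwind's code; it follows the page's own example pair, in which only the leading '1' is rewritten (the '1' inside "7F1ihh" stays), and validates the result with the standard Base58Check checksum so that a mis-typed or mis-split Note address is rejected rather than silently accepted.

```python
import hashlib

# Added example, not the project's code. Assumed from the thread: a Note public
# address is the legacy (version 0x00) address with its leading '1' written as "ww".
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || 4-byte double-SHA256 checksum."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58check_decode(s: str) -> bytes:
    """Inverse of b58check_encode; raises ValueError on a bad checksum."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * (len(s) - len(s.lstrip("1"))) + body
    if _checksum(data[:-4]) != data[-4:]:
        raise ValueError("bad checksum")
    return data[:-4]


def legacy_to_note(addr: str) -> str:
    """'18Sf...' -> 'ww8Sf...': each leading '1' becomes 'ww'."""
    lead = len(addr) - len(addr.lstrip("1"))
    return "ww" * lead + addr[lead:]


def note_to_legacy(note: str) -> str:
    """Undo legacy_to_note. 'w' is a valid Base58 character, so a body that
    itself starts with 'ww' is mis-split here; parse_note_address catches it."""
    lead = 0
    while note.startswith("ww" * (lead + 1)):
        lead += 1
    return "1" * lead + note[2 * lead:]


def parse_note_address(note: str) -> bytes:
    """Return the 20-byte HASH160 behind a Note address, or raise ValueError."""
    payload = b58check_decode(note_to_legacy(note))
    if len(payload) != 21 or payload[0] != 0x00:
        raise ValueError("not a version-0 (P2PKH) address")
    return payload[1:]
```

A Note private key is handled the same way: strip the "ww-" prefix and pass the remainder to b58check_decode, expecting a 0x80 version byte.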

whirlwindmoney (OP)
Copper Member
Member
**
Offline Offline

Activity: 112
Merit: 338


View Profile
May 06, 2023, 11:53:49 AM
Merited by JollyGood (1)
 #80

I have some doubts: if I'm expecting a Bitcoin transaction, I wouldn't appreciate being told to use a third party to collect my money. The sender could instead have withdrawn the note himself, and sent an on-chain transaction to my address.
As a sender, I also wouldn't really want to rely on a third party to send funds and provide evidence. No matter how trusted your service becomes, it's never as strong as on-chain evidence. Unless you don't want an on-chain transaction trail of course.
My intention was to make it clear that Whirlwind addresses don't need to be 'initialized' in any way. If someone sends you funds through Whirlwind without you ever entering the website before, you can still access them with your private key.

The sender could make an on-chain transfer to your address, but that means he would know where you withdrew your Bitcoin. If he uses Pay to Note then you are anonymous even to the sender. Of course you should always know beforehand where you will be sent the funds; I wouldn't appreciate this kind of 'surprise' either.

Nothing will ever be as strong as on-chain evidence, but for the Pay to Note feature you need to rely on the Letter of Guarantee since there are no on-chain transactions being executed. We could also provide a Letter of Guarantee to the receiver which would be downloadable from the 'Dashboard' page for the first x hours after the transaction. Do you think this would be useful in any way?