Bitcoin Forum
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: Ultimate Bitcoin Privacy - Discussion  (Read 1573 times)
whirlwindmoney (OP)
March 23, 2023, 01:52:03 PM
 #21

Our "hot wallet" is a 3/3 multi-sig with one of the signers being a physical server, so funds are safe. The infrastructure looks like a mini blockchain (with only 3 validators or signers which are all run by us for now), so even if the frontend or backend servers would get hacked, no funds could be stolen since faking guarantee letters using the backend server doesn't do anything as the signers would also have to verify.
I understand that, but my concern was more about how users would be able to redeem their certificates should your service be seized or shut down. It doesn't really matter that the funds are secure and cannot be stolen by third parties if the real owners cannot access them either.

And if you have a solution to this problem, how would that change if you move to multiple third party signers as you have mentioned above. Would I have to go to each signer individually and have them validate my certificate and approve my withdrawal? How would I even track down the signers?
First of all the frontend will be open source very soon, so if the service gets seized/shutdown anyone can use that to withdraw assuming the multi-sig signers are still online. The only really bad scenario is if all 3 signer servers get seized at the same time. Chances of that happening are very slim since we would know about at least 1 of them with enough time in advance and no single server out of the whole infrastructure is exposed so even finding one of them would be quite challenging, let alone the signers.

If there was a 5/10 multi-sig for example, if only 5 of those signers are still running then anyone can use the open source frontend to withdraw. You don't have to contact anyone, theoretically even the signers don't have to know who the other ones are. As long as the required amount of multi-sig signers are still online then the service is online regardless if we the creators are around anymore or not.

EDIT: The only disadvantage to keep in mind for when there'll be more signers is that the "Fast" mode will be deprecated and we need Blind Certificates because all signers will know what happens on the platform and could keep logs so we can't take that risk.
LoyceV
March 25, 2023, 09:58:08 AM
 #22

Our "hot wallet" is a 3/3 multi-sig with one of the signers being a physical server, so funds are safe.
Where's the redundancy in this setup? Who holds for instance the backup to the keys used on the physical server? And doesn't the fact that someone has access increase the risk of losing funds?

The only really bad scenario is if all 3 signer servers get seized at the same time.
If just 1 out of 3 is unavailable, the multisig transaction can't be signed anymore. Unless you mean a 1/3 multisig setup, but that creates other risks.

whirlwindmoney (OP)
March 25, 2023, 12:00:57 PM
 #23

Our "hot wallet" is a 3/3 multi-sig with one of the signers being a physical server, so funds are safe.
Where's the redundancy in this setup? Who holds for instance the backup to the keys used on the physical server? And doesn't the fact that someone has access increase the risk of losing funds?
We are the only ones who hold the backup (offline) for all 3 signers and the only ones who have access to the servers. One of the servers belongs to us, the other 2 are rented. The difference that we care about between the physical and rented ones is that for the physical one we are 100% sure it is not tampered with in any way. (can't disclose how for security reasons so you'll have to take my word on this) And if something were to ever happen we would find out with enough time in advance that we could just migrate to a new setup instantly.

The only really bad scenario is if all 3 signer servers get seized at the same time.
If just 1 out of 3 is unavailable, the multisig transaction can't be signed anymore. Unless you mean a 1/3 multisig setup, but that creates other risks.
It is a 3/3 multisig setup, 1/3 would defeat the purpose. The reasoning behind it is that if one signer will ever be seized or it stops for any reason there is no damage that can be done. Like I said the only real bad scenario is if all of them get hacked at the same time without us knowing. If we ever feel that something is not right with any one of the signers we can migrate to a new multi-sig with new signers and new servers in under an hour, in fact we were planning to do this once in a while by default just in case. Most if not all other services store their keys on a single server that may be infiltrated from day 1, there is just no way to be sure but we don't want to take any chances ourselves.
o_e_l_e_o
March 25, 2023, 01:18:00 PM
 #24

I think maybe it would be worth clarifying the difference between the current set up and your future plans.

At the moment, with whirlwindmoney being the sole operator of the site, then they are in control of all 3 keys in a 3-of-3 multi-sig. This provides additional security against a single server being seized or infiltrated, but it still requires complete trust from the end user that whirlwindmoney won't scam them, as it would in a normal single-sig set up.

In the future with blinded bearer certificates and the involvement of other third parties, then presumably the best option in that scenario would be to migrate to a different multi-sig. Let's say they recruit nine other people to be signers for the blinded certificates. Maybe something like a 7-of-10 multi-sig would be the best in that case, which provides a good mix of security against some of the signers being dishonest as well as redundancy against some of the signers being taken offline, seized, infiltrated, etc.

CMIIW.
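
The m-of-n trade-off discussed in the posts above, worked through as an added example (not code from any poster or from the service). The 5% per-signer offline and compromise probabilities, the assumption that signers fail independently, and the party and key names are all constructed for illustration.

```python
from itertools import combinations
from math import comb


def at_least(k, n, p):
    """P(at least k of n independent signers are in a state of probability p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i)
               for i in range(max(k, 0), n + 1))


def threshold_profile(m, n, p_offline, p_compromised):
    """Liveness and theft exposure of an m-of-n multisig.

    Lockout: fewer than m signers are reachable, so nothing can be signed.
    Theft:   at least m keys are in the wrong hands.
    """
    return {
        "scheme": f"{m}-of-{n}",
        "offline_tolerated": n - m,     # signers that may vanish before lockout
        "keys_needed_to_spend": m,      # keys an outsider must obtain
        "p_lockout": 1 - at_least(m, n, 1 - p_offline),
        "p_theft": at_least(m, n, p_compromised),
    }


def min_parties_to_spend(m, holdings):
    """Smallest number of parties whose combined keys reach the threshold m.

    holdings maps a party name to the set of key ids that party can use,
    counting backups. Returns None if even all parties together fall short.
    """
    parties = list(holdings)
    for size in range(1, len(parties) + 1):
        for group in combinations(parties, size):
            keys = set().union(*(holdings[p] for p in group))
            if len(keys) >= m:
                return size
    return None


# Constructed key-custody scenarios.
# 1) Setup described in the thread: one operator holds all three keys.
SOLE_OPERATOR = {"operator": {"k1", "k2", "k3"}}
# 2) Hypothetical 7-of-10 with ten independent signers, one key each.
TEN_INDEPENDENT = {f"signer{i}": {f"k{i}"} for i in range(10)}
# 3) Hypothetical 7-of-10 where the operator also keeps backups of k1..k3.
TEN_WITH_BACKUPS = dict(TEN_INDEPENDENT)
TEN_WITH_BACKUPS["signer0"] = {"k0", "k1", "k2", "k3"}


def compare(p_offline=0.05, p_compromised=0.05):
    """Profiles for the schemes mentioned in the thread."""
    schemes = [(3, 3), (1, 3), (5, 10), (7, 10)]
    return [threshold_profile(m, n, p_offline, p_compromised) for m, n in schemes]


if __name__ == "__main__":
    for row in compare():
        print(f'{row["scheme"]:>8}  offline tolerated: {row["offline_tolerated"]}'
              f'  P(lockout)={row["p_lockout"]:.6f}  P(theft)={row["p_theft"]:.2e}')
    print("parties needed, sole operator 3-of-3:", min_parties_to_spend(3, SOLE_OPERATOR))
    print("parties needed, independent 7-of-10:", min_parties_to_spend(7, TEN_INDEPENDENT))
    print("parties needed, 7-of-10 with backups:", min_parties_to_spend(7, TEN_WITH_BACKUPS))
```

Under these assumed numbers 3-of-3 and 1-of-3 are mirror images (one trades lockout risk for theft risk), while the custody check shows that the number of keys only matters if the keys sit with different parties.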
whirlwindmoney (OP)
March 25, 2023, 02:13:28 PM
 #25

At the moment, with whirlwindmoney being the sole operator of the site, then they are in control of all 3 keys in a 3-of-3 multi-sig. This provides additional security against a single server being seized or infiltrated, but it still requires complete trust from the end user that whirlwindmoney won't scam them, as it would in a normal single-sig set up.
Correct, the multi-sig's purpose in the current setup is not to protect against us acting maliciously, but against external actors.

In the future with blinded bearer certificates and the involvement of other third parties, then presumably the best option in that scenario would be to migrate to a different multi-sig. Let's say they recruit nine other people to be signers for the blinded certificates. Maybe something like a 7-of-10 multi-sig would be the best in that case, which provides a good mix of security against some of the signers being dishonest as well as redundancy against some of the signers being taken offline, seized, infiltrated, etc.
Correct again, in this form users' funds will be protected against external actors and us acting maliciously. I believe it could work well enough even with less than 9 other people, but the flow remains the same.

CMIIW.
Nothing to correct. It was clear to us from the beginning that requiring trust from the end user would be the biggest issue, but until we find reputable users to add to the multi-sig there really is no way around it. We will try our best to migrate to the trustless version as soon as possible, it all depends on how fast we'll be able to find the right users for the multi-sig. Until then as you said funds are safe from external actors but we could scam anytime if we wanted.
LoyceV
March 26, 2023, 08:18:27 AM
 #26

The only really bad scenario is if all 3 signer servers get seized at the same time.
If just 1 out of 3 is unavailable, the multisig transaction can't be signed anymore. Unless you mean a 1/3 multisig setup, but that creates other risks.
It is a 3/3 multisig setup, 1/3 would defeat the purpose. The reasoning behind it is that if one signer will ever be seized or it stops for any reason there is no damage that can be done.
That makes sense. My assumption was the multisig is meant to protect against losing access, but it's against someone else gaining access. Unless someone skips the servers and gains access to your backups directly.

yhiaali3
March 26, 2023, 05:24:29 PM
 #27

Everyone has the right to rush to fill the big gap left by Chipmixer, but on the other hand, it has become very difficult for any mixer to gain the trust of the community because of this incident, which showed that the mixer was keeping user data.

I, as many here, do not know how blind certificates work completely, but what I do know is that it has become very difficult to trust any third-party services. I personally do not trust that any third-party service fully maintains privacy.

You need to decentralize the service almost completely to gain trust.

nioctib_100
March 27, 2023, 05:54:07 PM
 #28

The blind certificates are certainly causing a lot of confusion since it's a relatively novel idea put into practice. Perhaps you all could create a graphic that would explain it clearly and in an illustrative manner? That would help a lot vs. reading paragraphs of text about it, and then it'd be easy to repost to answer this question moving forward.
Synchronice
March 28, 2023, 07:28:05 PM
 #29

It is a 3/3 multisig setup, 1/3 would defeat the purpose. The reasoning behind it is that if one signer will ever be seized or it stops for any reason there is no damage that can be done.
3/3 is a case where three signatures are required to sign a transaction. So, if one user isn't online or able to sign, then you are going to migrate to a new multi-sig with new signers and servers because you have the backup, you said that.
So, if you hold the backup for all 3 signers and you can always change the fate of situation, doesn't that mean that all you are doing by multi-sig is that you just put transparent curtains? I mean, what's the point of 3/3 multisig if you can always do whatever you want?

hugeblack
March 29, 2023, 12:35:03 PM
 #30

After gaining trust, will the fast situation be deleted and only notes be used? And what are your plans to get trust? Only the high-payment signature campaign?

until we find reputable users to add to the multi-sig there really is no way around it. We will try our best to migrate to the trustless version as soon as possible, it all depends on how fast we'll be able to find the right users for the multi-sig. Until then as you said funds are safe from external actors but we could scam anytime if we wanted.
Blinded bearer certificates are a new concept for me, will read about it and update.

What are the criteria for selecting *reputable users,* and will the contract be for decentralization and how will you deal with legal frameworks and how to make payments? Can anyone be a reliable member if he fulfills certain conditions, or is the list central?

whirlwindmoney (OP)
March 29, 2023, 05:21:28 PM
Merited by hugeblack (5)
 #31

I, as many here, do not know how blind certificates work completely, but what I do know is that it has become very difficult to trust any third-party services. I personally do not trust that any third-party service fully maintains privacy.
Understandable, but that's the advantage of blind certificates. You won't need to trust that we don't keep logs, it would be impossible to log anything even if we tried. This will be provable beyond any doubt at any point since it's code, not just our words.

The blind certificates are certainly causing a lot of confusion since it's a relatively novel idea put into practice. Perhaps you all could create a graphic that would explain it clearly and in an illustrative manner? That would help a lot vs. reading paragraphs of text about it, and then it'd be easy to repost to answer this question moving forward.
Great idea, we will do that once we get some traction with the current version.

3/3 is a case where three signatures are required to sign a transaction. So, if one user isn't online or able to sign, then you are going to migrate to a new multi-sig with new signers and servers because you have the backup, you said that.
So, if you hold the backup for all 3 signers and you can always change the fate of situation, doesn't that mean that all you are doing by multi-sig is that you just put transparent curtains? I mean, what's the point of 3/3 multisig if you can always do whatever you want?
Currently I am all 3 "users", the point is that if you have a 2 server setup for the whole infrastructure, like in a case where we all know for a fact this is the truth, then the entire service including funds are at risk of being hacked/seized//the list goes on. I can't disclose the exact setup that we are running for obvious reasons but there are >5 servers, and all but the clearnet frontend one are not exposed. While risk still exists with our setup too, it's mitigated to a minimum. I am not trying to pretend that I don't have access to funds or anything like that, I said multiple times that unless there will be more signers besides me in the multi-sig, then users will have to trust me and it's just how it is. But at least if you assume I am honest, then you don't have to worry about much else. I don't believe you have this luxury with many other services.

After gaining trust, will the fast situation be deleted and only notes be used? And what are your plans to get trust? Only the high-payment signature campaign?
We will phase out the Fast mode only if we migrate to a setup with multiple signers. (I explained before it's because all signers could keep logs for Fast mode and we can't take that risk) As for trust I was planning to run a review campaign and lock a few BTC in escrow, Hhampuz is looking to find a 3rd party to hold these funds. Not much else to do besides this other than running the service reliably, time will tell.

What are the criteria for selecting *reputable users,* and will the contract be for decentralization and how will you deal with legal frameworks and how to make payments? Can anyone be a reliable member if he fulfills certain conditions, or is the list central?
I have no idea right now to be perfectly honest, but I hope that after some more time and discussions about this topic here we will come up with a reliable plan that we can execute.
nioctib_100
March 30, 2023, 02:54:14 AM
Last edit: April 10, 2023, 03:35:22 PM by nioctib_100
 #32

Thinking very long term here because I know in the near term challenge is just to find three separate trusted members, but it would be really neat to someday set up a system with separate groups of 3 signers and allow the user to choose which group to engage with. This would reduce the trust to place in the service for picking the three members and give us more autonomy on choosing exactly who we can trust. It would also set up a very neat system where people could essentially form their own mixer on your service. Three people join together, they each control separate certificates to form a mixing/trust cluster, and they get a portion of the mixing fee (as does Whirlwind). These people would then be super promoters of Whirlwind because they'd be promoting their own mini mixer within the Whirlwind system. They might even fund their own signature campaigns and other sort of referral programs. I worked with developing a referral program years ago and it was the single best thing the company did for acquiring new users. The company paid the users well for their referrals, and it practically 10x-ed growth.
Synchronice
March 30, 2023, 08:06:43 PM
 #33

3/3 is a case where three signatures are required to sign a transaction. So, if one user isn't online or able to sign, then you are going to migrate to a new multi-sig with new signers and servers because you have the backup, you said that.
So, if you hold the backup for all 3 signers and you can always change the fate of situation, doesn't that mean that all you are doing by multi-sig is that you just put transparent curtains? I mean, what's the point of 3/3 multisig if you can always do whatever you want?
Currently I am all 3 "users", the point is that if you have a 2 server setup for the whole infrastructure, like in a case where we all know for a fact this is the truth, then the entire service including funds are at risk of being hacked/seized//the list goes on. I can't disclose the exact setup that we are running for obvious reasons but there are >5 servers, and all but the clearnet frontend one are not exposed. While risk still exists with our setup too, it's mitigated to a minimum. I am not trying to pretend that I don't have access to funds or anything like that, I said multiple times that unless there will be more signers besides me in the multi-sig, then users will have to trust me and it's just how it is. But at least if you assume I am honest, then you don't have to worry about much else. I don't believe you have this luxury with many other services.
I mean, if something happens to those one or two users, you can use your backup that you hold for all 3 signers, right? This means, finally the control system is still centralized and in reality, we don't get pure 3 signers service because after all, you are capable to use those keys anytime you wish and finally it comes to whether we trust personally you or not, right? Or did I misunderstand something here?
Btw I'm not saying whether you are trustworthy or not, I'm neutral here.

T3PR00T
March 30, 2023, 08:51:38 PM
 #34

3/3 is a case where three signatures are required to sign a transaction. So, if one user isn't online or able to sign, then you are going to migrate to a new multi-sig with new signers and servers because you have the backup, you said that.
So, if you hold the backup for all 3 signers and you can always change the fate of situation, doesn't that mean that all you are doing by multi-sig is that you just put transparent curtains? I mean, what's the point of 3/3 multisig if you can always do whatever you want?
Currently I am all 3 "users", the point is that if you have a 2 server setup for the whole infrastructure, like in a case where we all know for a fact this is the truth, then the entire service including funds are at risk of being hacked/seized//the list goes on. I can't disclose the exact setup that we are running for obvious reasons but there are >5 servers, and all but the clearnet frontend one are not exposed. While risk still exists with our setup too, it's mitigated to a minimum. I am not trying to pretend that I don't have access to funds or anything like that, I said multiple times that unless there will be more signers besides me in the multi-sig, then users will have to trust me and it's just how it is. But at least if you assume I am honest, then you don't have to worry about much else. I don't believe you have this luxury with many other services.
I mean, if something happens to those one or two users, you can use your backup that you hold for all 3 signers, right? This means, finally the control system is still centralized and in reality, we don't get pure 3 signers service because after all, you are capable to use those keys anytime you wish and finally it comes to whether we trust personally you or not, right? Or did I misunderstand something here?
Btw I'm not saying whether you are trustworthy or not, I'm neutral here.


It sounds complicated. If I have all the cosigners' seeds then having a multi-sig is just giving false security. It's again down to trusting one person. On the other hand it's risky for other two cosigners as they might be blamed for any mishandling. Their reputation will be at risk.

The mentioned multi-sig system, is it already implemented? I think it's not yet, in that case it's giving false information.

Nice Ann design.
We are in the trust business, if we'd lie about something like this then we have no place doing what we do. You can read more about the multi-sig setup in the other thread I started.
I am coming from your response on the Ann. As I said, right now telling about multi-sig feature is a misinformation until it's implemented.

Ownership address: bc1qhxlltpz5julxtg5hld7ctl9ssfa2704hk5q9mr
whirlwindmoney (OP)
March 30, 2023, 09:22:25 PM
 #35

I am coming from your response on the Ann. As I said, right now telling about multi-sig feature is a misinformation until it's implemented.
How is it misinformation if it is implemented?

At the moment, with whirlwindmoney being the sole operator of the site, then they are in control of all 3 keys in a 3-of-3 multi-sig. This provides additional security against a single server being seized or infiltrated, but it still requires complete trust from the end user that whirlwindmoney won't scam them, as it would in a normal single-sig set up.

In the future with blinded bearer certificates and the involvement of other third parties, then presumably the best option in that scenario would be to migrate to a different multi-sig. Let's say they recruit nine other people to be signers for the blinded certificates. Maybe something like a 7-of-10 multi-sig would be the best in that case, which provides a good mix of security against some of the signers being dishonest as well as redundancy against some of the signers being taken offline, seized, infiltrated, etc.
I suggest you read some of the earlier messages here to understand the purpose of the multi-sig

We will try our best to migrate to the trustless version as soon as possible, it all depends on how fast we'll be able to find the right users for the multi-sig. Until then as you said funds are safe from external actors but we could scam anytime if we wanted.
I'm here for any questions if something is unclear
hugeblack
April 01, 2023, 11:47:04 AM
 #36

 Since you are open to hearing opinions, I hope you will visit this link ----> Breaking Mixing Services

If there is interest in this topic, I can publish further information (source-codes, examples, ..) on this topic and attacks.
Link to my thesis (python source inside): https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0
Author: Felix Maduakor
Email: felix.maduakor@rub.de

1 Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.


Contact him, and if he accepts to give a paid review, I think that this will contribute a lot to gaining trust in your mixer service (at least for some here)

whirlwindmoney (OP)
April 01, 2023, 01:26:42 PM
 #37

Since you are open to hearing opinions, I hope you will visit this link ----> Breaking Mixing Services

If there is interest in this topic, I can publish further information (source-codes, examples, ..) on this topic and attacks.
Link to my thesis (python source inside): https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0
Author: Felix Maduakor
Email: felix.maduakor@rub.de

1 Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.


Contact him, and if he accepts to give a paid review, I think that this will contribute a lot to gaining trust in your mixer service (at least for some here)
I went through his report and although I'm sure we already fixed the issues outlined by him, I will still try to get him to do a paid review for your confirmation.

Coinmixer.se (the service used as example in the report) works like most mixers on the market today, and they all have the same big issues in common:
1. Maximum delay time is limited
2. Maximum amount of output addresses is limited
3. No option to have higher outputs than inputs
4. Use of mixing codes

These issues make it possible for anyone to perform blockchain analysis with relative ease. The privacy set (number of deposits your output transaction could have originated from) which is the most important figure in my opinion, is reduced to only the transactions that were performed during the time limits imposed by the "maximum delay". And since you also know the maximum number of output transactions each deposit has, it's not that difficult to deanonymize it.

We solve all these issues by introducing the Note mechanism. Let's see how the above issues apply to Whirlwind:
1. Maximum delay time is unlimited
2. Maximum amount of output addresses is unlimited
3. Outputs can be higher than inputs (combine Notes)
4. We don't use mixing codes

Since the user has the option to deposit and withdraw whenever he likes and we don't impose a limit, blockchain analysis becomes useless. In the case of coinmixer.se it's written in the report that they had about ~1000 deposit transactions a week. If we assume we'll have the same, then the privacy set of Whirlwind will grow by 1000 every week.

After 10 weeks every output transaction could originate from any of the 10,000 deposits into Whirlwind, and this figure will only grow as time goes on. With other mixers it doesn't matter how many deposits they have in total, the privacy set doesn't increase.

The use of mixing codes by a service confirms that the privacy set is very weak and introduces other risks since it can link your transactions. If a mixer does what it's supposed to do, it shouldn't matter if you get 'your own coins' back because anyone that ever used the service could have withdrawn those coins.
o_e_l_e_o
April 02, 2023, 01:15:25 PM
 #38

I remember reading that report thoroughly at the time it was shared. I agree that the structure that ChipMixer used, and the similar structure that Whirlwind is now using, meant that they can't be broken in the same way as traditional mixers exactly for the reasons whirlwindmoney has given above. By allowing users to deposit different amounts to different addresses at different times, to combine and split these amounts freely, to do so over any period of time desired, and then to withdraw any amount of coins from their vouchers/notes, it becomes impossible to track inputs and outputs in the same way this report does. Of course users can still make mistakes such as combining mixed and unmixed UTXOs, but the service itself is not at fault in such cases.

My feeling would be that the fast option would potentially be breakable in the same way that every other mixer is, but notes would not be breakable in the same way that ChipMixer wasn't.

And of course if things get as far as blinded certificates, then it becomes provably impossible to link deposits and withdrawals via blockchain analysis, since certificate issuing, trading, spending, and redeeming, all happens off chain and Whirlpool are blinded to the individual certificates.
NotATether
April 02, 2023, 02:30:39 PM
Merited by BlackHatCoiner (4)
 #39

Rather than asking a few questions about user privacy, I will ask another kind of question.

What preventative measures have you taken to protect yourself from arrest and federal government seizure of website assets (i.e: how do you plan to avoid Chipmixer's fate)?

Agbe
April 02, 2023, 06:21:53 PM
 #40

Everyone has the right to rush to fill the big gap left by Chipmixer, but on the other hand, it has become very difficult for any mixer to gain the trust of the community because of this incident, which showed that the mixer was keeping user data.
If I would not be mistaken Chipmixer was the biggest Mixing company in the community, until it demised and presently whirlwindmoney has taken over that Chipmixer's position in the community. Well you can't give an inductive reasoning on whirlwindmoney and Chipmixer, I am not saying that you should trust them but where (the root of launching) the mixer is entirely different from Chipmixer therefore they have different operations and managers.


I, as many here, do not know how blind certificates work completely, but what I do know is that it has become very difficult to trust any third-party services. I personally do not trust that any third-party service fully maintains privacy.

You need to decentralize the service almost completely to gain trust.
Really this is my first time of hearing this blind certificate, if the transactions are anonymity to the public then they can make the whole system anonymous to every users for fair transactions. In any system trust is the most important thing to keep. I will want whirlwindmoney to be transparent in all their dealings with their customers and both in the community and in the site.
