rpietila Altcoin Observer

[yAmAdA]

If mining is centralized then the exit points are probably easy to find.

Can you please explain this in more detail? Neither are there exit nodes, nor are transactions sent directly to miners. Transactions are broadcast through the whole network. How do known miners make it easier to perform traffic analysis in a cover traffic scenario?

I assume you mean relay nodes sending out dummy packets at random intervals, so latency doesn't increase for legitimate traffic (as long as relay nodes can handle the additional bandwidth).

I have been thinking about establishing fixed capacity channels between sets of nodes instead. The negotiated capacity is filled completely at all times, either with padding or real data. Because channels are encrypted, an attacker cannot differentiate between them.

Seems to me the adversary could ignore all packets coming out of the exit nodes that didn't correlate with a low-latency to the targeted entry node.

Again: There are no exit nodes with I2P. This is also not possible with fixed bandwidth cover traffic channels.

Sybil attacks are very hard to defend against if your attacker can replace your internet connection with connection to NSA LAN instead. Despite all, in 2012 the NSA was still obstructed in some degree by even Tor use. The least we can do is make it a bit harder for them.

[1714715415]

1714715415

[binaryFate]

The argument is made that these masternodes won't be easily Sybil attacked because only a whale could. Your argument against the possibility of owning a lot of nodes fails due to the fact that money is always power law distributed[1].

Note that in the case of a ninja-mined currency, you don't even need to bring the general wealth distribution to the table to break the assumption that Sybil attacks cannot happen in practice.

[AlexGR]

Okay so compared to Monero (Cryptonote), DarkCoin has an additional Sybil attack vector yet also can have prunability which Cryptonote can't.

Which is the difference between having a usable anonymous coin and a proof-of-concept coin until the scaling can be resolved.

The argument is made that these masternodes won't be easily Sybil attacked because only a whale could. Your argument against the possibility of owning a lot of nodes fails due to the fact that money is always power law distributed[1]. One can argue that whales wouldn't destroy their investment by attacking it, but whales can be coerced with rubber hose or offered a percentage of the booty gained.

Actually, the game theory component of Darkcoin seems quite solid. And remember that DarkSend, when opensourced, can be used in multiple coins - which means that suddenly, one must have A LOT of money to own the nodes of every single coin out there, to deanonymize everything. It also creates the following loop:

Coin implements DarkSend => The-powers-that-be need to buy 80-95% of the nodes to deanonymize a good percent of transactions with 8 rounds of DarkSend => buyers of said coin get rich by TPTB that buy from them.

Suddenly you've made a mechanism where ordinary people are getting rich by the NSA or NSA-equivalent organizations. This is a non-strategy for the elite. They want to track you but not to make you rich - or ensure that every buyer of DarkSend-enabled coin will get rich.

The forceful or coerced cooperation part is also doubtful since nodes are all over the world. It's not enough to have a few nodes. You need a lot of nodes. And even if you have a lot of nodes, a paranoid Darkcoin user will escape detection by laundering his money 2-3-4 (or more) times over 8 different nodes (total 32 nodes) - by paying the fees necessary of course. The statistic possibility of deanonymizing him by going over 32 (or more) nodes would be near zero.

I am more worried about the IP obfuscation part of anonymous coins, rather than sybil attacks in Darkcoin / DarkSend-enabled coins. That's the weak spot.

Scaling, I believe, is a no-issue, not only due to pruning, but also due to lower-settings of mixing that will be used for less paranoid users that are more concerned with privacy rather than total anonymity.

Both can't avoid transaction fees because their anonymity depends on mixing transactions which encourages transaction spam.

Personally, I do not see transaction fees as a problem. I believe that fees should be enforced in every single coin. No fees = bloating attack vector open = coin is DOA. Nobody wants to use coins which have terabytes of blockchain because some kid scripted bogus transactions for the lulz / just to kill a coin. Such a coin would be a joke coin. Why would anybody use a joke coin that can be bloated to destruction by script-kids, at no cost?

[AnonyMint]

If mining is centralized then the exit points are probably easy to find.

Neither are there exit nodes, nor are transactions sent directly to miners. Transactions are broadcast through the whole network. How do known miners make it easier to perform traffic analysis in a cover traffic scenario?

The adversary could hijack the upstream router/ISP of the miner and peer at all traffic incoming to the miner.

I assume you mean relay nodes sending out dummy packets at random intervals, so latency doesn't increase for legitimate traffic (as long as relay nodes can handle the additional bandwidth).

I have been thinking about establishing fixed capacity channels between sets of nodes instead. The negotiated capacity is filled completely at all times, either with padding or real data. Because channels are encrypted, an attacker cannot differentiate between them.

The user's packet has to be in the same form as it entered the network when it leaves the network going the miner. Afaics, your proposed cover channels accomplish exactly nothing.

Sybil attacks are very hard to defend against...Despite all, in 2012 the NSA was still obstructed in some degree by even Tor use. The least we can do is make it a bit harder for them.

A Sybil attack doesn't mean you succeed 100% of the time, as you don't have 100% of the relay nodes.

I want anonymity by needle-in-haystack, not anonymity by pair of dice.

Apparently nobody knows what percentage level of relay nodes the NSA controls on Tor (or I2P).

[AnonyMint]

Both can't avoid transaction fees because their anonymity depends on mixing transactions which encourages transaction spam.

Personally, I do not see transaction fees as a problem. I believe that fees should be enforced in every single coin. No fees = bloating attack vector open = coin is DOA. Nobody wants to use coins which have terabytes of blockchain because some kid scripted bogus transactions for the lulz / just to kill a coin. Such a coin would be a joke coin. Why would anybody use a joke coin that can be bloated to destruction by script-kids, at no cost?

If I answered that, I would reveal one of my valuable secrets. Not even people I speak to privately know my answer to that.

And I need that to become open source asap, because it is dangerous to hold such a secret and not tell anyone.

[coinsolidation]

And I need that to become open source asap, because it is dangerous to hold such a secret and not tell anyone.

Often the way to approach this problem, is to develop and create openly from the start. You can easily develop publicly and test before launch whilst building a conversation with no negative impact on the community or the thing being developed.

[yAmAdA]

I assume you mean relay nodes sending out dummy packets at random intervals, so latency doesn't increase for legitimate traffic (as long as relay nodes can handle the additional bandwidth).

I have been thinking about establishing fixed capacity channels between sets of nodes instead. The negotiated capacity is filled completely at all times, either with padding or real data. Because channels are encrypted, an attacker cannot differentiate between them.

The user's packet has to be in the same form as it entered the network when it leaves the network going the miner. Afaics, your proposed cover channels accomplish exactly nothing.

If your threat model includes the attacker looking at clear traffic on both sides, you have lost anyway, because the attacker can already read the transactions senders send and know who the senders are. Otherwise, the attacker cannot tell the way the packet looked when the sender sent it, because from the side of the sender the attacker only sees say 100 packets per second of constant size sent to 16 different nodes each, which also behave this way.

Please understand that this proposal is intended to counteract opaque timing attacks only, not sybil attacks.

Sybil attacks are very hard to defend against...Despite all, in 2012 the NSA was still obstructed in some degree by even Tor use. The least we can do is make it a bit harder for them.

A Sybil attack doesn't mean you succeed 100% of the time, as you don't have 100% of the relay nodes.

I want anonymity by needle-in-haystack, not anonymity by pair of dice.

Apparently nobody knows what percentage level of relay nodes the NSA controls on Tor (or I2P).

I entreat you to stop mentioning Tor. It is a different system than I2P, which is being implemented.

It is still a haystack, just of different size. It is still better than nothing at all. A hypothetical attacker with infinite budget cannot be defeated. We can model an attacker with specific capabilities and attempt to design system which defeats the attacker with a given probability. We do not actually disagree on this?

[JorgeStolfi]

Personally, I do not see transaction fees as a problem. I believe that fees should be enforced in every single coin. No fees = bloating attack vector open = coin is DOA

Indeed, I got this suspicion that most of the traffic in the Bitcoin blockchain (~70'000 BTC/day currently) is "fake", namely coins being moved between addresses that belong to the same owner.   Could it be all generated by a single person, from a single laptop, moving 500 bitcoins (possibly in many different addresses) every 10 minutes or so?  Perhaps someone is trying to wash stolen coins, or torture-test some wallet software...
https://blockchain.info/charts/estimated-transaction-volume 

The number of new addresses used per day may be bloated for the same reason.  Since new addresses are free, why not...?

[AnonyMint]

I assume you mean relay nodes sending out dummy packets at random intervals, so latency doesn't increase for legitimate traffic (as long as relay nodes can handle the additional bandwidth).

I have been thinking about establishing fixed capacity channels between sets of nodes instead. The negotiated capacity is filled completely at all times, either with padding or real data. Because channels are encrypted, an attacker cannot differentiate between them.

The user's packet has to be in the same form as it entered the network when it leaves the network going the miner. Afaics, your proposed cover channels accomplish exactly nothing.

If your threat model includes the attacker looking at clear traffic on both sides, you have lost anyway, because the attacker can already read the transactions senders send and know who the senders are. Otherwise, the attacker cannot tell the way the packet looked when the sender sent it,

Correct (I had momentarily forgotten the logic of my original post to which you replied), the onion routing encryption layers are peeled off, thus the no knows the unencrypted data the sender sent until it arrives at the last node in the network which doesn't forward it.

However, this doesn't stop the adversary from looking at unencrypted data the miner is receiving, thus determining which data was cover (dummy) traffic.

Yet the spender could encrypt data for the miner, so only if the miner was compromised would your idea fail. The uncompromised miner would discard dummy packets and no one would know which they are.

Which is another reason we don't want mining to be centralized  because it is more likely the fewer mining pools will be compromised.

But I don't see how cover channels can even work as you describe them? Where does the constant flow originate in onion routing?

Please understand that this proposal is intended to counteract opaque timing attacks only, not sybil attacks.

Why do you mention that? Even if you Sybil attacked the entry node, you wouldn't know what the destination packet looks like due to the onion routing.

Sybil attacks are very hard to defend against...Despite all, in 2012 the NSA was still obstructed in some degree by even Tor use. The least we can do is make it a bit harder for them.

A Sybil attack doesn't mean you succeed 100% of the time, as you don't have 100% of the relay nodes.

I want anonymity by needle-in-haystack, not anonymity by pair of dice.

Apparently nobody knows what percentage level of relay nodes the NSA controls on Tor (or I2P).

I entreat you to stop mentioning Tor. It is a different system than I2P, which is being implemented.

It is still a haystack, just of different size. It is still better than nothing at all. A hypothetical attacker with infinite budget cannot be defeated. We can model an attacker with specific capabilities and attempt to design system which defeats the attacker with a given probability. We do not actually disagree on this?

My point is that 10-20% of the relay nodes Sybil attacked is not needle-in-the-haystack odds, more like the odds of flipping a dice or pair of them.

[AnonyMint]

Since new addresses are free, why not...?

Hint: yeah the more the better.

[AnonyMint]

Would like to get some closure on recent discussions.

To help rpietila with the periodic summaries he typically adds to the OPs of his moderated threads, I suggest we try to compile a summary of the significant pluses and minuses of top anonymous coin designs.

Could we agree on wording such as the following? Please let me know if I left anything out that we discussed upthread. The following doesn't attempt to qualify how likely or predominant relative weaknesses are, as this is too complex to summarize succinctly.

* represents a feature which is claimed to be an advantage but may or may not be a liability.
?? means I guessed and am not sure.

Monero (Cryptonote coins)

+ cryptographically unlinkable & untraceable
- tx sybil attack (mitigated with mandatory tx fees)
- I2P (anonymity or DoS) sybil or timing analysis attack
- unprunable -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- slow PoW hash
- mining is not anonymous
* unvetted asic-resistant PoW hash, demonstrated GPU parity

Boolberry (Cryptonote optimization)

+ discards ring signatures reducing block chain size by a constant factor
+ prevents mixing with those who don't mix so unlinkability & untraceability isn't trivially broken
+ cryptographically unlinkable & untraceable
- tx sybil attack (mitigated with mandatory tx fees)
- no I2P/Tor IP obfuscation
- unprunable -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- mining is not anonymous (??)
* unvetted asic-resistant PoW hash, demonstrated GPU parity (??)

DarkCoin (this is the best CloakCoin's anonymity could improve to as it is similar conceptually in design)

+ prunable (but unimplemented)
- unlinkability Sybil attack on masternodes
- tx sybil attack (mitigated with mandatory tx fees)
- Tor (anonymity or DoS) sybil or timing analysis attack
- simultaneity or premix tx bloat -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- mining is not anonymous (??)

Zerocash

+ all coins mixed all the time, so no tx Sybil attack incentive (may not need tx fees if they adopt my secret??)
+ don't need to obfuscate IP address (I2P/Tor) because...
+ ...everything is cryptographically hidden...
- ...even the money supply -> compromised master setup or cryptanalysis breakage could create unlimited undetected coins
- unprunable (??) -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- unvetted new complex crypto could break anonymity and coin value retroactively
- mining is not anonymous (??)
- not released

[coinsolidation]

Could you tabulate that summary so that the items are the same for each currency you list. A + when supported and a - when not.

[AnonyMint]

Could you tabulate that summary so that the items are the same for each currency you list. A + when supported and a - when not.

I will let someone else edit. This is open source.

[yAmAdA]

But I don't see how cover channels can even work as you describe them? Where does the constant flow originate in onion routing?

My idea is that the cover traffic channels would be the outermost layer for communication between nodes participating in the mix network. You perform routing and onion routing through these channels.

Why do you mention that? Even if you Sybil attacked the entry node, you wouldn't know what the destination packet looks like due to the onion routing.

Following the above, if an attacker controls all nodes to which you connect, the attacker can tell what part of the traffic is cover traffic.

If you find a way to switch around the order of layers, this can possibly be avoided. However, as you noted, doing cover traffic inside the onion routing network would be difficult.

My point is that 10-20% of the relay nodes Sybil attacked is not needle-in-the-haystack odds, more like the odds of flipping a dice or pair of them.

I see this point.

[AnonyMint]

But I don't see how cover channels can even work as you describe them? Where does the constant flow originate in onion routing?

My idea is that the cover traffic channels would be the outermost layer for communication between nodes participating in the mix network. You perform routing and onion routing through these channels.

Afaics, there can't be a layer outside the onion routing maintaining constant flow to outputs of the network unless you have masternodes in control of maintaining the constant flow, which would then be egregiously vulnerable to Sybil attack. How do you envision it working otherwise?

Thus constant flow is inimical to the obfuscation of fixed points through autonomous randomization (increasing entropy), which makes a Chaum mix-net work.

Tangentially: the beauty of one-time ring signatures if they are creationally autonomous thus entropy increasing. Entropy increasing designs are congruent with the universal trend of nature (because mutually observable space-time is irreversible). Unfortunately one-time ring signatures are also collectively bound for destruction, i.e. kills pruning.

[yAmAdA]

Afaics, there can't be a layer outside the onion routing maintaining constant flow to outputs of the network unless you have masternodes in control of maintaining the constant flow, which would then be egregiously vulnerable to Sybil attack. How do you envision it working otherwise?

Thus constant flow is inimical to the obfuscation of fixed points through randomization, which makes a Chaum mix-net work.

You can build what is basically mesh network with fixed capacity connections upon which you run the mix network. Whenever you open a connection to another peer in the network, you keep open the connection and both sides keep sending packets at the agreed upon rate while tunneling their actual communication through this constant stream. Packets are routed through this network to the target peers chosen for the onion routing route for the given packet.

I see that this design is probably more than can be easily implemented on top of I2P if it was desirable at all.

It occurs to me that this discussion is probably off topic here.

[AnonyMint]

Ah I didn't consider all nodes running constant flow all the time (because it is so inefficient). That indeed obfuscates fixed points without masternodes but...

A fully connected mesh network of all nodes in the mix-net means N squared explosion in bandwidth. The bandwidth is limited to the slowest node's bandwidth (how to coordinate that? coordination could be Sybil attacked? ... I expect my 'inimical' point to remain valid because you try to fight against entropy increase).

I see you trade the increased latency required to otherwise defeat timing attacks for N squared explosion in bandwidth.

There are more efficient methods than the above two options.

Agreed we are getting too technical for this thread.

[crypto_zoidberg]

Hello guys,

I heard you were talking about pruning ring signatures from CryptoNote coins, so let me introduce Boolberry's solution:




Zoidberg

[Anotheranonlol]

BBR doesn't have a "sugar daddy" effect not network effect. It will get it's backing in soonish time.

Zoidberg is not a one man team. He is also widely suspected to have written major portions of the original CN coin. I also suspect he is thankful_for_today (could be wrong on this one), so he is never going to focus his energy on XMR. Instead he and his small team are working on just improving BBR all around. His work in not closed source, contributors are going to come to BBR just like they came to XMR.

Cheap current valuation is nothing to worry about. Accumulate and speculate.

XMR was on a terrific track until it started getting hastily shoved down everyone's throats by pumpers and a certain exchange. In due time BBR will rightly surface over the XMR drawbacks.

This is FUD. Zoidberg did not spend two years writing CryptoNote, then wait for it to be public, then lose to Monero to be the first fair release. If Zoidberg really was apart of the original CN team, he certainly would have been ready to release the first fair CN coin.

You're a liar, you're making up lies.

Also, BBR has not enough of a lead to overtake Monero, this is the Litecoin vs Bitcoin argument all over again. Perhaps if BBR had a entirely different anonymity system then sure, it could be a competitor, but it's not. BBR has the same stuff that Monero has and both teams (Monero and BBR) have been using each others commits, so the intellectual knowledge sharing is quite even actually.

You're making a case that isn't, very sad to see BBR supporters being this lame.

One of the only people I respect in the BBR community is Zoidberg, many of the BBR supporters like yourself just make up fiction and lies, I cannot respect a liar.

Who said they did not release the first fair one which was later 'hijacked'?

About the litecoin vs Bitcoin argument all over again (implying 1- that ltc never offered anything over btc, which it did at some point and hence why myself and many others bothered mining and touching it from first days of launch, and 2) that bbr doesn't offer anything over xmr) If anything Bytecoin is Tenebrix, Monero can be Fairbrix and Boolberry is Litecoin. I guess you can switch things over and say Monero is litecoin since it seems to have 'stuck' over all CN coins, or make the arguments you can't pigeonhole today into yesterday- both fair comments

but essentially same argument you make to deride BBR is true in reverse..XMR doesn't bring anything to the table over BBR, in fact it seems to leave a few ingredients off some dishes- saying 'it's better that way, we can add them later'..(once we learn how to cook them properly), yet there is just a ton of confirmation bias from xmr supporter camp that seem to act like XMR is michelin star preparation and BBR is just a cheap motel breakfast clone attempt

sad thing is looks like XMR can steal any missing dishes from BBR table and people would ask why eat at BBR table when we have all dishes here? If BBR were to steal some dishes from XMR table people would still prefer to eat at celeb-frequented and endorsed XMR table. They've been told by people with green numbers next to their name it's the only thing worth investing in aside from BTC itself

maybe we might see a new wave of CN hipsters will start asking why the food at XMR table is so pricey in comparison, and these people start looking for less crowded tables where the food is priced more attractively and may not leave you quite so bloated and lethargic after snacking. interesting to see if xmr tries to weighwatchers hard-fork and clean up their messy body with a nice gui makeover whether people will come back to them or whether they will just steadfastly never leave xmrs side for younger, skinnier and sexier blonde boolberry . I think it will be the latter but hope it's the former for the sake of the underdog

Frankly, I hold both coins.. Just sick of constant xmr echo chamber and people using monero as synonym for cryptonote

[darkota]

Ok, so the point is:

Boolberry has been instamined/extremely unfairly mined by a guy with a PGPU, who was making 5,000-7,000 Boolberry per day.

Boolberry is not the first fairly launched/accepted Cryptonote coin, it has no network effects working with it

Boolberry lacks a decent size development team

Boolberry has a really crappy name(no offense)

Basically, anyone buying Boolberry is just throwing their money out the window.