|
rini17 (OP)
|
 |
March 06, 2012, 10:20:49 AM |
|
Hello,
I am certain somebody already thought about it - but can't find it. Why cannot be transactions in block mixed together to make individual transactions indistiguishable? I can think of these strategies:
1. Create 1 big transaction per block from all submitted ones by just adding them together
2. split big transactions into more blocks or amounts
3. Nodes can generate decoy transactions between addresses inside one wallet,to increase noise.
Receiver won't know which sender address(es) were used for its transaction..but it's really a prob'lem?
|
|
|
|
|
|
|
According to NIST and ECRYPT II, the cryptographic algorithms used in
Bitcoin are expected to be strong until at least 2030. (After that, it
will not be too difficult to transition to different algorithms.)
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
coinft
|
|
March 06, 2012, 11:48:43 AM |
|
I doubt miners can do this (changing transactions) without the original private keys. I definitely don't want anyone able to tamper with my txs.
-coinft
|
|
|
|
|
FreeMoney
Legendary
 Offline
Activity: 1246
Merit: 1014
Strength in numbers
|
|
March 06, 2012, 03:13:43 PM |
|
That can't be done now, but I wonder about a system that let a tx essentially say. "This input can be used for any tx as long as the coinbase transaction of that block has an output to [recipient address] equal to [amount].
Feels like there might be problems with it. Multiple people paying the same address in the same block...?
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone. |
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
March 06, 2012, 03:27:14 PM |
|
It can't be done with Bitcoin we are talking about a comprehensive change to how transactions are handled.
It could potentially done with a new cryptocurrency.
The main issue with the proposal in OP is that the information between sender & receiver is already known. It has to be known.
Transaction: I have 10 BTC in A and I want to send 5 to Y and 5 to Z.
If I submit that to the network then anyone on the network knows that (even if it isn't included in the block).
Say the block ends up looking like this...
Inputs
A -> 10 BTC
B -> 1 BTC
...
L -> 4 BTC
Outputs:
M -> 0.2 BTC
...
Y -> 5 BTC
Z -> 5 BTC
Now to anyone who ONLY has the block there is no way to know which input(s) went to which output(s). However anyone could simply have kept a copy of my original transaction. If they do looking at transactions submitted to the network AND the blocks it is trivial to reconstruct the original transaction.
One would need to devise a system where the transactions are hidden from everyone except those who solve the block and only hash of transaction submitted to entire network.
Thus unless you solved the block you would only be able to see
a) the block level view.
b) the hashes of transactions.
Alternatively one would need a method where inputs and outputs are completely disconnected.
Something like:
1) You submit input only and it gets hashed to a block.
2) you submit output only and it gets hashed to a block.
3) there is some cryptographic system linking outputs to a prior block (not input).
I am not even sure such a system is possible or even desirable just brainstorming to show the criticial "issue" (delinking inputs and outputs) isn't accomplished by the OP and is a non-trivial problem.
|
|
|
|
|
|
rini17 (OP)
|
|
March 08, 2012, 11:38:11 PM |
|
Thanks to everyone for your thoughtful replies! Indeed,if we desire transactions to be combined(or inputs separated from outputs) after they were emitted, we get into trouble. But what if we can do it before transaction gets published? Two or several neighbor nodes can put together bigger mixed transaction with more inputs/outputs, after this is done it can be processed normally. Something like Diffie-Hellman key exchange where two parties without prior information can agree on encryption key over untrusted connection, so here network nodes can agree on one compound transaction. So that individual transactions could be visible only to small part of the network.
|
|
|
|
|
kronosvl
|
|
March 08, 2012, 11:45:12 PM |
|
probably this could be implemented with a modified client.
Clients connected to a central location, all clients send their transaction unsigned, server creates 1 transaction, clients sign it after each verifies that is ok, server sends this to the bitcoin network and deletes individual unsigned requests.
Can something like this be implemented? The money never touch the central location.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
March 09, 2012, 02:30:46 AM |
|
probably this could be implemented with a modified client.
Clients connected to a central location, all clients send their transaction unsigned, server creates 1 transaction, clients sign it after each verifies that is ok, server sends this to the bitcoin network and deletes individual unsigned requests.
Can something like this be implemented? The money never touch the central location.
Sure however you are sending your private key to a third party and hoping they don't suddenly rob you (and everyone else at the same time). Also you would need to ensure to never use that private key again even for change again. |
|
|
|
|
|
kronosvl
|
|
March 09, 2012, 07:55:02 AM |
|
You don't send the private keys, you signed the transaction created by the server, just like a lightweight client.
let's assume that user A wants to send money to address A1 and A2(change).
user B sends to B1 and B2(change)
1. each one creates is own transaction but doesn't sign it and send it to the server.
2. server creates 1 transaction unsigned from these 2.
3. he then send this to user A who verifies his own inputs and outputs and then signs it.
4. I don't know the inner workings of bitcoin protocol and cryptography so I don't know what user B need sto sign (the sign transaction from user A or the unsigned transaction from the server and after that the server append both signatures to transaction).
5. At this point server has 1 bigger transaction signed by all parties. he send it to bitcoin network and deletes individual unsigned transaction which were never meant to be signed.
|
|
|
|
Meni Rosenfeld
Donator
Legendary
Offline
Activity: 2058
Merit: 1054
|
|
March 09, 2012, 08:15:16 AM |
|
Take a look at this post about oblivious mixing transactions. |
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
March 16, 2012, 09:07:39 PM |
|
You don't send the private keys, you signed the transaction created by the server, just like a lightweight client.
let's assume that user A wants to send money to address A1 and A2(change).
user B sends to B1 and B2(change)
1. each one creates is own transaction but doesn't sign it and send it to the server.
2. server creates 1 transaction unsigned from these 2.
3. he then send this to user A who verifies his own inputs and outputs and then signs it.
4. I don't know the inner workings of bitcoin protocol and cryptography so I don't know what user B need sto sign (the sign transaction from user A or the unsigned transaction from the server and after that the server append both signatures to transaction).
5. At this point server has 1 bigger transaction signed by all parties. he send it to bitcoin network and deletes individual unsigned transaction which were never meant to be signed.
Hmmm, I think you could use blind signing for doing something like this .... There is also this post by Watson Ladd that claims to have a scheme to include a blinding signature into the protocol with new script OP 'SIG_FUNGIBLE' http://wbl.github.com/bitcoinanon.pdfwould be interested to get some thoughts on that, and the general question "Can the Bitcoin protocol be made more untraceable (fungibililty improved)?" |
|
|
|
|
|
|
Sergio_Demian_Lerner
|
|
May 02, 2012, 02:56:01 PM |
|
I'm working on a cryptocurrency where miners mix transactions without the need of private keys. I use something like universal re-encryption and a new cryptographic construct that I called "Trapdoor Shuffles".
Also the coin allows coin subdivision and combination without disclosing the amounts (I think it's the first e-cash system with this property).
I will post the paper when it's ready. It already has a name: PAPCash (Practical Anonymous Peer-to-peer e-cash)
Bye! Sergio.
|
|
|
|
|
HostFat
Staff
Legendary
Offline
Activity: 4214
Merit: 1203
I support freedom of choice
|
|
May 02, 2012, 03:16:29 PM |
|
Wow! I really hope that your ideas can also be ported to the actual Bitcoin protocol  |
|
|
|
|
Sergio_Demian_Lerner
|
|
May 02, 2012, 05:55:53 PM |
|
Alternate protocols do not hurt Bitcoin as Bitcoin can evolve and incorporate these new ideas. Bitcoin value lies on the community size, not on the protocol itself.
|
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
May 02, 2012, 10:32:31 PM |
|
Good find. The beat goes on ... |
|
|
|
|
EhVedadoOAnonimato
|
|
May 22, 2012, 07:16:37 AM |
|
I'm working on a cryptocurrency where miners mix transactions without the need of private keys. I use something like universal re-encryption and a new cryptographic construct that I called "Trapdoor Shuffles".
Also the coin allows coin subdivision and combination without disclosing the amounts (I think it's the first e-cash system with this property).
I will post the paper when it's ready. It already has a name: PAPCash (Practical Anonymous Peer-to-peer e-cash)
Bye! Sergio.
Me baffled. And anxious to see what you've been working on. |
|
|
|
|
|
