austonst (Member, Activity: 76, Merit: 10)
July 19, 2012, 10:29:49 PM
Well, my proposal wasn't to mix 2 transactions, but maybe 10, or even 50. And then once you add the change addresses (at least 1 per wallet), it is no longer so easy to figure out what was used for what, and what belongs to what.
Couldn't you say the same thing about this mixing? It could be expanded pretty easily to have Alice's mix offer be "Hey, I'm running a 5 BTC mixing party. Let's get everyone in on this same transaction." If a lot of people are throwing in their 2's and 3's, it'll get difficult to find the original pairs.
Not really, because once I do my 100btc transaction, I have to combine all those in my own wallet. So mine are again identifiable as mine. The "bad" operation is to actually combine. So my idea was, make the combine operation more anonymous.
Okay, I get your point now. I guess the way this mixing would solve that issue is to make it meaningless to know that addresses are related. Sure, you can see that four 25 BTC outputs have come together to pay 100 total BTC, but since mixing occurs between each transaction, you can't trace them any further back. You can't tell who owns them or what those coins have done in the past, and if the mixing has been done properly (like in Casascius' last post), there won't be any cases of "Oh, I see from tx1 that someone owns addresses A,B,C and I see from tx2 that someone owns C,D,E. Therefore, the same person owns all 5 addresses." Whoo, you guys type fast. 3 more replies since I started writing this up.
One more point, while casascius' method would extremely bloat the block chain, mine could actually reduce the size.
In the original post, it was mentioned that in the future, most people will be storing only the unspent transactions, not the entire history of everything. Many of the blockchain pruning ideas implement something similar, and I think it's pretty likely that the solution that finally gets implemented will only store unspent transactions. While casascius' method would bloat the blockchain with transactions, it would dramatically reduce the side-chain that only stores unspent transactions.
aq
July 19, 2012, 10:36:06 PM
I see your points. How about this: the first step is creating a transaction as it is now. After this the client creates a combined transaction with other unconfirmed and uncombined transactions. This combined one is almost like a double spend of the first one, so legacy miners would ignore it. Now other clients, upon seeing this combined transaction, check if they can sign it, and will do so if necessary. Once all inputs in the combined transaction are signed, a miner can replace all those single transactions by the combined one.
Jan (Legendary, Activity: 1043, Merit: 1002)
July 19, 2012, 10:43:13 PM
And the block chain grows at an accelerated pace...
Mycelium lets you hold your private keys private.
piuk
July 19, 2012, 10:50:57 PM
Nice idea. But it could be fairly easy for someone with good connectivity to de-anonymize transactions. If, for example, someone with the address 1NotMixed keeps broadcasting his address as suitable for mixing, then for every transaction that involves that address you know that the other output was the real destination address. Even if it is a chain of mixed transactions, every one they manage to involve themselves in increases the likelihood of predicting the final destination address.
Or not necessarily using the same address, but unique addresses and sending back to 1NotMixed after.
casascius (OP), Mike Caldwell (VIP, Legendary, Activity: 1386, Merit: 1140)
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
July 19, 2012, 11:05:57 PM
I see your points. How about this: the first step is creating a transaction as it is now. After this the client creates a combined transaction with other unconfirmed and uncombined transactions. This combined one is almost like a double spend of the first one, so legacy miners would ignore it. Now other clients, upon seeing this combined transaction, check if they can sign it, and will do so if necessary. Once all inputs in the combined transaction are signed, a miner can replace all those single transactions by the combined one.
I could see some ways this would work - the challenge would be in trying to come up with a sustainable coordinator for those transactions. If Alice originates a transaction, and miner Mike wants to propose to Alice that she sign transaction A+B which combines her transaction with one of Bob's... then Mike needs a way to contact Alice. Alice pretty much needs to attach a calling card to the transaction, which gives her less anonymity rather than more. Or, as you seem to be suggesting, Mike could start broadcasting the incomplete transaction around the network, in the hopes it will end up reaching Alice so she can sign it. The only problem is that if the network starts permitting such incomplete transactions to be relayed, then a vandal could send out a hundred transactions, and then send out thousands of proposals to combine those 100 transactions 100+ different ways each, exponentially amplifying modest transaction spam into a full-on DoS attack.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
Steve
July 20, 2012, 04:28:25 AM
Great idea…I like the train of thought.
Nice idea. But it could be fairly easy for someone with good connectivity to de-anonymize transactions. If, for example, someone with the address 1NotMixed keeps broadcasting his address as suitable for mixing, then for every transaction that involves that address you know that the other output was the real destination address. Even if it is a chain of mixed transactions, every one they manage to involve themselves in increases the likelihood of predicting the final destination address.
Or not necessarily using the same address, but unique addresses and sending back to 1NotMixed after.
I think you could mitigate this risk by simply altering some rules in the client regarding connection diversity and churning connections to ensure you're never connected to a single node for an excessive amount of time. Also, I don't think the proposal was to broadcast these mix requests (like a normal transaction is relayed)…I think the proposal suggests to announce such requests to peers and in most cases they either act on it or not, but wouldn't relay the request. In some cases they would relay requests to improve privacy.
bc (Member, Activity: 72, Merit: 10)
July 20, 2012, 04:39:49 AM
The best part of this proposal is the sheer simplicity. That alone makes it 10x as likely to get into the official client as any other mixing proposal - in my mind. Simple ubiquitous mixing gets it out of the alleyways, and into the light of day - where no-one need fear participating. Reducing the denominations to M^n is a great idea too. I would almost suggest initially reducing denominations to M^1 alone - to simplify the initial protocol. Maybe that's going too far, and you'd find fewer participants. Or maybe it's good because it means participants would find partners that would otherwise have been holding-out for M^2, M^3, or M^4. Maybe it would be a good first step to shake things out. I've got in mind Gavin's recent Gist about lessons learned from BIP 16 (https://gist.github.com/2355445), and how he wants to apply them in BIP 34 (https://bitcointalk.org/index.php?topic=92558.0). Specifically: "Think about laying a solid foundation, and then rolling out changes in stages. Baby steps instead of change-it-all-at-once." None of these things should occur to users who don't understand them or explicitly opt in to them. They could be briefly explained as benign side effects to a user who checks a checkbox to enhance his anonymity.
And maybe a checkbox to "support" the anonymity of others - by merely relaying these solicitations and transactions. There might be those who find mixing risky - especially while it's new. Those same people, though, might be more than happy to relay the required messages. And then OP goes and replies to a valid concern: One of the biggest issues is that once you make a transfer you combine coins from multiple addresses and as a result those can be identified as one wallet.
Reducing the swaps to specific granular amounts helps prevent this by making the units as indistinct as possible. ... ...Then, all of those chunks will be traded with others, one-for-one. By the time each chunk has been traded six or seven times, what's a recipient going to learn to know that for example three chunks of five were combined to make fifteen? Not much of use. One could perform an analysis on those three chunks to see if they might happen to all share a common possible point of origin on the block chain (an intersection attack), which could identify the original origin. But that could be easily mitigated just by the client occasionally "mixing" same-sized chunks with itself, which is indistinguishable from mixing with others, and which would make the ancestry of each chunk look very "inbred" so to speak, and therefore poorly useful for confidently identifying distinct faraway ancestors.
I love it. As Austonst puts it: if the mixing has been done properly (like in Casascius' last post), there won't be any cases of "Oh, I see from tx1 that someone owns addresses A,B,C and I see from tx2 that someone owns C,D,E. Therefore, the same person owns all 5 addresses."
If fairly common (if not ubiquitous), it sounds like these mixes could start to render "traditional" blockchain analysis obsolete. The heritage of coins that have never participated in such mixing might start to become less clear. And another thing - the simplicity of this proposal widens the pool of developers willing and able to implement it. Kudos, Casascius.
"Democracy is the original 51% attack." - Erik Voorhees
casascius (OP), Mike Caldwell (VIP, Legendary, Activity: 1386, Merit: 1140)
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
July 20, 2012, 04:42:08 AM
Nice idea. But it could be fairly easy for someone with good connectivity to de-anonymize transactions. If, for example, someone with the address 1NotMixed keeps broadcasting his address as suitable for mixing, then for every transaction that involves that address you know that the other output was the real destination address.
Of course, leave it to the guy who runs a node that connects to hundreds or thousands of peers at a time to point this out =) Yes, someone in a position to do that would be able to flag his coins as "not mixed" and his attack would work. Of course, he could also just ignore the request to mix coins, which would be just as effective and leave the coins just as unmixed, and would also be a normal expected response from a client that may not want to / be able to / feel like it / have any coins / randomnumber<threshold / whatever. By and large though, mixing would happen everywhere, mostly for people who only passively care about mixing their coins. Someone dead serious about mixing their coins might leave a node online and let it mix for days or weeks, and would succeed in doing so even if "NotMixed" got thrown in a few steps along the way.
Transisto (Donator, Legendary, Activity: 1731, Merit: 1008)
July 20, 2012, 05:55:36 AM
... by default?
What are the benefits of participating in mixing someone else's coins?
Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefit of discouraging bad behaviors?
I would much prefer someone who stole BTCs to pay a fee to a shameless mixer than to help him unknowingly.
casascius (OP), Mike Caldwell (VIP, Legendary, Activity: 1386, Merit: 1140)
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
July 20, 2012, 06:02:59 AM
... by default?
What are the benefits of participating in mixing someone else's coins?
Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefit of discouraging bad behaviors?
I would much prefer someone who stole BTCs to pay a fee to a shameless mixer than to help him unknowingly.
Bad behaviors like what? Donating to WikiLeaks and other politically incorrect causes? Do we want Bitcoin to be a system that tracks taint of coins, or don't most of us share the consensus that the system as a whole would be better off without the notion of tainted coins, even if that means a few thieves will have an easier time getting away with their crimes? For everything you're asking for, there's MasterCard.
justusranvier (Legendary, Activity: 1400, Merit: 1013)
July 20, 2012, 06:17:29 AM
I will probably discard the remaining 0.02 as a transaction fee somewhere so long as it's not worth mixing.
That is exactly what mixing should focus on. I can take 73.26 and split it myself into smaller sizes in a way that looks like a series of purchases on my own node with no cooperation needed from anyone else. What I can't do is anonymously combine all my dust addresses into an address large enough to be useful without outside assistance. A client can be very careful to use different incoming addresses for every receipt and to never link addresses, but at some point the user is going to want to spend an amount larger than the balance of any single address. The only way to avoid this situation without compromising anonymity is to have the ability to securely combine small addresses into larger ones. That's why I think mixing should be focused on transactions which have many more inputs than outputs. https://bitcointalk.org/index.php?topic=93390.msg1036811
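As an added example (not code from the thread or from any Bitcoin client), here is a satoshi-precision split of an amount into the M^n chunk denominations the thread discusses. Base M = 5 with chunks from 5^2 down to 5^-2 BTC (25, 5, 1, 0.2, 0.04) is my assumption, chosen so that the 73.26 BTC and 0.02 BTC figures above come out.

```python
# Added example: split an amount into M^n "standard chunk" denominations,
# working in satoshis so no float rounding creeps in.
# Assumed parameters: base 5, chunks from 5^2 down to 5^-2 BTC.
from decimal import Decimal

SATOSHI = 100_000_000  # satoshis in one BTC


def chunk_sizes(base=5, largest_power=2, smallest_power=-2):
    """Return the denominations M^n, largest first, in satoshis.

    Negative powers are only allowed when M^-n divides 1e8 exactly,
    so every chunk is a whole number of satoshis.
    """
    sizes = []
    for n in range(largest_power, smallest_power - 1, -1):
        if n >= 0:
            sizes.append(base ** n * SATOSHI)
        else:
            divisor = base ** (-n)
            if SATOSHI % divisor:
                raise ValueError(f"{base}^{n} BTC is not a whole number of satoshis")
            sizes.append(SATOSHI // divisor)
    return sizes


def decompose(amount_btc, sizes):
    """Greedily split amount_btc into chunks of the given sizes.

    Returns (chunks, leftover): chunks maps chunk size in satoshis to
    how many of that size are needed; leftover is the dust below the
    smallest chunk, which the thread suggests giving up as the fee.
    Because the sizes are successive powers of M, greedy is optimal
    and every count stays below M (each count is a base-M digit).
    """
    remaining = int(Decimal(str(amount_btc)) * SATOSHI)
    chunks = {}
    for size in sizes:
        count, remaining = divmod(remaining, size)
        if count:
            chunks[size] = count
    return chunks, remaining


def show(amount_btc, base=5):
    """Human-readable plan for one amount, e.g. the thread's 73.26 BTC."""
    chunks, leftover = decompose(amount_btc, chunk_sizes(base))
    parts = [f"{count} x {Decimal(size) / SATOSHI:.8f}".rstrip("0").rstrip(".")
             for size, count in chunks.items()]
    return (f"{amount_btc} BTC -> " + ", ".join(parts)
            + f"; {Decimal(leftover) / SATOSHI} BTC left over for the fee")


if __name__ == "__main__":
    print(show("73.26"))
```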
Transisto (Donator, Legendary, Activity: 1731, Merit: 1008)
July 20, 2012, 06:19:13 AM (Last edit: July 20, 2012, 06:36:43 AM by Transisto)
... by default?
What are the benefits of participating in mixing someone else's coins?
Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefit of discouraging bad behaviors?
I would much prefer someone who stole BTCs to pay a fee to a shameless mixer than to help him unknowingly.
Bad behaviors like what? Donating to WikiLeaks and other politically incorrect causes? Do we want Bitcoin to be a system that tracks taint of coins, or don't most of us share the consensus that the system as a whole would be better off without the notion of tainted coins, even if that means a few thieves will have an easier time getting away with their crimes? For everything you're asking for, there's MasterCard.
Tracking tainted coins is already very challenging. As a coin mixer, would I bother to do research on every case of stolen coins and act as a judge in every case, for say $50,000 worth of BTC? Probably NO. But say there was a major heist of 500k BTC at a major exchange and the savings of tens of thousands of people were lost, putting the whole economy at risk? Or say someone kidnapped some very important person and the lives of many depend on finding who spent the coins? In those latter cases I would rather accept the highest fee from either the client or the affected people. People who had 50,000 BTC stolen would pay a hefty bounty for any information leading to the culprit. Sorry, but I always thought of this as a feature of Bitcoin and I will continue to see coin mixing as a non-issue for 99.99% of honest people and 99% of dishonest ones.
Transisto (Donator, Legendary, Activity: 1731, Merit: 1008)
July 20, 2012, 06:48:46 AM (Last edit: July 20, 2012, 07:41:54 AM by Transisto)
if coin mixing were built into the client, there would never be a need for anyone to use a coin mixing service, and thereby deliberately and identifiably participate in so-called "money laundering"
Most people see no problem in said "money laundering", because most of the money to be laundered is from the drug trade and lots of people here are against the war on drugs. Laundering money from the drug trade is not the same as laundering money from, say, "human trafficking" or "mass murdering". To be honest, if this feature were removed I'd quit Bitcoin and wouldn't give it a long time before it gets shut down. The way it currently works also adds value to newly mined coins, which adds incentive for miners to secure the network.
waspoza
July 20, 2012, 08:11:18 AM
... by default?
What are the benefits of participating in mixing someone else's coins?
Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefit of discouraging bad behaviors?
I would much prefer someone who stole BTCs to pay a fee to a shameless mixer than to help him unknowingly.
Bad behaviors like what? Donating to WikiLeaks and other politically incorrect causes? Do we want Bitcoin to be a system that tracks taint of coins, or don't most of us share the consensus that the system as a whole would be better off without the notion of tainted coins, even if that means a few thieves will have an easier time getting away with their crimes? For everything you're asking for, there's MasterCard.
+1
bc (Member, Activity: 72, Merit: 10)
July 20, 2012, 11:34:11 AM
... by default?
What are the benefits of participating in mixing someone else's coins?
Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefit of discouraging bad behaviors?
I would much prefer someone who stole BTCs to pay a fee to a shameless mixer than to help him unknowingly.
Valid question. What is seen: Coins are stolen, and there's a statistical method to trace subsequent spends to the culprit. What is not seen: Thousands (millions?) of people will be coerced into paying capital gains on coins that appreciate in value. Those taxes will go to fund all manner of government programs. Governments will profit from the appreciation of traceable coins. The coercion has teeth because of traceability.
Mike Hearn (Legendary, Activity: 1526, Merit: 1134)
July 20, 2012, 11:37:55 AM
Steve
July 20, 2012, 01:04:58 PM
... by default?
What are the benefits of participating in mixing someone else's coins?
Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefit of discouraging bad behaviors?
I would much prefer someone who stole BTCs to pay a fee to a shameless mixer than to help him unknowingly.
I don't think you realize just how non-anonymous the current bitcoin client really is. Most people would prefer that the amount of coins under their control not be so easily discerned from the block chain. Do you walk around wearing a shirt that announces your net worth to everyone? It has nothing to do with people engaged in what some may consider bad behavior.
Transisto (Donator, Legendary, Activity: 1731, Merit: 1008)
July 20, 2012, 03:20:57 PM
... by default?
What are the benefits of participating in mixing someone else's coins?
Say 98% of users do not have anything to hide and would prefer all transactions be traceable for the benefit of discouraging bad behaviors?
I would much prefer someone who stole BTCs to pay a fee to a shameless mixer than to help him unknowingly.
I don't think you realize just how non-anonymous the current bitcoin client really is. Most people would prefer that the amount of coins under their control not be so easily discerned from the block chain. Do you walk around wearing a shirt that announces your net worth to everyone? It has nothing to do with people engaged in what some may consider bad behavior.
For what you're asking for, there's MasterCard. Or how about you constantly request money to be sent to different addresses, or pay a small fee for coin mixing if you're that ashamed of your net worth? It had nothing to do with bad behavior; now it will. Would you really want Bitcoin to be associated mostly with evilness? Could be profitable, but I would wait until we're crunching around 500 petahash/s.
n8rwJeTt8TrrLKPa55eU
July 20, 2012, 03:24:46 PM
Tracking tainted coins is already very challenging
Sorry, but I always thought of this as a feature of Bitcoin and I will continue to see coin mixing as a non-issue for 99.99% of honest people and 99% of dishonest ones.
Tracking is difficult now because there are no tools. If Bitcoin becomes successful as a widespread means of payment, it is a certainty that sophisticated and cheap blockchain analysis tools will be developed both for commercial purposes and criminal purposes. Similar to the rise of products and tools that currently do comprehensive HTTP log, cookie, and webbugs analysis to track individual customers. Imagine in the future a naive user (your mom, your grandma) who is unaware of the technical details, and keeps receiving and sending Bitcoins always using the same and/or chained addresses. Every time they buy something, no matter how trivial, they are potentially giving a determined snooper/attacker a window into all of their income and purchases since the dawn of time. This is a disaster waiting to happen. It will make life wonderful for criminals in countries (e.g. Latin America) where robbery and kidnapping and extortion are common. It is absolutely essential for the long-term viability of Bitcoin that all clients (and ideally, the protocol itself) have mixing built-in and turned on by default.
Transisto (Donator, Legendary, Activity: 1731, Merit: 1008)
July 20, 2012, 03:35:21 PM (Last edit: July 20, 2012, 03:59:16 PM by Transisto)
...I don't think you realize just how non-anonymous the current bitcoin client really is. ...
I mine coins, I announce it with my IP, I spend it. I agree it's not anonymous because all pools can leak information about their customers (miners): what IP sent X shares and where the payment for those was sent. Next we learn it's possible to route shares through proxies. It's also not anonymous because all merchants can be hacked and all customer information leaked, linking transactions with home addresses.