Topic: [ANN][DASH] Dash (dash.org) | First Self-Funding Self-Governing Crypto Currency - page 6161. (Read 9724097 times)

full member
Activity: 140
Merit: 100
sr. member
Activity: 336
Merit: 250
I spent a fair amount of time thinking about the discussion with dime, humanitee, luigi1111, camosoul and others yesterday about the anonymity of Darksend.  I suspected that the logic behind darksend as currently implemented was not sound, and I thought it would be best to determine how exactly darksend was working, and do an in-depth analysis of a mixing cycle and the transactions that follow mixing.

This analysis appears to have confirmed my suspicions.  There is a flaw in darksend as currently implemented that removes virtually all anonymity from the mixing.  Luckily there are many steps that can be taken to remedy this, as I describe at the end of the post.

Let me start by describing how darksend is currently implemented. I did all of my testing on RC1, so any changes made in RC2 will not be reflected in this analysis:

Let’s pretend A,B,C etc. are addresses.
John wants to darksend 2 coins from address A to D
Fred wants to darksend 3 coins from address B to E
Bob wants to darksend 4 coins from address C to F

The masternode inputs are:
10 coins from A
10 coins from B
10 coins from C

The masternode outputs are:

2 coins to D + 8 coins to X
3 coins to E + 7 coins to Y
4 coins to F + 6 coins to Z

X,Y, and Z are “change” addresses, these are the addresses that are used to send back coins to A,B,C – instead of sending them back to the same address they are sent to a different “proxy” address in the same wallet.

As you can see, it is obvious which change address pairs to which darksend recipient address.
2+8 = 10, 3+7 = 10, etc.

But it appears (at this point at least) to be impossible to determine if someone is sending 2 coins to D and receiving 8 back in change or vice versa (sending 8 and receiving 2 back).  Later I will show you how this can be determined by analyzing the blockchain.

If we are given only this much info the transactions remain anonymous, as there are still 3 possibilities for each darksend:

A sent D&X, or E&Y, or F&Z
B sent D&X, or E&Y, or F&Z
C sent D&X, or E&Y, or F&Z

Now here is where the problem arises:

Let's pretend John has 500 coins at address A, he darksends 2 coins to address D, his wallet is deducted 10 coins.  The masternode sends John his “change”, 8 coins, which he receives at new address X. At the end of the darksend transaction everything is fine and dandy.  John has 490 coins at address A, and 8 coins at address X. There is no way to link address A and X so he is safe, he might even have other addresses in his wallet that contain coins.

So far, so good.  BUT, John decides to buy something shiny, it costs a lot of coins (550 coins to be exact). So he sends 550 coins to address G, when he does so his wallet looks at the available addresses in his wallet and sends out 650 coins to address G.  On the blockchain it looks like this:

Input
490 coins from address A
52 coins from address F
8 coins from address X

Output
550 coins to address G

So this is the problem with the logic behind darksend as it is currently implemented.  The transaction itself is fine, the problem lies in the fact that a "change" address is created “address X” which acts like a ticking time bomb, capable of exposing darksend transactions well after they were conducted.  The transaction above exposes address A (with 100% certainty) as the sender of 2 coins to address D above.

Now I’m going to walk through an example on the blockchain to show you how one can analyze the chain to unravel the darksend mixing. Here is what the mixing step looks like on the blockchain:

http://chainz.cryptoid.info/drk/tx.dws?249282.htm

And if we map out John’s transactions (just by looking at the blockchain with no other info)



A: http://chainz.cryptoid.info/drk/tx.dws?249273.htm
This is the initial step when darksend is initiated.  All of the coins (22) from the address XbaY4 are subdivided into three pieces and assigned a new address. Only the piece of size 11.889 will be carried through towards the mixing transaction, the other two pieces will sit dormant in the user’s wallet.

B: http://chainz.cryptoid.info/drk/tx.dws?249281.htm
In this step 11.889 coins are divided into three pieces, the piece of size 10 will enter the mixing reaction, the two smaller pieces (1.778 and 0.11) are returned to the users’ wallet with a new address.

C: http://chainz.cryptoid.info/drk/tx.dws?249282.htm
This is the mixing step that is performed by the masternode. John’s 10 coins from address XvGuC are sent into the pool with two other 10 coin inputs. 2 coins are sent to the darksend receiving address (Xpahw), and 7.999 coins are sent back to John’s “change” address XvitP.  Up to this point everything is anonymous and working well, the problem though is that address XvitP will act as a “ticking time bomb”, potentially acting as the key to unlock John’s contribution to the mixing step at some point in the future if this address is ever used in another transaction.

D: http://chainz.cryptoid.info/drk/tx.dws?249706.htm
Here the ticking time bomb goes off.  John sends 19.997 coins to address XjE6N.  The wallet uses 5 different inputs from three different addresses.  XfsVr, XvGuC are both linked to the darksend address XbaY4, these are packaged together with the dirty “change” address XvitP, and sent to XjE6N.  Looking back at the green box C, we can see that this outs John's address XbaY4 as the initial darksender of 2 coins to destination address Xpahw.  This is the essence of the problem.

Ok, so how can we solve this problem?

Here are my suggestions, not a comprehensive list for sure, listed by order of importance (IMO).

A) Randomized Serial Mixing
Darksent coins (both change and non-change) must be mixed more than once.  Importantly, the number of mixing cycles CAN NOT be fixed, as this would allow someone to know when a given input is expected to be finished mixing.  This is not good, it would defeat the whole purpose of mixing multiple times.  I propose that the number of mixing cycles be a random number, generated by the client, roughly between about 5 and 20 cycles.   Alternatively, this number could be set as a user-defined variable in an advanced settings menu.

B) More uniform pools
Each decimal place gets its own pool.  Period.  Long decimal transactions can be divided into multiple pools.

C) Boost pool size and increase the number of duplicate inputs
The masternodes (or potentially even normal nodes that volunteer) could monitor the darksend pools, and automatically darksend transactions into the pool that match darksend amounts currently being washed. 2 coins, or 8 coins, for example to help keep John anonymous.   Also, if the pool size is 10, the wallet should attempt to send from an address that is as close to 10 as possible. If an address of exactly 10 is used, this removes the risk of exposing oneself in a later transaction.

D) Divide up change addresses
Instead of just address X (or in John’s case XvitP), break it into 8 addresses, each holding 1 coin.  Combine this with randomized serial mixing – wash each address a random number of times to maximize anonymity.

E) Smart wallet distribution of coins
If the change is 8 coins, the wallet should try NOT to send all 8 coins at once in a transaction – it should break up these coins when sending later transactions as much as possible.

F) Random transaction fees
Pay the masternode a small fee, and also increase anonymity in the pool at the same time.  Only the masternode knows how much fee you’ve paid.  This would help anonymize the smaller pool sizes (.01 pools and below)

G) Let's Brainstorm
There are other solutions I’m sure..  If everything above is implemented the anonymity of darkcoin will be extremely high, but there might be other great solutions I didn't think of, this is where you and our talented devs come in. Throw out your best ideas to increase anonymity

It's also worth mentioning that I haven't sold any of my coins since discovering the flaw, the future of Darkcoin is still extremely bright.  Evan is an amazing dev that should be able to fix this issue in no time. Sorry for the long post (:  

Best,
Sim
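
The linkage described in the post above, written as a check a wallet could run on a candidate spend before broadcasting it. This is an added example, not part of the original post or of the Darkcoin code; the transactions are constructed from the post's A/B/C example, and address `W` and all function names are hypothetical.

```python
from itertools import combinations

DENOM = 10  # pool denomination used in the post's example

# Constructed sample data following the post's A/B/C example (whole coins).
MIX = {
    "inputs": [("A", 10), ("B", 10), ("C", 10)],
    "outputs": [("D", 2), ("X", 8), ("E", 3), ("Y", 7), ("F", 4), ("Z", 6)],
}
# John's later purchase; "W" is a hypothetical third address in his wallet.
LATER_SPEND = {
    "inputs": [("A", 490), ("W", 52), ("X", 8)],
    "outputs": [("G", 550)],
}


def pair_outputs(outputs, denom=DENOM):
    """Map each mix output to its partner when the pairing is unambiguous.

    Two outputs are a candidate payment/change pair if they sum to the
    denomination. A pair is kept only if neither side fits any other pair.
    """
    candidates = {}
    for (a, va), (b, vb) in combinations(outputs, 2):
        if va + vb == denom:
            candidates.setdefault(a, []).append(b)
            candidates.setdefault(b, []).append(a)
    return {
        a: partners[0]
        for a, partners in candidates.items()
        if len(partners) == 1 and len(candidates[partners[0]]) == 1
    }


def audit_spend(mix, spend, denom=DENOM):
    """Report what a spend reveals under the common-input-ownership assumption.

    If the spend's inputs contain exactly one address that funded the mix and
    a mix output with an unambiguous partner, that output is exposed as the
    funder's change and its partner as the payment recipient.
    """
    pairs = pair_outputs(mix["outputs"], denom)
    amounts = dict(mix["outputs"])
    mix_funders = {addr for addr, _ in mix["inputs"]}
    spent = {addr for addr, _ in spend["inputs"]}
    senders = sorted(spent & mix_funders)
    if len(senders) != 1:
        return []  # no funder co-spent, or several: nothing singled out
    findings = []
    for change in sorted(spent & set(pairs)):
        recipient = pairs[change]
        findings.append({
            "sender": senders[0],
            "change": change,
            "recipient": recipient,
            "amount": amounts[recipient],
        })
    return findings


if __name__ == "__main__":
    print("payment/change pairs:", pair_outputs(MIX["outputs"]))
    for f in audit_spend(MIX, LATER_SPEND):
        print("spend would reveal: {sender} sent {amount} to {recipient} "
              "(change address {change})".format(**f))
    # Duplicate amounts in the pool (suggestion C): the pairing is ambiguous,
    # so the recipient cannot be singled out by amount alone.
    print("with duplicates:", pair_outputs([("D", 2), ("X", 8), ("E", 2), ("Y", 8)]))
```

An empty result from `audit_spend` means the candidate inputs do not combine a mix funding address with its change output; a non-empty result is the reason to pick different inputs or split the spend.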
legendary
Activity: 1092
Merit: 1000
Another dump without much expression so far! Look at that order book on mintpal!

This coin is going to be huge
legendary
Activity: 1790
Merit: 1100
I would like to ask the devs to make it compulsory to include the blockchain as part of the supernodes, and have it as 'read by anyone'.
I think that once we have the supernodes up and running with a readable blockchain that is accessible by anyone, different services might evolve independent of the darkcoin devs on top of this, such as the thin wallet described by TS.

Personally, I'm thinking less about smartphone wallet, and more about symbian wallet for third world countries.
These countries enjoy a huge influx of remittances by workers sending money back home, traditionally via Western Union.
We have in our village Thai and Filipino students/workers. I heard how much they are charged for transfers and almost fell to the ground.

This is a huge market of more than $0.5 TRILLION PER YEAR.

I think this also bundles well with the Darkcoin gift-card that the devs are working on.


This is a great idea.

This is something that Andreas Antonopoulos is always talking in his conferences. I think we must focus in real "third world" problems instead of western world merchants.

We must beat Western Union first, then other FIAT currencies
legendary
Activity: 1092
Merit: 1000
I would like to ask the devs to make it compulsory to include the blockchain as part of the supernodes, and have it as 'read by anyone'.
I think that once we have the supernodes up and running with a readable blockchain that is accessible by anyone, different services might evolve independent of the darkcoin devs on top of this, such as the thin wallet described by TS.

Personally, I'm thinking less about smartphone wallet, and more about symbian wallet for third world countries.
These countries enjoy a huge influx of remittances by workers sending money back home, traditionally via Western Union.
We have in our village Thai and Filipino students/workers. I heard how much they are charged for transfers and almost fell to the ground.

This is a huge market of more than $0.5 TRILLION PER YEAR.

I think this also bundles well with the Darkcoin gift-card that the devs are working on.



Mandatory is a bit heavy, it would lessen the network's integrity. But it CAN absolutely be a perfect gateway to sub GPRS networks, and PERFECT for Africa, as it is already the norm in Kenya and Tanzania. People trade cellphone minutes for eggs, literally! Using the M-Pesa, it's quite literally current daily currency over there.

Would spread like wildfire as it would be... waaaaaait fooooor iiiiiit... decentralised.

HUGE market cap!!

http://en.wikipedia.org/wiki/M-Pesa
sr. member
Activity: 291
Merit: 250
I would like to ask the devs to make it compulsory to include the blockchain as part of the supernodes, and have it as 'read by anyone'.
I think that once we have the supernodes up and running with a readable blockchain that is accessible by anyone, different services might evolve independent of the darkcoin devs on top of this, such as the thin wallet described by TS.

Personally, I'm thinking less about smartphone wallet, and more about symbian wallet for third world countries.
These countries enjoy a huge influx of remittances by workers sending money back home, traditionally via Western Union.
We have in our village Thai and Filipino students/workers. I heard how much they are charged for transfers and almost fell to the ground.

This is a huge market of more than $0.5 TRILLION PER YEAR.

I think this also bundles well with the Darkcoin gift-card that the devs are working on.

legendary
Activity: 1456
Merit: 1000
Could someone point me to some documentation that describes exactly how darksend works?

To note: I have read the DarkSendDocumentation.pdf, the darkcoin white paper, and I have spent about an hour searching the web looking for information on this, but all accounts are overly simplistic, and oftentimes, contradictory. I suspect that there are many people like me who are not using Darkcoin simply because this information is not readily available.

For example, do you send money to a mixing pool first, and then withdraw it later? Do you need to use fixed denominations (10, or 100 DRK)? Can you check how many coins your transaction was mixed with? How many coins are in the pool? Do I send coins to a pool, or are they simply just mixed with all the coins that occur in the block? And how exactly are the coins mixed, what's the algorithm? Are there any studies on deanonymizing darksend transactions?

Thanks in advance.

We have an app for that


DarkSend

Q. Is there an estimated date on DarkSend being out of beta and a "finished" product? (@March 26, 14)
A. https://bitcointalksearch.org/topic/m.5913097

Q. What is the difference between ZeroCoin and Darkcoin [DarkSend]?
A https://bitcointalksearch.org/topic/m.5241291

Q. Is there a white paper for DarkSend?
A. https://bitcointalksearch.org/topic/m.5767979

Q. Step By Step, how is the DarkSend Protocol actually working?
A. https://bitcointalksearch.org/topic/m.5717144

Q. Will DarkSend be open source?
A. https://bitcointalksearch.org/topic/m.5622989


full member
Activity: 322
Merit: 105
Could someone point me to some documentation that describes exactly how darksend works?

To note: I have read the DarkSendDocumentation.pdf, the darkcoin white paper, and I have spent about an hour searching the web looking for information on this, but all accounts are overly simplistic, and oftentimes, contradictory. I suspect that there are many people like me who are not using Darkcoin simply because this information is not readily available.

For example, do you send money to a mixing pool first, and then withdraw it later?

No, mixing happens while your coins are on their way to their intended recipient.  You send out in denominations of 10 (currently).  Your tx is processed, then intended amount goes to your recipient, and you receive "change" back.  Everything is sent in denominations of 10 to make it more difficult to tie specific tx amounts to specific addresses.

Quote
Do you need to use fixed denominations (10, or 100 DRK)?

You send your desired amount.  Denomination happens automatically and you receive "change".

Quote
Can you check how many coins your transaction was mixed with?

If there is a way to do this, I'm not sure what it is.

Quote
How many coins are in the pool? Do I send coins to a pool, or are they simply just mixed with all the coins that occur in the block? And how exactly are the coins mixed, what's the algorithm? Are there any studies on deanonymizing darksend transactions?

Rest of these I'm not sure of.  I'm sure others can answer though.
sr. member
Activity: 249
Merit: 250
Could someone point me to some documentation that describes exactly how darksend works?

To note: I have read the DarkSendDocumentation.pdf, the darkcoin white paper, and I have spent about an hour searching the web looking for information on this, but all accounts are overly simplistic, and oftentimes, contradictory. I suspect that there are many people like me who are not using Darkcoin simply because this information is not readily available.

For example, do you send money to a mixing pool first, and then withdraw it later? Do you need to use fixed denominations (10, or 100 DRK)? Can you check how many coins your transaction was mixed with? How many coins are in the pool? Do I send coins to a pool, or are they simply just mixed with all the coins that occur in the block? And how exactly are the coins mixed, what's the algorithm? Are there any studies on deanonymizing darksend transactions?

Thanks in advance.
hero member
Activity: 546
Merit: 500
01100100 01100001 01110011 01101000
Let me just float this one in the air and see if it has some merit.

Imagine if Darkcoin could be used by governments for local, regional and eventually national voting in political elections.

Stick with me for a bit.

Voting costs a lot of money. There is a lot of administration.

Voting has to be fair, anonymous and foolproof.

[...]

So I can use thousands of wallets and have more weight in an election ? More money more rights ? It's anonymous yes, but fair no... And that's why they'll say : "let's tie the wallet to the id to have a really fair vote"

Clearly, it needs some thought into linking issued addresses or numbers of addresses issued with counted votes. You still need to have the principle of one person one vote. That's the type of extension coloured coins would probably be considered, but I'm not a fan of those.

If you can solve the issue of anonymous voting using a crypto currency, you also begin to solve a lot of other problems - like shareholder voting for decentralised anonymous corporations.

1-If the weight of the vote is function of the number of shares it's possible : let's say that the number of shares is equivalent to the number of coins in a wallet, a vote coming from a big wallet (or many of the same user) can have more power than a vote coming from a smaller one.

2-But if it's "one person, one vote" the identity has to be tied to the vote one way or another.
legendary
Activity: 1092
Merit: 1000
What's the difference between darksend and a mixing service for bitcoin ?

BTC mixers are centralized - just one server sitting out there like a big fat juicy target for snoopers.  Should the server be compromised by law enforcement (or whomever), it'd no longer be anonymous.  DarkSend chooses mixing nodes from the existing network and skips all over the place, making it difficult to infiltrate.  Also, the service is built in to the client with Darkcoin, so no fees for mixing.

There is more to it, but that's the gist.

There is also the very important trust issue, a BTC mixer is owned by someone you need to trust with your coins. We are moving away from centralization and into trustless solutions.
full member
Activity: 322
Merit: 105
What's the difference between darksend and a mixing service for bitcoin ?

BTC mixers are centralized - just one server sitting out there like a big fat juicy target for snoopers.  Should the server be compromised by law enforcement (or whomever), it'd no longer be anonymous.  DarkSend chooses mixing nodes from the existing network and skips all over the place, making it difficult to infiltrate.  Also, the service is built in to the client with Darkcoin, so no fees for mixing.

There is more to it, but that's the gist.
legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
Wanted to let everyone know that I've been rewriting/editing copy for a new website, and have made some progress on adapting a template. Still a bit to do but would welcome feedback so far. It's just a proposal but should hopefully be better than the current site.

Here's a screengrab of part of the front page...




Great improvement over the existing website design.

It also matches my free web based proxy / promo sites template: http://www.darkproxy.net and https://ssl.darkproxy.net

...

Whilst I'm here - can I recommend / suggest that the Darkcoin project and the community supports the Reset The Net initiative by Fight For The Future.

Watch: http://youtu.be/qKk8MHFLNNE

See: https://www.resetthenet.org/ - Reset The Net, before June 5th, 2014 - #ResetTheNet

You can support this initiative via Twitter, Facebook and Tumblr by linking the Thunderclap.it app to your account

See: https://www.thunderclap.it/projects/10619-reset-the-net/

This will potentially bring a lot of interest to Darkcoin and it's also a very worthwhile campaign in terms of promoting Internet Privacy.

BitcoinTalk.org forum thread: https://bitcointalksearch.org/topic/reset-the-net-june-5th-2014-httpswwwresetthenetorg-573931

Cheers!
hero member
Activity: 616
Merit: 501
What's the difference between darksend and a mixing service for bitcoin ?
legendary
Activity: 1092
Merit: 1000
Can we take the non-development discussion to some other thread somewhere else? It's nice to see this thread active but how many more times are we going to quote "you bring the escorts, I'll bring the beer" jokes and images! This is one of the first places people hit to get an idea on DRK and that all this trade non-sense, dirty jokes/references, constant bickering between a few usual suspects should not be the first thing they see!

Dude relax, this is by far the most interesting thought provoking thread in the altcoin world, whether it is technology discussions, philosophical issues, long term investment vision, etc. If you go to other threads they just discuss the price of their ponzi scheme coin and ignore whether it adds value to the real world or not. I think creating a culture around DRK  is very important to have a cohesive community, and so far this community is attracting intelligent and interesting people looking to create something revolutionary. Now back to listening to Pink Floyd while trading DRK.

 Plus, let's not forget that an organised place to discuss DRK is called darkcointalk.org!

 Anyway, got stuck setting up a MN, can't seem to run daemon... what gives?

Quote
ubuntu@ip-172-XX-56-67:~$ darkcoind
terminate called after throwing an instance of 'std::runtime_error'
  what():  locale::facet::_S_create_c_locale name not valid
Aborted (core dumped)

 
legendary
Activity: 1092
Merit: 1000
Can we take the non-development discussion to some other thread somewhere else? It's nice to see this thread active but how many more times are we going to quote "you bring the escorts, I'll bring the beer" jokes and images! This is one of the first places people hit to get an idea on DRK and that all this trade non-sense, dirty jokes/references, constant bickering between a few usual suspects should not be the first thing they see!

Dude relax, this is by far the most interesting thought provoking thread in the altcoin world, whether it is technology discussions, philosophical issues, long term investment vision, etc. If you go to other threads they just discuss the price of their ponzi scheme coin and ignore whether it adds value to the real world or not. I think creating a culture around DRK  is very important to have a cohesive community, and so far this community is attracting intelligent and interesting people looking to create something revolutionary. Now back to listening to Pink Floyd while trading DRK.
legendary
Activity: 1260
Merit: 1001
I know this is not related to Darkcoin, but it is very important. This petition is for Avaaz, which is a very large and popular grass-roots activist/petition site.
If they accept Bitcoin it will be very important for all cryptocurrencies going forward.

Now is your chance to sign the petition:

http://www.avaaz.org/en/petition/Avaazorg_Start_accepting_cryptocurrencies_like_Bitcoin_for_donations/?nFCTmbb
legendary
Activity: 1456
Merit: 1000
Let me just float this one in the air and see if it has some merit.

Imagine if Darkcoin could be used by governments for local, regional and eventually national voting in political elections.

Stick with me for a bit.

Voting costs a lot of money. There is a lot of administration.

Voting has to be fair, anonymous and foolproof.

[...]

So I can use thousands of wallets and have more weight in an election ? More money more rights ? It's anonymous yes, but fair no... And that's why they'll say : "let's tie the wallet to the id to have a really fair vote"

Clearly, it needs some thought into linking issued addresses or numbers of addresses issued with counted votes. You still need to have the principle of one person one vote. That's the type of extension coloured coins would probably be considered, but I'm not a fan of those.

If you can solve the issue of anonymous voting using a crypto currency, you also begin to solve a lot of other problems - like shareholder voting for decentralised anonymous corporations.
hero member
Activity: 546
Merit: 500
01100100 01100001 01110011 01101000
Let me just float this one in the air and see if it has some merit.

Imagine if Darkcoin could be used by governments for local, regional and eventually national voting in political elections.

Stick with me for a bit.

Voting costs a lot of money. There is a lot of administration.

Voting has to be fair, anonymous and foolproof.

[...]

So I can use thousands of wallets and have more weight in an election ? More money more rights ? It's anonymous yes, but fair no... And that's why they'll say : "let's tie the wallet to the id to have a really fair vote"
legendary
Activity: 966
Merit: 1000
Let me just float this one in the air and see if it has some merit.

Imagine if Darkcoin could be used by governments for local, regional and eventually national voting in political elections.

Stick with me for a bit.

Voting costs a lot of money. There is a lot of administration.

Voting has to be fair, anonymous and foolproof.

Which bit of the above, so far, doesn't fit DarkSend?

The hashing algo can provide a proof of voting. The administrators to an election can buy enough Darkcoins and sub-divide them into Duffs and issue them to registered voters. Registration includes setting up an online wallet, app., etc. for voters. There are some security issues that need to be fleshed out, but that's detail.

Over a specified period, voters can send their duffs to the candidate of their choice. Those candidates would have addresses that can be counted up in minutes not hours or days. The voting process is known only to the administrators and the voters - but crucially, the administrators don't know who the voters voted for, just that their Duffs were spent (they can even spend them on booze and not vote).

The process would be so cheap to run by comparison to existing elections, you could have regional votes every month on this or that issue.

And Darkcoin investors? Well, we would be laughing all the way to the DarkBank

I think I'm going to put this one to a vote as a possible future roadmap suggestion, after we see if there are any flaws.
The only fundamental flaw I see is the futility of voting in the first place. If your vote was worth anything, you wouldn't be allowed one.

DS does fit the anonymity requirement nicely though.

Blue sky, I would take it 1 critical step further: each citizen is sent a tax bill, which they pay by sending however much they want up to the total required to wallets corresponding to healthcare, education, blowing up Muslims, sexier nurse uniforms, fixing the roads, whatever they actually want their tax money spent on. That would be a lot closer to the principle of democracy than simply electing some shitbag who ignores how you want your money spent and instead lines his/her own pockets with it.

"Government" then becomes (ideally) simply the transparent, accountable administration of funding the projects that the demos has specified and paid for.



The fundamental flaw I see is that it would get a lot easier to anonymously buy and sell the votes
Plus ca change...

This way at least the little people could profit too if they wished. Shifting the power (and responsibility) down the ladder couldn't be worse than what we currently have.