Design B: Users provide inputs, outputs and collateral at once. In this case the master node knows who is sending money to who, but later it can tell who didn’t sign.
I’ve chosen to use design B (users will add inputs and outputs at the same time) because it’s the only design that can’t be attacked in the way you’re saying.
Okay, he has confirmed that you are not anonymous to the master node, as I wrote upthread would be the case if he associates the collateral transaction with both input and output stages of the CoinJoin.
eduffield, I would like to say that is not acceptable because, for the same reason I don't want to use a mixer or laundry website, I can't know if the master node is an NSA honeypot.
I would like to suggest you think about my divide-and-conquer idea as another electable option for users.
If there is a failed stage, then divide the inputs into two groups. Then ask for outputs again. Divide and conquer as necessary, then the join will complete.
Not ideal, but at least you don't break anonymity and require trust of the master node.
Best of luck with it.
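The divide-and-conquer retry suggested in the post above, sketched as an added example that is not part of the thread or of any DRK code: the coordinator only ever learns whether a group's join completed, never which member stalled it. The names `try_join`, `disruptors` and `min_size` (the smallest group still worth joining) are assumptions made for this illustration.

```python
import random

def try_join(group, disruptors):
    """One join attempt for a group of inputs (hypothetical model).
    The coordinator sees only pass/fail, not who withheld an output
    or signature, so inputs are never linked to outputs."""
    return not any(p in disruptors for p in group)

def divide_and_conquer(inputs, disruptors, min_size=2, rng=None):
    """Retry a failed join on halves until every group completes or is
    too small to mix. Returns (completed_joins, unjoined, attempts)."""
    rng = rng or random.Random(0)
    completed, unjoined, attempts = [], [], 0
    pending = [list(inputs)]
    while pending:
        group = pending.pop()
        if len(group) < min_size:
            # Assumption: a group this small gives no mixing, so skip it.
            unjoined.extend(group)
            continue
        attempts += 1
        if try_join(group, disruptors):
            completed.append(sorted(group))
            continue
        # Failed stage: split at random so a staller cannot pick its peers,
        # then ask each half for outputs again.
        rng.shuffle(group)
        mid = len(group) // 2
        pending += [group[:mid], group[mid:]]
    return completed, sorted(unjoined), attempts

if __name__ == "__main__":
    # Constructed sample: eight inputs, one of which never signs.
    inputs = [f"in{i}" for i in range(8)]
    joins, left_out, n = divide_and_conquer(inputs, {"in5"})
    print("completed joins:", joins)
    print("left unjoined:  ", left_out)
    print("join attempts:  ", n)
```

In this model one stalling input among eight costs five join attempts and leaves one honest input unjoined alongside it, since the last failing pair cannot be split into groups that still mix anything.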
Thanks AnonyMint!
You are the real deal in anonymityland.
James
What he suggests is unlikely, but even if some nodes are run by the NSA, which is likely (why not?), then they might get info for one transaction. Big deal, they can't always be the master node, there are too many other nodes running. And to "fix" such a minute problem, or possible issue, one would have to complicate the system to such a degree, I am certain you'd create more holes than you can cover up.
Sounds good, in practice it's a disaster. KISS is the way I think it should go. That AnonyMint will never understand, as he keeps going on and on about the same half dozen issues. It's like conspiracy theories. Yeah, they could have happened, but how likely is it? With other more reasonable explanations and the fact that the government is so dang inept. It's just silly.
It's even more unlikely if we require the master nodes have 1000DRK and it would elect them from the whole network. That way if there's 5000 capable master nodes, it would cost 5000*1000DRK to de-anonymize 50% of the transactions. Seems like a good compromise.
PS. If one user doesn't sign, the whole process needs to restart. Which really just means the master node will ask all users to resubmit their inputs/outputs/signatures and will charge the user.
Not sure this approach won't be counterproductive. After all, cost wouldn't be a deterrent to an attacker, and unless 1000 DRK is something most of the users will have, it will limit the pool of possible master nodes, thus increasing the chances that it is a compromised node.
Also, even if "only" 10% of the transactions are de-anonymized, over time a fairly complete path analysis will become available.
All of this is not a concern for the mass market, but we need to be careful what sort of expectations DRK is setting.
I think as is for initial release is fine, and if you can implement the divide and conquer approach down the line, so much the better.
James