In reply to:
http://www.reddit.com/r/DRKCoin/comments/1yit1a/using_coinjoin_for_anonymity_is_errorprone/
I'm posting this here, for everyone's benefit. Thanks!
Hi, I am Gnosis, the Anoncoin developer working on implementing Zerocoin. First of all, I think it is excellent that there is so much interest in developing a fully anonymous currency. I am not just a developer but also a user, or I will be when an anonymous currency exists! When coin creators compete, the coin users win!
However, CoinJoin has been around for a while, and it has not seen much use for anonymity. There's a good reason for that: it's not very anonymous.
Quoting my bitcointalk post:
CoinJoin has questionable anonymity compared to Zerocoin. The reason is that with CoinJoin, two or more users must somehow partner up and forge a transaction together. They communicate over a secure channel to do this. The coins are only mixed among these "partners." Picking partners you can trust is a significant obstacle: how can you know that your partners will "forget" the mixing that happened? One may try to repeat this 10 times with randomly chosen partners, but how can you know that your partners are not all just sock puppets of one malicious entity (on an anonymous network, it is trivial to create as many fake users as you want)? If that is the case, then your efforts are in vain.
Compare this with Zerocoin, where you put your coins in an accumulator, and they are mixed with the coins of all users who have put coins into that accumulator, since the beginning of Zerocoin. There would be a different accumulator for different denominations of Anoncoins (1, 5, 10, 50 ANC, etc.).
To put it simply, the more users' coins your coins are mixed with, the more anonymity you have.
I cannot speak to Darkcoin's implementation (or planned implementation) of CoinJoin since I cannot seem to find any specs or code on their Github or their site. If anyone knows, please point me to them.
I look forward to a practical and secure solution for anonymity from the DarkCoin devs!
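To make the "sock puppets" argument above concrete, here is a small model written for this post (it is an added example, not code from Anoncoin, Zerocoin or Darkcoin). It assumes a constructed network of honest users plus adversary-run fake identities, a user who picks CoinJoin partners uniformly at random each round, and that a round whose partners are all puppets gives that round no anonymity. The exact figure comes from a hypergeometric count; a seeded Monte Carlo run cross-checks it.

```python
"""
Sybil attack on partner-based mixing: how often is every CoinJoin partner a puppet?

Model (constructed for this example; not Anoncoin, Zerocoin or Darkcoin code):
  - one honest user mixes a coin over `rounds` independent CoinJoin rounds;
  - the network holds `honest_others` honest users and `sybils` fake
    identities all run by one adversary;
  - each round the user is joined by `pool_size - 1` partners drawn
    uniformly without replacement from everyone else;
  - a round hides the coin only among its honest partners, so a round whose
    partners are all sybils links that round's input to its output, and a
    coin whose every round is like that is fully traced.
"""
import random
from math import comb, log2


def fully_traced_probability(honest_others, sybils, pool_size, rounds):
    """Exact P(every partner in every round is a sybil), by hypergeometric count."""
    partners = pool_size - 1
    others = honest_others + sybils
    if partners < 1 or partners > others:
        raise ValueError("pool_size must be between 2 and the population size + 1")
    p_round = comb(sybils, partners) / comb(others, partners)
    return p_round ** rounds


def expected_honest_partners(honest_others, sybils, pool_size):
    """Mean number of honest (non-puppet) partners in one round."""
    return (pool_size - 1) * honest_others / (honest_others + sybils)


def anonymity_bits(anonymity_set_size):
    """Bits of uncertainty an observer has about which coin in the set is yours."""
    return log2(anonymity_set_size)


def simulate_traced(honest_others, sybils, pool_size, rounds, trials=10_000, seed=0):
    """Monte Carlo cross-check of fully_traced_probability with a fixed seed."""
    rng = random.Random(seed)
    population = ["honest"] * honest_others + ["sybil"] * sybils
    traced = 0
    for _ in range(trials):
        rounds_all_sybil = 0
        for _ in range(rounds):
            partners = rng.sample(population, pool_size - 1)
            if all(p == "sybil" for p in partners):
                rounds_all_sybil += 1
        if rounds_all_sybil == rounds:
            traced += 1
    return traced / trials


if __name__ == "__main__":
    # Constructed scenario: 9 other honest users, the rest of a 100-node
    # network is puppets, 3-party CoinJoins repeated 10 times.
    honest = 9
    for sybils in (0, 50, 91):
        p = fully_traced_probability(honest, sybils, 3, 10)
        exp_h = expected_honest_partners(honest, sybils, 3)
        print(f"sybils={sybils:3d}  P(fully traced after 10 rounds)={p:.3f}  "
              f"expected honest partners/round={exp_h:.2f}  "
              f"bits per round ~{anonymity_bits(exp_h + 1):.2f}")
    # Accumulator-style mixing: the set is every honest coin ever minted at
    # the denomination; puppet mints only pad it, they never shrink it.
    print(f"accumulator with 5000 honest mints: {anonymity_bits(5000):.1f} bits")
```

The contrast the model draws is in the last line: repeating rounds does not help when the adversary controls the partner draw, whereas an accumulator's anonymity set only grows as more coins are minted into it.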
First off, these are fantastic questions. The answer to implementing this in such a way where it is very difficult to exploit is by adding cost and verification.
Here’s the gist of how I envision DarkSend to work in the long run. Some of what I’m going to mention is done, some of it I’m working on currently. I’d love some ideas on possible attack vectors on my implementation, so we can make it as bulletproof as possible.
Pools
DarkSend adds various extensions to the Bitcoin protocol for implementing transaction pooling. Like normal Coinjoin the pools take transactions in stages. The stages currently are:
POOL_STATUS_IDLE
POOL_STATUS_ACCEPTING_INPUTS
POOL_STATUS_ACCEPTING_OUTPUTS
POOL_STATUS_SIGNING
POOL_STATUS_TRANSMISSION
So the users relay these items throughout the network as the stages happen. After all items are gathered into the pool, the transactions are merged together into one, remotely signed and then broadcast.
Masters
To defeat propagation problems, master nodes are elected each new block. They are responsible for being the authority of what goes into the joined transaction each session. This is done in a tamperproof way, but I think it’s not important to the discussion.
So what is the cost? There must be a cost to using this anonymous network, otherwise like you say there will be issues with millions of accounts popping up. I’m not dead set on which solution(s) to implement, but here’s a couple ideas:
Burnt Identities
Higher difficulty shares to the current block would be mined and then stored in the blockchain permanently. Multiple of these would be used for each transaction and would be “burnt” when misused, causing the attacker to have to mine them again.
Verification? To use the pools it will require unique unspent outputs, so someone who wants to mess with the system would have to have a large pool of funds in many addresses. So to attack a pool with 100 slots, you would require funds dispersed to 99 addresses, on 99 nodes working in common.
Other possible fee-less solutions? There is interesting research on protecting against sybil attacks that lends itself really well to a decentralized ledger, such as this paper:
http://dimacs.rutgers.edu/Workshops/InformationSecurity/slides/gamesandreputation.pdf
The idea is to build a social graph of the inputs and outputs of each entry and they should all know different people. If 99 of them all have the same “friends” that they associate with, then they’ll have to enter a different pool. Which will ensure the pool is not full of the nodes belonging to the attacker.
An application for machine learning? I’ve been making models for trading equities for over 7 years now. I ran a financial firm that sold the signals for a few years and I have experience with natural language processing using classifiers. So, I could make a classifier and actually embed it into Darkcoin to determine which pool a node should use, to separate out nodes that seem to be in common.
Other ideas? I’m open to ideas on how to provide the best security to the network. I would love to hear what people have in mind.
I’ve been working on DarkSend about a month and we’ve already fixed the decentralization and propagation issues, this is just another bridge to cross in the future.
Thanks!
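As an added illustration of the stage machine and two of the admission checks proposed in the post above (unique unspent outputs per slot, and the social-graph idea that pool members should all "know different people"), here is a toy pool in Python. It is not Darkcoin's code: the `PoolInput` record, the per-node "friends" sets, the Jaccard overlap threshold, the unsigned placeholder used in place of a real signature and the way outputs are collected are all assumptions made for the example. Master-node election and burnt identities are left out.

```python
"""
Toy DarkSend-style pool (added example, not Darkcoin's implementation).

Walks the five stages quoted in the post and enforces, at input time:
  1. every slot is backed by a distinct unspent output (one UTXO, one slot);
  2. an entrant whose prior-transaction "friends" overlap too much with a
     node already in the pool is turned away (the social-graph Sybil check).
Outputs are collected as a bag of addresses, not keyed by node, so the pool
itself never records which input paid which output.
"""
from dataclasses import dataclass
from enum import Enum, auto


class PoolStatus(Enum):
    IDLE = auto()
    ACCEPTING_INPUTS = auto()
    ACCEPTING_OUTPUTS = auto()
    SIGNING = auto()
    TRANSMISSION = auto()


@dataclass(frozen=True)
class PoolInput:
    node_id: str
    utxo: tuple          # (txid, vout); must be unspent and unique within the pool
    friends: frozenset   # hypothetical: addresses this node has transacted with before


def jaccard(a, b):
    """Overlap of two friend sets; 1.0 means identical social neighbourhoods."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class DarkSendPool:
    def __init__(self, slots, max_friend_overlap=0.5):
        self.slots = slots
        self.max_friend_overlap = max_friend_overlap  # assumed threshold
        self.status = PoolStatus.IDLE
        self.inputs = []
        self.output_addrs = set()
        self.nodes_with_output = set()
        self.signatures = set()
        self.reject_reasons = []

    def _reject(self, entry, reason):
        self.reject_reasons.append((entry.node_id, reason))
        return False

    def add_input(self, entry):
        if self.status not in (PoolStatus.IDLE, PoolStatus.ACCEPTING_INPUTS):
            return self._reject(entry, "pool not accepting inputs")
        if any(e.utxo == entry.utxo for e in self.inputs):
            return self._reject(entry, "utxo already backs a slot")
        if any(e.node_id == entry.node_id for e in self.inputs):
            return self._reject(entry, "node already holds a slot")
        for member in self.inputs:
            if jaccard(member.friends, entry.friends) > self.max_friend_overlap:
                return self._reject(entry, f"friend overlap with {member.node_id}")
        self.inputs.append(entry)
        self.status = PoolStatus.ACCEPTING_INPUTS
        if len(self.inputs) == self.slots:
            self.status = PoolStatus.ACCEPTING_OUTPUTS
        return True

    def add_output(self, node_id, address):
        if self.status is not PoolStatus.ACCEPTING_OUTPUTS:
            return False
        members = {e.node_id for e in self.inputs}
        if node_id not in members or node_id in self.nodes_with_output:
            return False
        self.nodes_with_output.add(node_id)
        self.output_addrs.add(address)
        if len(self.nodes_with_output) == self.slots:
            self.status = PoolStatus.SIGNING
        return True

    def merged_transaction(self):
        # Sorted on both sides so slot order carries no input/output correlation.
        return (tuple(sorted(e.utxo for e in self.inputs)),
                tuple(sorted(self.output_addrs)))

    def sign(self, node_id, own_output):
        """A node signs only after checking its own input and output survived the merge."""
        if self.status is not PoolStatus.SIGNING:
            return False
        own = next((e for e in self.inputs if e.node_id == node_id), None)
        ins, outs = self.merged_transaction()
        if own is None or own.utxo not in ins or own_output not in outs:
            return False
        self.signatures.add(node_id)  # placeholder for a real signature over the merged tx
        if len(self.signatures) == self.slots:
            self.status = PoolStatus.TRANSMISSION
        return True

    def broadcast(self):
        if self.status is not PoolStatus.TRANSMISSION:
            return None
        tx = self.merged_transaction()
        self.__init__(self.slots, self.max_friend_overlap)  # back to IDLE for the next session
        return tx
```

The overlap check is the weakest part of the design as sketched: an attacker who fabricates distinct friend sets for each puppet passes it, which is why the post pairs it with a per-slot cost (a funded UTXO, or a mined identity that can be burnt).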
Is it possible to implement 3 solutions to work side by side? Or would that conflict or slow things down too much? I like repetition