
Topic: Anonymous Bitcoin Transactions with Coinjoin (Read 5575 times)

legendary
Activity: 1795
Merit: 1208
This is not OK.
September 01, 2013, 05:51:56 AM
#27
Could payment processors, web shops etc. use this to combine payments (within a few minute window or so) to the same or small number of addresses?
Guess that'd have to be done carefully to maintain anonymity.
full member
Activity: 187
Merit: 100
September 01, 2013, 05:25:52 AM
#26
Is it possible to unravel the signed transaction to see where 1a wanted their money to end up?
The network must know the path otherwise how would they get from A to B.
The intention for the money to end up in a certain place is the weak link right?
No. The whole transaction ("this group of things to that group of things") is the intention the transaction conveys, and it cannot be separated when using sighash all (the default sighash type). That's the point. There are possible side channels— how different clients encode signatures, for example, but the transaction style itself doesn't leak any information about the mapping when used correctly.

Quote
Of course, like you have said in that thread, all the inputs must be the same denomination, right?
There is no fundamental requirement in the Bitcoin protocol for them to be the same, but if they are different sizes you likely leak some information about the input to output mapping: If I put in 5 and you put in 50... and addr X gets out 50 and Y gets out 5 ... how do you think they map?

idk ... what if I paid you 45 BTC? Using this scheme for ordinary payment transactions would add a great deal of uncertainty to the whole blockchain.

I'd love to see this added to standard clients as standard payment mechanism if anyone can work out a reasonable protocol to automate collecting the sigs. Maybe with a payment request already including the merchant's input to the tx.
newbie
Activity: 10
Merit: 0
Would it be possible for each party to a coinjoin transaction to give multiple output addresses so that if arbitrary input amounts are used, the output amounts can be randomly split across several outputs to prevent inferring an input to output relationship by amount?
legendary
Activity: 2338
Merit: 2106
impressive!
legendary
Activity: 1120
Merit: 1152
So will combining multiple transactions also help with blockchain bloat / sustainability? Or would the size of the coinjoined transactions be much the same as the separate ones?

This probably increases both traffic and the size of the unspent transaction output set.

CoinJoin does increase network traffic a bit, but it can be implemented in a way that decreases UTXO and blockchain size.

For instance, in addition to everything proposed already, you can make CoinJoin automatically join together multiple requests to pay the same address. For instance, if Alice, Bob, and Charlie all want to donate 1BTC to Wikileaks's public address, their CoinJoin implementation can take note of that and generate a single 3BTC txout with that address. You could even extend the payment protocol with support so that, for instance, BitPay could have all customers in a given 10 second interval join their payments together for totally unrelated items into a single txout.
legendary
Activity: 1176
Merit: 1015
So will combining multiple transactions also help with blockchain bloat / sustainability? Or would the size of the coinjoined transactions be much the same as the separate ones?

No, not really, because if it was not for the intention of making this transaction to mix the coins then this transaction would not happen. So it's not really cutting down on bloat.

On the plus side, this would be a normal sized transaction so it's not going to do any harm.
legendary
Activity: 905
Merit: 1012
So will combining multiple transactions also help with blockchain bloat / sustainability? Or would the size of the coinjoined transactions be much the same as the separate ones?

This probably increases both traffic and the size of the unspent transaction output set.
legendary
Activity: 2674
Merit: 2965
Terminated.
Good work. Something innovative again, and so interesting.
legendary
Activity: 1795
Merit: 1208
This is not OK.
So will combining multiple transactions also help with blockchain bloat / sustainability? Or would the size of the coinjoined transactions be much the same as the separate ones?
newbie
Activity: 44
Merit: 0

How about the people partaking in the transaction, is it possible to watch as more and more people add onto the transaction who intended what btc to go where?

Or is the transaction made all at once with many people involved but no one seeing where the people want the coins to go. (I'm talking about watching the process of this coinjoin tx being built)

In this implementation the outputs and inputs are collected in two separate stages to avoid easy correlation because the user sent both input and output at the same time. During inputs and outputs stage it's possible to watch a counter of how many participants sent their data, but we don't show the details till everything is collected (we do this to further avoid correlation, but probably wouldn't matter or might even help to show them as it goes).
newbie
Activity: 14
Merit: 0
This is not good.

If Bitcoin is further anonymized, Dictator Barack Obama will ban it soon.
staff
Activity: 4242
Merit: 8672
How about the people partaking in the transaction, is it possible to watch as more and more people add onto the transaction who intended what btc to go where?
Or is the transaction made all at once with many people involved but no one seeing where the people want the coins to go. (I'm talking about watching the process of this coinjoin tx being built)
It depends on how it is implemented. The simplest ways of implementing it make either a meeting point "server" learn the correspondence, or all the participating users.  More complicated ways result in no one knowing. (I sketched out at a very high level in the other thread two distinct ways on the more complicated ends of the spectrum, but there are many possible ways with distinct trade-offs in security, implementation complexity, resistance to denial of service attack, etc)
full member
Activity: 211
Merit: 100
You are not special.
Wow. This is way above my head! I didn't even realise this was possible! I hope this project continues to grow and that anonymous peer networks can be found easily and quickly in the future.
legendary
Activity: 1176
Merit: 1015
Is it possible to unravel the signed transaction to see where 1a wanted their money to end up?
The network must know the path otherwise how would they get from A to B.
The intention for the money to end up in a certain place is the weak link right?
No. The whole transaction ("this group of things to that group of things") is the intention the transaction conveys, and it cannot be separated when using sighash all (the default sighash type). That's the point. There are possible side channels— how different clients encode signatures, for example, but the transaction style itself doesn't leak any information about the mapping when used correctly.


How about the people partaking in the transaction, is it possible to watch as more and more people add onto the transaction who intended what btc to go where?

Or is the transaction made all at once with many people involved but no one seeing where the people want the coins to go. (I'm talking about watching the process of this coinjoin tx being built)
staff
Activity: 4242
Merit: 8672
Is it possible to unravel the signed transaction to see where 1a wanted their money to end up?
The network must know the path otherwise how would they get from A to B.
The intention for the money to end up in a certain place is the weak link right?
No. The whole transaction ("this group of things to that group of things") is the intention the transaction conveys, and it cannot be separated when using sighash all (the default sighash type). That's the point. There are possible side channels— how different clients encode signatures, for example, but the transaction style itself doesn't leak any information about the mapping when used correctly.

Quote
Of course, like you have said in that thread, all the inputs must be the same denomination, right?
There is no fundamental requirement in the Bitcoin protocol for them to be the same, but if they are different sizes you likely leak some information about the input to output mapping: If I put in 5 and you put in 50... and addr X gets out 50 and Y gets out 5 ... how do you think they map?
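
An added illustration of the amount-linkage point in the reply above, and of the earlier question about splitting outputs (this is not code from the thread or from any CoinJoin implementation). It enumerates every assignment of outputs to participants whose amounts balance, assuming one input per participant, positive integer amounts and no fee; the function names are hypothetical.

```python
def consistent_mappings(inputs, outputs):
    """Enumerate assignments of outputs to input owners whose sums balance.

    inputs[i] is participant i's input amount; the tuple m returned for each
    solution has m[j] = index of the participant who could own outputs[j].
    Assumes positive integer amounts, one input each, and no fee.
    """
    remaining = list(inputs)
    assignment, found = [], []

    def place(j):
        if j == len(outputs):
            if not any(remaining):          # every input fully spent
                found.append(tuple(assignment))
            return
        for i, left in enumerate(remaining):
            if outputs[j] <= left:          # prune: owner cannot overspend
                remaining[i] -= outputs[j]
                assignment.append(i)
                place(j + 1)
                assignment.pop()
                remaining[i] += outputs[j]

    place(0)
    return found


def possible_owners(inputs, outputs):
    """For each output, the set of participants it could belong to."""
    owners = [set() for _ in outputs]
    for m in consistent_mappings(inputs, outputs):
        for j, i in enumerate(m):
            owners[j].add(i)
    return owners


if __name__ == "__main__":
    # Constructed sample amounts, in whole BTC.
    cases = {
        "5 and 50 in, 50 and 5 out": ([5, 50], [50, 5]),
        "four equal inputs and outputs": ([1, 1, 1, 1], [1, 1, 1, 1]),
        "50 split as 45 + 5": ([5, 50], [5, 5, 45]),
    }
    for name, (ins, outs) in cases.items():
        print(name, len(consistent_mappings(ins, outs)), possible_owners(ins, outs))
```

With equal denominations every permutation balances, while the 5/50 case has a single consistent mapping; splitting the 50 makes the two 5 outputs ambiguous but still pins the 45 output to the larger input.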
legendary
Activity: 1176
Merit: 1015
Question: Is it possible to trace one input to an output?

So inputs 1a,2a,3a,4a in and outputs 1b,2b,3b,4b out. Is it possible to trace 2a ending up as 4b? (Assuming that is the path the transactions took)


It is absolutely not possible to trace one input to an output in complex transactions. The reason is that, by the protocol, we only check that it all adds up (inputs, outputs, and fees). If it adds up, the transaction is valid. We don't, because we can't, keep track of a bitcoin, much like you cannot keep track of a number when adding numbers: If 3+5=8, you cannot tell which of those eight come from those three. With physical objects you could, but bitcoins are pure abstraction, like numbers in the above example.
You could maybe argue that one of the outputs is, for example, 12.5% related to one of the inputs (previous outputs, that is), but this is far from "tracing" one-on-one.

Is it possible to unravel the signed transaction to see where 1a wanted their money to end up?

The network must know the path otherwise how would they get from A to B.

The intention for the money to end up in a certain place is the weak link right?
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
Question: Is it possible to trace one input to an output?

So inputs 1a,2a,3a,4a in and outputs 1b,2b,3b,4b out. Is it possible to trace 2a ending up as 4b? (Assuming that is the path the transactions took)


It is absolutely not possible to trace one input to an output in complex transactions. The reason is that, by the protocol, we only check that it all adds up (inputs, outputs, and fees). If it adds up, the transaction is valid. We don't, because we can't, keep track of a bitcoin, much like you cannot keep track of a number when adding numbers: If 3+5=8, you cannot tell which of those eight come from those three. With physical objects you could, but bitcoins are pure abstraction, like numbers in the above example.
You could maybe argue that one of the outputs is, for example, 12.5% related to one of the inputs (previous outputs, that is), but this is far from "tracing" one-on-one.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
I wonder if this could be added to regular Electrum client as an optional extra module (with extra dependencies libbitcoin, sx) ? Python, client/server ... seems closely aligned.
legendary
Activity: 1176
Merit: 1015
Will coinjoin eventually offer the same anonymity benefits Zerocoin promised?
See the thread on the general idea for my thoughts on the general question.

Far out, I had no idea you could have other inputs from other people into transactions and do it in a trustless way.

This is amazing, and it just uses normal transactions.

So essentially this is coin mixing using the inputs of a transaction from lots of people. Of course, like you have said in that thread, all the inputs must be the same denomination, right?

Question: Is it possible to trace one input to an output?

So inputs 1a,2a,3a,4a in and outputs 1b,2b,3b,4b out. Is it possible to trace 2a ending up as 4b? (Assuming that is the path the transactions took)

staff
Activity: 4242
Merit: 8672
Will coinjoin eventually offer the same anonymity benefits Zerocoin promised?
See the thread on the general idea for my thoughts on the general question.