Topic: Blind Bitcoin Transfers (Read 14896 times)

As the TS has written in post #35, he is no longer running the service.

However, you may wanna check out our service: https://bitcointalksearch.org/topic/announce-bitcoin-fog-secure-bitcoin-anonymization-50037
We already superseed blindbitcoin in functionality, run through TOR, and have a couple of other advantages.
The Fog is not based on blindbitcoins however, and thus we don't share any of its bugs that may have led to discontinuation of its service.

(sorry for the shameless plugging, but it seemed like you were searching for a good working anon-service)

DNS appears to be inaccurate (resolves to IP address 1.2.3.4.)

Hello, I noticed blindbitcoin.com is down. Has this been discontinued?

Since MPC relies on at least one server being honest anyway, could this proposal be simplified by having each participant send their bitcoins to a pool controlled by unanimous consent of the mix operators, prior to the computation?  They could use the keys they sent with to sign the pieces of (output_i, random_i) sent to each of the servers to prove they are valid.  They could receive a locked transaction signed by all the servers which will return their coins in the event that unanimous consent is not reached by the servers to distribute the coins.  Thus, the only way for participants to lose their coins is for all of the mix operators to collude.

Also because we're relying on at least one server being honest, do we really need a random_i from each of the mix participants?  Could we get away with just having one from each of the servers?

I have no idea how the MPC is done from here, though.  But here's an interesting paper http://eprint.iacr.org/2008/068 describing a recent successful implementation of MPC with three servers and over 1000 participants in an real world auction.

I question if this kind of machinery is necessary for a mix, though.  Couldn't the same result be achieved by the mix operators doing the above pooling, and selecting a server to issue untraceable, unlinkable digital cash in exchange for the bitcoins?  The participants could then break their digital cash up into standardized sizes that maximize the size of the anonymity set, and then redeem the pieces to separate bitcoin addresses.  Of course the server would have to run as a Tor hidden service in order to obfuscate participants' IP addresses.

This is correct ofcourse -- everyone needs to put in the same amount.  Presumably there would be a number of  "mix clubs" runing at a time, each for different amounts.  Rather than discuss here I'll make a thread in dev section.

I don't want to dissuade others, so I'm posting here that I'm not interested.  I think it's a great idea, but I don't have much experience with those technologies.      Good luck!

Subscribing... Am interested in hashcoin's ideas too...

Once I get back to a real computer I'll be able to type more (on my phone right now) but how does the protocol overcome the fact that the input amount for person x will match the output for person x. Am assuming that you could potentially have a set of fixed transaction rings that you join each one with a set btc amount? Then I suppose it would just be a matter for the software to split the btc amount down amongst each ring?

OP - sorry you had to close your site, bitcoin needs more people like you making solutions and services
.
Will

The site is written in Python, using Twisted. The RSA parts of the site are written in C (via pycrypto) for speed and python calls out to it via the CPython C-extension api.

The database is MySQL, but you could easily port it to Postgres since the Twisted API for MySQL and Postgres is the same.

The client-side code is all javascript (obviously) and I use jQuery as well as jsbn (javascript bignum) and some other libraries that are GPL/BSD licensed.

If you're interested in running the site, shoot me a PM and we can work out compensation, etc.

Duncan, with your generic message on, I can't tell much about the technology.  What language and database did you use?  What compensation are you looking at in exchange for transfer of the service?

Yeah, I think so. The potential liability of somebody finding an exploit and stealing from my customers, plus the potential legal liability is too much to shoulder for the amount of money that I could potentially make on that sort of thing.

It makes me very sad to have to close the site, especially after I've put in n-hundred hours of work on it, but I think this is the best option.

I'll reiterate: if anyone wants to take over operating the site, I will give any and all assistance I can. I really don't want to see this site die, even if I can't run it anymore.

Site says closed for good?

Duncan,

Thanks for putting this together. Hopefully someone will take it and run with it. People deserve privacy in their personal affairs.

Trader Steve

Scratch that on the business resuming.

I have decided that the liability of running a site like this is just too great and the monetary benefit is too small.

I will continue to honor unredeemed tokens and existing scheduled pay-outs, but I will not be accepting new transactions.

I anyone wants to carry on this site, I can help you get everything up and running.

--Duncan

Hey all. My site is currently down while I figure out a bug that somebody was able to exploit to insert erroneous pay-outs into my scheduler.

Rest assured that I have the bitcoins to honor legitimate pay-outs and that business will resume as soon as I find the bug.

This would indeed need separate client software (once you do p2p instead of centralized, you need your own software.  what a shame! If only it were as easy to launch new p2p software as it were to start a website.  Hmm....), but I was not thinking including in bitcoin since this is something highly specialized.  Presumably this would be something like the TOR network for bitcoin: a separate p2p client for mixnets.

Secure MPC is quite interesting and in general you can think of it as the "big hammer" or perhaps more like the "nuclear bomb" of cryptography.  Every sophisticated crypto protocol we know of (anonymous e-cash, secure electronic voting, zerk-knowledge proof) is infact a special case of secure MPC.  The problem is because its so general it's not practical yet, so while we knew how to do these things using MPC, to do them in real life typically one needs to come up with a special case solution.  However, taking a protocol, doing the secure MPC transformation on it, and then simplifying from there can be good.   In particular a hot-potato scheme where a list is passed around and when it gets to you, you shuffle the outputs, replace your output with a new one, and pass it on could possibly be a starting point.   In particular this scheme protects the last K from the K+1'st-to-last.

Also I wouldn't consider being called a "random CSAIL ugrad" a bad thing, I was just trying to motivate you to make a better system that actually protects you  

No bet. I am a "random ugrad in CSAIL" and I've been called a great many things worse than that.

Thanks for the suggestion to see Prof. Rivest.

I was not aware of Secure Multi-Party Communication. This is just a side project of mine, I'm more of an AI guy than a crypto guy. I think if someone were to implement the scheme you describe, it would have to be either as an extension to the bitcoin client or in the bitcoin client itself. If I have the opportunity (read: time), though, I'll definitely work on this. Thanks a bunch for the suggestion. It seems like the "right way" to do bitcoin anonymizing.

This is an intersting idea. I'm assuming that to make the coins anonymous, a set denomination needs to be used, and the coin mixing process need to repeated multiple times, preferrably with different, new members, over the network.

I can't really help the OP with this problem, but I hope someone tackles and implements this. Doing a cursory glance there appears to be quite a lot of new work on MPC. e.g.
Secure multi-party computation over networks, Nishitani Y, Igarashi Y 2000

I assume that the point is that Chaum's scheme is for offline cash payments??  His system detects double payments after the fact.

Since bitcoin is inherently online, there is a lot of redundancy in the system.

I agree this is really dumb from a liability perspective and you are asking for trouble IMO.  If you are at The Institute and don't want to spend money on a lawyer, I would strongly suggest you consider talking to Ron Rivest.  He is not a lawyer, but I think he will be able to give you very very helpful advice.  First he is very familiar with anonymous e-cash, as he's studied and published on it.  He's also started two crypto-based micropayment companies (peppercoin and another) so he is likely quite familiar with the relevant laws.  Third, and most importantly, he has first-hand experience in dealing with situations where ugrads get themselves into a world of shit (see charliecard incident).

Now, to be a huge asshole and maybe motivate you more, I'll say frankly I'm not impressed with this.  I bet I could take a uniform random ugrad in CSAIL, hand them a basic description of blind sigs, and they would produce what you did.  Here is what would impress me: do this without any liability by not requiring trust even for you to not run with the money (i.e., let people do this entirely p2p without trusting anyone).  Seriously, think about it before you read the next paragraph, and if you realize how to do it great.  If not I probably wouldn't either when I was a ugrad, so here's how to do it.  Unlike blind sigs, even with this description there is quite alot of work to go from idea to reality.

---

What you are basically providing is a protocol where N people can submit bitcoins to an address under your control, and then you will spend them back to N different addresses without knowing the mapping.  First observe people don't need you at all for this, because bitcoin supports multi-in, multi-out TX.  So N people can do this without you.

Attempt 1:  N people who want to mix coins get together and build a TX.  We get together in a circle and, starting from a blank piece of paper, pass it around the circle, each step adding our input and our output to a random location.  After it has been passed around once, it gets passed around again.  This time, assuming my input and output is still there, I sign the tx and pass it on.  If everyone signs it, it is broadcast and we're done.

Problem: This is entirely secure from outsiders, but leaks information to other participants.  E.g. if you are first in the circle and I'm second, I know your input/output mapping.  Similarly if you're last and I'm second-to-last.

Corrrect solution:  Realize what you have is basically a protocol for N+1 participants, where one is a trusted third party to do the input/output mapping.  There exists a generic transformation, called Secure Multi-party Computation that takes such a protocol and eliminates the trusted particpant to yield a cryptographically sound protocol performable by the N parties.  More precisely, for any function f, N people can compute f(x1,...,xN) without revealing their xi.  At the end each party only learns about others' input by what is revealed from f() itself.

So here the setting is xi = (input_i, output_i, secretkey_i, random_i) where input/output are desired addresses, secretkey is the ECDSA key for the input, and random_i is enough random bits to specify a random permutation perm_i on [N].  The output is the following TX, signed by all parties.  Let perm = perm1 o perm2 o perm3 o ... o permN.  Note that if even a single person chooses his permutation at random, then perm is a uniformly random permutation.

inputs: input1, input2, .. inputN.
outputs: output_perm(1), ..., output_perm(N)

Note at the end, all I learn is the inputs, outputs, and that in the overall perm my input was matched to my output.  In particular, the input:output mapping is a random permutation conditioned on knowing the value at one point.

Now that would impress me, and many others too.  In particular existing MPC protocols are likely not practical.  You will likely need to do some work studying the work on 2PC that has been done since the 80s to make it practical.  AFAIK not much has been done since the original defn in [Yao 82] to make general MPC practical.

It's also possible that there's a way to make the paper-passing protocol secure with many more rounds that involve adding garbage addresses and removing other peoples, only to have them add a new one back later.  It seems tricky to get privacy and get something like this to eventually converge, but I can't rule it out entirely so wouldn't dismiss it yet.

Oh, absolutely. I'm still looking for a lawyer who is comfortable with both IT law and financial law to give me an on the record consultation.

To go back to your actual laundromat analogy: consider if a criminal buy a bunch of dirty clothes at Goodwill with his dirty money and then washes them at a laundromat. He sells them to someone who is unaware of the origin of the clothes because they are now clean and whiter (assume the criminal used bleach ). The laundromat would not be "on the hook" for money laundering because they never handled "actual money". I believe this is analogous to bitcoin anonymizers.