Pages:
Author

Topic: Can Coinjoin transactions be traced? Busting Bitcoin privacy myths! - page 2. (Read 2139 times)

member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I feel the need to apologize for my earlier statement claiming that WabiSabi coinjoins have weak privacy. Specifically, I argued that WabiSabi coinjoins have a lower Boltzmann score compared to Whirlpool. However, this assertion was both gravely inaccurate and failed to make a valid point. Calculating the Boltzmann score for a WabiSabi coinjoin is infeasible due to its large transaction size. Even if such a calculation were possible, attempting to match inputs with outputs would still amount to mere guesswork.

I also want to apologize for likely making many statements about WabiSabi without giving them proper thought or grounding. It seems I misjudged due to insufficient study on my part.

This is very humble, I appreciate you approaching the subject again.

I recently gave WabiSabi a try, and I have a question. I joined an input worth ~0.01 BTC using your coordinator, and created two outputs. One of them has an anonymity score of 21, the other has 1.

That seems like an unusual decomposition. It sounds like you were using the BTCPay Server coinjoin plugin?

How is this calculated exactly? If it's joined in the coinjoin, shouldn't it be greater than 1? Does this imply it's possible to determine that the 0.01 BTC input created that specific output with high certainty?

"Anonymity score" is a best attempt to measure the privacy gained from a coinjoin round, but it's extremely conservative in order to handle edge cases. If you got an output with a score of 21, that means that there were 20 other outputs created in that round with the same exact value. If your other coinjoin output kept a score of 1, that means it did not match the same value as any other outputs from the round. Although your unique output was made more difficult to track due to the coinjoin, it's unclear how to calculate the amount of privacy it gains, so the client just assumes it is zero and just remixes the coin. This guarantees that whales who create change will eventually break that change down into amounts that blend in evenly with the rest of the pool.

Anonymity score is also divided by the frequency of your outputs. For example, if you created 2 outputs for 0.01062882 BTC out of 22 matches with the same value, then the anonymity score you receive for each coin would be 11.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
I feel the need to apologize for my earlier statement claiming that WabiSabi coinjoins have weak privacy. Specifically, I argued that WabiSabi coinjoins have a lower Boltzmann score compared to Whirlpool. However, this assertion was both gravely inaccurate and failed to make a valid point. Calculating the Boltzmann score for a WabiSabi coinjoin is infeasible due to its large transaction size. Even if such a calculation were possible, attempting to match inputs with outputs would still amount to mere guesswork.

I also want to apologize for likely making many statements about WabiSabi without giving them proper thought or grounding. It seems I misjudged due to insufficient study on my part.



I recently gave WabiSabi a try, and I have a question. I joined an input worth ~0.01 BTC using your coordinator, and created two outputs. One of them has an anonymity score of 21, the other has 1. How is this calculated exactly? If it's joined in the coinjoin, shouldn't it be greater than 1? Does this imply it's possible to determine that the 0.01 BTC input created that specific output with high certainty?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I have read the whole thread and it seems to me that there is no perfect solution between these options(?)

I suppose not if your standard of 'perfect' is 100% guaranteed privacy with no thinking involved. However, liquid coinjoins using the WabiSabi protocol create a practically infinite amount of results, you can attempt to trace participants yourself: https://mempool.space/tx/70aad1d92dd3fc6ddbd802ed20ed155472a5752126a0c3489b56fde6e4cf801c
?
Activity: -
Merit: -
I have read the whole thread and it seems to me that there is no perfect solution between these options(?)
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Another Bitcointalk user attempted the challenge of tracing a WabiSabi coinjoin:

wasabi2.0 is a waste of money and fee and doesn't protect users privacy

Ok, prove it then: Show me which specific outputs were created from each input of this coinjoin transaction: https://mempool.space/tx/2248a68222cb0aa591cc00b51bbf3dd13df09622cd8d0061ae6c0df48943b0a5

He failed to produce any results Roll Eyes
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
A new challenger has appeared! dkbit98 claims Bitcoin is not anonymous. However, he was unable to trace a WabiSabi coinjoin:

Bitcoin Is Not Anonymous.

Okay, prove it then. Show me which specific outputs were created from each input of this coinjoin transaction: https://mempool.space/tx/d26a197368167f7ed2e57bd7257d9d353131bd5e7a03fcc91c68828edbb2a210
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Unlike coinjoins with a fixed output size chosen by the coordinator, WabiSabi coinjoins organize output amounts optimistically from the client side. When creating huge rounds with lots inputs, it's easy for clients to match their output amounts with each other. With smaller rounds, the efficiency decreases. For this reason, the default coordinator in Wasabi Wallet requires at least 150 inputs for a round to begin, but other coordinators may require lower input minimums. For example, this WabiSabi coinjoin only has 40 inputs: https://mempool.space/tx/9709771a2dc9a1343327776a1f52e6ae75adb981cabdab449408099d5851baf2
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Whoever stood for the childish arguments Kruw had back then looks pretty silly now when you have Kruw himself running an uncensored coordinator, which is doing the exact opposite of what he said himself, which was that Censorship is the morally correct thing to do.
Oh, yes. The censorship chapter of this saga, unending. "You shouldn't coinjoin if you're a criminal" <-- they've literally said that. If you read that post, you can see Max arguing that Bitcoin is permissioned, and you can send "bad coins" only if you own hashrate or bribe a miner. And we're supposed to trust the skills of these clowns.

Oh, and since I've sent you to that post already, read my favorite part:
Quote
There’s a lot of nuance here, but in general what we can say is: yes—that is another precedent that UTXOs are not fungible, that there is metadata associated to UTXOs that are outside of the consensus implementation. And that’s just super difficult because now you’re gonna have different surveillance companies that have different blacklists and different risk scores associated to it. And now you have competing soft forked clients, basically, that reach a different consensus of which coins are good and which coins are bad. And well—there’s no solution to it.

There is no solution to which coins are good and bad, but let's buy chain analysis crap data and grant them control over who gets to coinjoin and who doesn't.  Grin
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
At this point, any body who reads a discussion in which Kruw has participated and decides Kruw is to be trusted deserves the future consequences of their own stupidity.

You don't have to trust me.

We both know Wasabi is NOT to be trusted and I would definitely have many other options over it.

You don't have to trust Wasabi. It's trustless open source software.
legendary
Activity: 882
Merit: 1873
Crypto Swap Exchange
Aren't you tired already from playing it stupid? I mean, Jesus. Do you think the viewers of your discussions can't tell you're one big hypocrite?
At this point, any body who reads a discussion in which Kruw has participated and decides Kruw is to be trusted deserves the future consequences of their own stupidity.  Such as nodding their head in agreement to Kruw back when he pointed fingers at us for arguing against Censorship.  Whoever stood for the childish arguments Kruw had back then looks pretty silly now when you have Kruw himself running an uncensored coordinator, which is doing the exact opposite of what he said himself, which was that Censorship is the morally correct thing to do.

We both know Wasabi is NOT to be trusted and I would definitely have many other options over it.  Hell.  I would rather trust a Centralized Exchange which says up front that they impose Know Your Customer than some body like Kruw and the Services he advertises.  Particularly when equal or better competitors to Wasabi always get a spit in the face from Kruw with no reason when ever he gets the chance to do it.  I like people being up front.  Particularly when I decide whether to choose their product or not.  Tell me you arbitrarily ask for Know Your Customer and I will be an idiot if I drop my money thinking I will not be asked for it.  But when I ask a question and it always gets derailed, how the hell am I supposed to trust?  When Wasabi claims to be THE solution for Fungibility while differentiating one Bitcoin for another and THE Wallet for Privacy while imposing Censorship, which is very 1984 ish, how am I supposed to trust their product?

I forgot.  'Wasabi is TRUSTLESS!'.  Sure.  How dare I even THINK about trust.  I completely forgot their stance was different.  More like, ignore the red flags, shut up, close your eyes and hand us your Money.  Do not ask questions, or else you are an idiot.  And a Scammer, too.  And probably an Alt of Samourai.

Like I previously said.  Kruw could do astonishingly well as a Politician considering the expertise of avoiding any legitimate question, derailing discussions and talking about apples when asked about pears.  This is a skill no body wants but he proudly showcases at all times.

-----

Yes. Why can't you answer that question?
Why can you not answer so many questions and always answer only what is convenient?  The glasses, Kruw.  We are back to where we started, they are either dirty again or you need to get your eyes checked because they seem to skip so many questions all the time.  I am starting to get really worried!
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
You're really asking me to answer why I would rather use Whirlpool over WabiSabi

Yes. Why can't you answer that question?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Aren't you tired already from playing it stupid? I mean, Jesus. Do you think the viewers of your discussions can't tell you're one big hypocrite? You're really asking me to answer why I would rather use Whirlpool over WabiSabi, after all been said for the last two (or three?) years?

Literally everything in these questions has been answered in the past. Anyone still trying to figure out those answers can just use a search engine like ninjastic.space. The tl;dr is that Wasabi is a clown fest. I'd rather not engage in discussions about it anymore, if I may. I think I deserve this. There really isn't anything more to say.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Personally, I combine toxic change with other toxic change where lack of privacy is minimum.

Why not use WabiSabi instead of Whirlpool so you don't have toxic change and have no lack of privacy at all?

You do not consolidate your private coins in the the coinjoin, but after it, using a mix partner.

If you are using a second coinjoin to solve the privacy flaw of the initial Whirlpool coinjoin, then why not just perform a single coinjoin that doesn't have the initial privacy flaw so you can cut through these two transactions?

Completely irrelevant and debunked already: https://bitcointalksearch.org/topic/m.63120005.

2 - Tx0 clearly pays the coordinator, and this output is easily identified. The privacy of Whirlpool coinjoins does not depend on this fee payment being secret. It does not matter if you and I both pay to the same coordinator address - there is zero loss of privacy.

So the Whirlpool coordinator's output is easily identified. That's unfortunate...

Let's compare this privacy loss in Whirlpool to a WabiSabi coinjoin where the coordinator fee adds to the anonymity set: Which output is the coordinator fee???  https://mempool.space/tx/74254011886f8bcbc19269030a07d3e63cee242492f7a32818152e51995e6d31

Still waiting for the answers to all of these questions.
jr. member
Activity: 46
Merit: 29
If 5 out of the 6 equal sized outputs created in the coinjoin end up remixing as makers in the future while the remaining equal sized output is spent in a unique way, the first guess someone would make is that the output that didn't remix was created by the taker. But, this is still a guess and not a 100% guarantee since the taker could have switched roles to become a maker, or a maker could have decided to stop remixing and spend their coins. So, you could have scenarios where all 6 of these outputs remix, or all 6 of these outputs are spent, or any combination in between.

You are right you could argue that the maker or the taker switch their roll between coinjoins but joinmarket and whrilpool still would give a false sense of a higher anonset then it leads to believe. So it comes off as the makers being almost pointless and making the transaction fees not worth the effort. IMO I think wabisabi is a much better coinjoin system since all inputs are takers with unpredictable output spending. Wabisabi gets a bad rep for blocking certain UTXO's but I think this is a good thing because coinjoining with sanctioned UTXO's will label all UTXO's in the coinjoin as sanctioned.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I thought joinmarkets were still pretty easy to unmix.

When you look at a single JoinMarket coinjoin, you can often (but not always) determine common input ownership for the participants and track their change. However, this isn't a limitation that ever requires you to compromise your privacy because you can use the taker role to construct a coinjoin where you have only one input and one (equal sized) output.

Here's an example of a JoinMarket sweep transaction: https://mempool.space/tx/9c6479472e1f3b5861c86bc904d11814e715a84c21aa8d0dd0861e635555451f

You can tell this is a sweep instead of an outgoing payment because there are 9 inputs, 9 equal sized outputs, and 8 change outputs that can be easily connected to maker inputs. The taker's input was from bc1q2pcrqv8jshjalxdan9hdm6qsh0njtm7jxydct9, but there is no trace of his output since it could be any of the 9 values for 0.03846033 BTC.

This is the same problem with samurai wallets whirlpool right?

Yes, common input ownership and toxic change are the same problems inherent to Whirlpool coinjoins as well. The main advantage JoinMarket has to defeat this problem is ability to coinjoin arbitrary amounts, so your toxic coins never have to touch each other. Whirlpool is limited to coinjoining fixed amounts (0.5, 0.05, 0.01 and 0.001), so every transaction you send or receive will require you to forfeit up to 100k sats in unmixable change in order to keep full privacy.

The second advantage JoinMarket has over Whirlpool is that Whirlpool cripples the privacy of users by requiring a premix "tx0" transaction. The premix conclusively reveals all the consolidated inputs are owned by the same person and links it with toxic change that can be tracked in future transactions.

JoinMarket mitigates this privacy leak by skipping the premix transaction and consolidating inputs directly in the coinjoin transaction. Here's an example of a 5 person JoinMarket coinjoin that consolidates 297 inputs: https://mempool.space/tx/63b28f5e17e03fef27795e1ea7fbf821e2d5f072098ffcef3d27b8b2d23ca719

This makes it difficult to determine which inputs belonged to the participant that created the 33677 change output and which inputs belonged to the participant that created the 44384 sat change output.

If theres only 1 taker and for example 5 makers in a joinmarket coinjoin it should be pretty easy to unmix them if you watch to see which output get used as inputs for more coinjoins then they are makers and if you can determine which outputs were makers then you can determine which output is the taker by process of elimination.

If 5 out of the 6 equal sized outputs created in the coinjoin end up remixing as makers in the future while the remaining equal sized output is spent in a unique way, the first guess someone would make is that the output that didn't remix was created by the taker. But, this is still a guess and not a 100% guarantee since the taker could have switched roles to become a maker, or a maker could have decided to stop remixing and spend their coins. So, you could have scenarios where all 6 of these outputs remix, or all 6 of these outputs are spent, or any combination in between.
jr. member
Activity: 46
Merit: 29
- Can JoinMarket be traced?

Not as a taker. Since takers choose the equal value output size, they can make anonymous payments or anonymize their change at any time without trusting anyone. Fidelty bonds help protect takers against makers performing Sybil attacks.

I thought joinmarkets were still pretty easy to unmix. If theres only 1 taker and for example 5 makers in a joinmarket coinjoin it should be pretty easy to unmix them if you watch to see which output get used as inputs for more coinjoins then they are makers and if you can determine which outputs were makers then you can determine which output is the taker by process of elimination.

This is the same problem with samurai wallets whirlpool right?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Question for experienced JoinMarket users: How frequently do you participate in a remix as a maker?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
LaurentMT confirms that Whirlpool's incentive model was designed to provide the least amount of anonymity possible: https://twitter.com/LaurentMT/status/1783589807668535563
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
This restriction is called “tx0”, it is a self spend transaction prior to the coinjoin that allows the trusted coordinator to custody the fee they charge in order to prevent DoS attacks from being costless. Once the coordinator’s fee is confirmed, they allow the outputs created from the premix tx0 to be added to their liquidity pools.

Some Whirlpool users were rugpulled because they paid coordinator fees in a separate transaction from their coinjoin: https://mempool.space/address/bc1q6dxnvx3wm40e4rtmye6fwy9zmwnqchnz04pzaa
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1

You are 100% correct ordinals has absolutely nothing to do with coinjoins.
Ordinals are filling blocks with transactions that are obviously not coinjoins. And the rest is Crateology.
https://en.wikipedia.org/wiki/Crateology

As I said take out ordinals, take out known TXs, take out what else they know from other services and you have a very small pool of txs moving at the moment.
Keeping an eye on all of them and figuring out what is going on where is a lot less difficult then if all the txs in blocks were 'real' transactions.

You don't seem to understand: Equal output coinjoins from JoinMarket, Whirlpool, and WabiSabi have a distinct on chain footprint that distinguish them from all other transactions regardless of whether those transactions are ordinals or not.

Mempool.space seems to have applied the "Coinjoin" tag to this Whirlpool tx0 transaction as well: https://mempool.space/tx/97a6b985f48c2faf4a3cb7c1e4b5a0ac230fd59aac33723101de9dd144bd735e
Pages:
Jump to: