Topic: Coin Validation misunderstands fungibility and could destroy bitcoin - page 3. (Read 29316 times)

How do we get Adams suggestions before the people who can make it happen?

-Burger-

He probably is spinning PR or focusing on short-term implementation plans to avoid discussing the longer term plans discussed in the article.  If you read it with the PR-interpretation mindset its not so good.  

Whatever his intentions, he is not thinking through the implications or just selfishly doesnt care for quick buck reasons,  I dont know him so I cant tell.  Either way I think this will not end well.  I've been in the privacy tech / crypto business for 15 years, its quite common to encounter and have to navigate around people of all stripes: well meaning, neutral, dont care, and anti-privacy.  Even the ones that are neutral or well meaning often dont think about the long or even mid-term implications of what they are doing.  Thinking about implications is complex, requires concentration, deep understanding across many fields, and may conflict with short term objectives (ie rush something ill-thought-out but  "pragmatic" to get something out the door).  Sometimes making a buck even conflicts with user interests, or even the survival of the system.  Some of these people might even show concern and genuine remorse afterwards when it predictably blows up (to their genuine surprise because they didnt think more than the first chess move.)  Most probably though they'll be onto their next venture and pretend it never happened or more likely not even make the connection between their actions and the outcome.

The technology space is littered with implications from ill considered decisions.  Eg web pages are not signed, and jscript is not signed; a single server key is used for combined tunnel auth/encryption but no transferable signature on the content.  So people can hack servers and modify and replace code and steal eg jscript bitcoin wallets.

These things matter because architecture defines the internet.


So first they want to identify clean addresses (from the forbes article).


And then they want to distance themselves from clean addresses (from reddit).

So whats a clean address?  Its one that according to them has not got taint on it according to some threshold they decide against some blacklist.  Seems squarely what we are talking about.
Thats my interpretation.  Waters or the other people at CoinValidation are welcome to clarify.


The KYC part yes, the clean coins I am not so sure - they really do seem to think longer term that tracing coins is somehow a useful thing to do, which can only harm fungibility.  We may need a priority deployment of CoinJoin option into multiple clients before they get far with that.

DarkWallet could probably do with some funding help also.

Adam

Its a subtle point but there should ideally be two layers. 

A. Coin layer, the coin is anonymous and fungible (like zerocoin if they can get the CPU & storage efficiency and another issue fixed). 

B. User layer: the users send each other encrypted transactions for commercial sensitivity and user privacy, within the encryption the users identify to the degree they choose, if any.   If the recipient is a regulated, it asks for AML/KYC level identification.

Bitcoin is not so far able to meet this normal ecash design.

Bitcoin is cutting edge, the blockchain design is an elegant all-new design to handle double-spend protection for distributed ecash.   But it lost some crypto ecash features of fungibility via cryptographic blinding (Chaum) because they are harder to do in a distributed system.  As close as we have so far is the ZeroCoin proposal of Matthew Green & Ian Miers which improves on a 1999 paper by Sanders & Ta-Shma.

It is very complex to improve bitcoin features, to do it with practical efficiently, and to get them implemented securely, tested as rigorously as a jumbo jet autopilot, and deployed.  There are hard cryptography problems.  People are working on it as hard and as fast as they can, most of them volunteers but enthralled by the new possibilities bitcoin enables for society, with smart-contracts, user self-determination etc.


I think you have been reading too much David Brin    While corruption is bad, as Assange says, there should be transparency for the powerful, and privacy for the weak.  Current financial systems have the reverse.

In fact a further future, smart-contracts (that bitcoin includes an early version of) should allow rules to be apriori enforced.  This is because smart-contracts act like a scrupulously honest virtual AI that always follows the rules and cant be influenced.  Technically its just that all recipients of proceeds of contracts, and he network itself validate the transactions before they rely on the money.  But its a very powerful effect.  Mike Hearn made a presentation on smart contracts www.youtube.com/watch?v=mD4L7xDNCmA

I do think in principle we could build a future with less systemic risk, less scope for fraud with more sophisticated smart-contracts apriori enforcing rules.  It is better to prevent a crime than occasionally catch these people, and mostly they are smart-enough and connected-enough to avoid sanctions anyway.


Or strong legal protections and government funded support for whistle-blowers.  Whistle-blowers of corporate and government crimes should be lauded as heroes.  Take Snowden: should be nominated for Nobel prize, not grounded in Russia.


I think investigation should work as at present.  Subpoena people and businesses the criminal interacted with to track down.


Typically the user can keep receipts and present them afterwards in event of dispute or to prove what happened.

Adam

It's semantic pedantry but it's still fact. Private information is your name, address, social security number, or whatever you don't want everyone to know. Secret information is a level higher than that. People will kill each other to protect secret information because the level of seriousness is higher.

Usually when you have networks of people in authority keeping secrets you have corruption of whatever that institution is. That is because you cannot vet anyone without a background check and you cannot trust anyone who has secrets. If a human being is in a position of authority then secrecy is risk.

While we don't need to know exactly what was transacted it's a good thing that we can see the movement of money. If a lot of people give money to a particular address that is something which should be known to anyone. We don't have to know who they all are to know that.

Personal information is your identity. Public information is a lot of people who use Bitcoins like to buy books. Private information is the particular books that you chose to buy. If you don't want the world to see what you chose to buy then you need pseudo-anonymity to mask your email address, personal information, etc. It is still important for a society to know that certain books are popular without knowing which individuals are buying the books.

Um, whatever you want to believe, then.

No they are not logical opposites. Secrecy is the opposite of transparency. Privacy is not the same as secrecy.

Transactions should be private but not secret. If an investigation takes place it should be possible to follow a money trail. If there is secrecy in a system such as then then the secret money would have to show up somewhere.

So if politicians start dressing nice and driving in brand new cars, living beyond their means, then of course it's reasonable to consider the possibility that they could be taking a bribe. If you were a journalist trying to uncover all this then secrecy wouldn't help you. If information is private but not secret then it can be uncovered if you interview the right people or ask the right questions, but as a considerable enough cost that it couldn't be a situation where everyone is investigated by a machine.

At the same time most of us don't want to be associated with corrupt social networks, but that has nothing to do with fungibility. If Bitcoin is not fungible then you have dirty and clean Bitcoins and that cannot work. If Bitcoin is fungible then it means we don't have to care where our Bitcoins come from and this is a necessary requirement for Bitcoin.

This is not about crime, nor identifying perpetrators, its about fungibility, they are (perhaps surprisingly) orthogonal payment system properties.


An electronic cash system, must have irrevocability, which as we discussed here is how bitcoin can achieve low cost and efficiency relative to credit cards & paypal.   Coin anonymity is necessary for fungibility, but that is strictly about fungibility, identity level privacy is separate.

Bitcoin makes attempts to achieve irrevocability via blockchain hardening (so it is expensive to undo or change the transaction) and also via using fresh addresses to add coin-level anonymity.  CoinJoin and mixes are technical solutions to improve on just using fresh addresses.


However that does not mean the user is anonymous.  The user is identified  because they have an identity, they interact with multiple coins and identify themselves to businesses.  Police investigators can ask normal businesses they interact with to identify them.  And users identify themselves via street address for delivery, IP address (unless using Tor), username/password on web site, and email address for receipt, bank account for exchange, AML/KYC identities at the exchanges, geo-location of their smart phone, IP address log of their DSL connection, and (without CoinJoin) because their payments link different addresses when a transaction is made using multiple coins, and change is given.

The bitcoin user is far from anonymous.  The full transaction log is public.  (Bitcoin really is not that private nor anonymous: if someone offered to make your bank account or credit card statement as public as bitcoin does we would be angry about it.)

As I said in the original post:


Now in an ideal world how it is supposed to work is the fungibility/anonymity is secure like zerocoin.   And identity is managed between people sending and receiving bitcoin.  Many variants are possible:

1. public (everyone can see amount, and sender/recipient addresses - current bitcoin)
2. private (encrypted so only recipients see value and address information)
3. private but identified (encrypted between recipients, but recipient and/or sender is identified)

I prefer user choice of 2 or 3. We use SSL for web commerce for a reason, confidentiality of the transaction, and bitcoin does not encrypt transactions.  It means only parties to the communication see the value and decide what level of identification they want if any.  This supports buying ebooks without a dossier of what books you read.  Its no ones business.  And it supports AML/KYC for large for regulated businesses.  And identifying the customer account so the business can account eg with repeat customers.   And it supports criminal investigation also.  The police go subpoena information from businesses the criminal interacted with to track him down.  Same as in real life.

(This is what committed transactions try to do, though it so far has inefficiencies for SPV, and has imperfect privacy as people on the transaction see previous transactions; however it is much more efficient than zerocoin.)


The problem with Coin Validation arises because bitcoins coin-level fungibility/anonymity is imperfect, so it is somewhat possible to correlate users via coins.  It depends if the user follows technical advice, what wallet they use, and if they use coin privcacy enhancing tools like coinjoin.
There are two approaches: cryptography like zerocoin/committed tx; and stirring coins together like coinjoin and mixes - so their whitelist attempts see a jumble of spagetti and reject all transactions and so are ignored.  CoinJoin works now the others are future projects.

Bitcoin identification is also adhoc.  However any regulated bitcoin processor asks for AML.  Most business sites will have an address for delivery, an email for a receipt, an IP address from the web, cookies linking to other sites.  Hence my suggestion to them: issue AML certs in their jurisdiction that the user can show when requested its the sane way to do it within the architecture of an ecash system without destroying its fungibility and hence destroying the currency itself.

(btw fungibility to the other reader, has a second standard meaning: that each coin should be considered equal value).


I hope contrarily that to quote John Gilmore the internet views Coin Validation as censorship and routes around it.  Meaning the coin graph is stirred to a blur via coinjoin integration in all major clients, or Matthew Green & Ian Miers figure out a faster zerocoin or something else figures something else out.

Please do not feed the "oh but the criminals" meme.  We're not encouraging or facilitating crime.  Before it was shutdown silk road accounted for < 1% of transaction volume/month and falling.  Paper cash has worse statistics and is less traceable.   HSBC laundered $880m of dirty money for drug cartels and worse, and walked away with a fine, no sanctions.  http://www.reuters.com/article/2012/12/11/us-hsbc-probe-idUSBRE8BA05M20121211  

We just want an efficient fungible payment system that works without the reputation (equifax etc) costs and revocability (credit card charge backs, paypal freezes etc) that come with credit cards and paypal.   Do NOT invite currency destruction via fungibility attacks it WILL pull the costs up to credit cards and paypal levels.

Adam

This is what I thought too, but now I am looking closer and it appears that Forbes may have misrepresented the tech. Read Alex's reddit posts from the previous day: http://www.reddit.com/user/alex_waters :





It is beginning to sound a bit more like what you proposed Adam.

adam3us - I know you'll be flooded with replies, but I just wanted to say THANK YOU. You have perfectly encapsulated why Coin Verification is a bad idea, and I'll do my best to protest this and boycott the individuals and their associated businesses.

Mike Hearn, Yifu, etc.. you should be ashamed of yourselves for trying to undermine the core tenet of Bitcoin - FREEDOM.

They're the logical opposite of one another. The likely answer is, not with this design.

All of these sorts of reactions only will make the situation worse. Darkwallet is not a solution, it's a patch.
We have a legitimate requirement for transparency and the ability to investigate the blockchain.

Whether it's journalists trying to uncover corruption, or law enforcement, or members of a community trying to determine whether or not to vote for certain politicians. If we do not focus on solving the problem of institutional corruption then Darkwallet will be used by the corrupt institutions to maintain their corruption.

The same technology you build for anonymity to be used by you could also be used by the people in power to control you through corrupting your community with bribes and other tactics. So no I don't think Darkwallet will fix anything. It does produce greater privacy but it also removes the ability to follow the money trail which enables and helps the corrupt individuals already in power.

If a law enforcement officer is corrupt and taking bribes behind the scenes I'm sure Darkwallet will be what they'd use. We need the ability to apply sousveillance to follow the money trail to the corrupt police officer so I'm on the side of transparency.

But I'm also on the side of privacy. I don't think every coin should be subject to scrutiny. I don't think every transaction should be carefully analyzed by law enforcement to determine whether or not a crime took place. The reason is that if you allow that then whoever has enough power to hire private investigators can simply watch their political enemies until they commit a crime and then the private investigator can pass the evidence to law enforcement.

So we must care about privacy to protect the community from fishing expeditions but we also have to care about transparency to protect the community from institutionalized corruption, hackers, scams, etc. We need a balanced approach which attempts to solve the problem while upholding both of these critical ideals.

Darkwallet is good for hackers, for corrupt politicians, cops, and perhaps some paranoid individuals, but it can also be abused if taken too far. Balance is necessary.

A blacklist need to have a threshold, otherwise it's meaningless (you could distribute taint to people you don't like, if you happen to have tainted coins). If the percentage of taint is below a certain level, you can't really consider that input as linked to the originally tainted output.

And concerning the fact that most mixers would contain mostly tainted coins, even if that becomes the case, they would still be able to cover tracks.
Let's say a non-violent, honest individual does something perfectly ethical but which governments tend to punish, like, say, not paying taxes, selling cocaine or whatever. If governments manage to identify a particular address as participant in a particular "made-up crime", they'll taint it for that reason. If the said individual mixes his coins enough, even if in the end he gets lots of tainted coins still, the original reason his coins got tainted for is practically lost. Yes, there may still be lots of tainting in his coins, for many different reasons, what indicates with a decent probability that he did something the government does not approve. But you can't really know what. Legally, they can't hold anything on him, other than the fact that he probably tried to cover his money tracks. Yeah, perhaps they can criminalize that with some scary wording like "money laundering". But, well, if wallets do it automatically on the background once in a while, it would be hard to criminalize it.

Also, there would probably be multiple different blacklists. Victims of one particular blacklist have an interest in working together with victims of other blacklists in order to mix their coins. Assuming the place you want to spend your coins block coins from blacklist A but not blacklist B, exchanging your taint from A to B would make you clean.

Further on, from an tyrannical surveillance POV, blacklists don't easily allow a government to know everything you do with your money. Whitelists allow them to track each little spending of yours. When they control your money, they control you.

Anyways, I'm not trying to say that blacklists offer no danger and that people should not try to fight them, quite on the contrary. I'm just trying to point the fact that it's easier to work around them, when compared to whitelists. Mandatory whitelists could render the Bitcoin payment network almost as awful as credit cards. We'd still have an inflation-proof currency, what's great, but the payment network value would considerably decrease.

I'm not sure that this is possible in the way I'm presenting it without a change to the current mining protocol. There are sensible reasons to prevent it, as it creates a market for miners to accept personal vendettas against certain addresses, which is precisely the mechanism I'm arguing for. But in the name of only targeting the clean list.

Perhaps it might be possible to query all public Bitcoin nodes to see which addresses they are blacklisting. Then at least you can identify who is blocking you. The truth is that all solutions to this problem are a compromise, we're working with an information system here, and for it to be in any way useful, it must permit misuse as well. Storing non transaction information in the blockchain being just one example of misusing the innovation, people always worked around any attempt to stop it, so Gavin Andresen moved to standardise it instead.

I like your idea Carlton, get the miners to stop it in it's tracks. I bet Xperian and Equifax are salivating at Mike Hearn's suggestion.

after reading the forbes news report and then investigating coinvalidation themselves.. i have come to this conclusion

never take whats written on the news as gospel.. (a lesson i learned way back, but recently got reminded)
secondly, there is alot of hysteria without much investigation by people.

so here it is short ans sweet.
coinvalidation are not government. they cannot freeze, seize funds
coinvalidation are just business advisors with a data base.
coinvalidation cannot make it a requirement to use their service. they are a business. people are free to choose to use it or not.

now lets talk about this database.
this database will not store every public key and eventually link it to users.
it will however list pubkeys of businesses that are fully fincen compliant and also seek out to list blackmarket addresses, again i highlight businesses not personal keys.

think of it like a santas "naughty or nice list" for BUSINESSES not individuals.

coinvalidation is not seeking to get every USERS identification , much like the government does not request everyone to write their name and zipcode on every bank note they spend. all its for is to increase the ability to see the source of funds. much like banks look at serial numbers of bank notes to see if they come up with flags that funds once got blacklisted/marked as part of a drugs cartel blackmarket

EG have funds come from a compliant exchange, or a blackmarket recently.

how will businesses use coinvalidation services.
(a) alpaca socks shop wont need to check TXID for its origins as they only accept small amounts, meaning low risk and no need for the AMLKYC stuff
(b) real estate agent will check every TXID for its origins due to higher value transactions. and if within 3 hops they notice a legitimate bitstamp address, great no risk. if its silkroad with 3 hops *, then the real estate agency will assess the risks of money laundering and do all the fincen checks required of them and report to fincen if serious crime criteria is met.


parts of finCEN require compliant members to:
do AMLKYC on customers transactig over $10k
monitor for serious crimes.

now a serious crime is NOT selling a dimebag of weed for $20 of bitcoin. a serious crime is a druglord with over $10k of funds for instance. or a murderer for hire, etc etc

so for businesses to monitor serious crimes they need to look out for large amounts of money that come pretty much directly * from drug websites for instance. small amounts like $20-$100 or even $1000 can be weighed up by the business as a low medium or high risk themselves.
*businesses will decide how many hops are deemed high/low risk for validation checks as part of their own policy handbooks

now then
all of this only applies to businesses that have to deal with FIAT exchanging for customers and its purely about sniffing out large transacting serious crimes and tax evaders. so all those businesses that dont do customer FIAT-bitcoin transactions dont need compliance. but businesses that do handle FIAT on behalf of customers do.

so chill out on the hysteria. bitcoin anonymity wont change, infact the FINCEN regulations wot/havnt changed in decades. the only difference is that coinvalidation will make it easier for bitstamp to recognise a 1-2-3-4-or 5 hop TXID as coming from a notorious website to then assess the requirement to report it to fincen.

I think there's a misunderstanding around the use of the term fungible here...

To me fungibility describes the ability of a good to be divided and recombined to the same value... With varying degrees of divisibility and recombine-ability but same term...

This thread somehow confuses governmental violent coercion through white-lists with fungibility... Violent coercion, that is using violent force to get what you want is obviously going to end bad for the person who isn't going to get what they want, or the person who is going to be a victim of violence/jail/etc... In this case the groups utilizing violence to force others into using their products, their coin outputs etc, are obviously going to benefit from that ability...

I should also mention that it doesn't seem like Coin Validation is asking for government force to backup their white-list at this point, but there's an assumption that it won't be long before they likely will.

White-lists might have real market value in specific cases - Market value is determined by a free market though. - A market ceases to be free when a government, or a few individuals who control or manipulate government, use it to force a markets participants to act a certain way.

So this no doubt bad because it looks like Coin Validation is only building towards government backed white-lists - but it shouldn't be called a fungibility issue.

I haven't looked into the details of Coin Validation, but is there some kind of *whole coin* limit, where they want to limit people to use whole coins behind addresses and not any smaller amounts? In this case you can call this a fungibility problem - but I don't think this is the case...

White-listing != fungibility

Thats not so, blacklisting increases the probability that you receive back blacklisted coins— even if you didn't have blacklisted ones going in. This increases the "cost" to you of using this approach, so only outlaws will think it worth the cost, and so you'll only receive outlawed coins while using such a system. It's self-fulfilling once it takes off.  I don't think that things that have cost and take effort and which only a tiny fraction of (more likely than usual to be troublesome) users can really move the needle against efforts like this, or at least we shouldn't count on them to.

Oh but they're not quite the same. Blacklists are easier to work-around. Mix your coins enough and there will be no meaningful taint anymore.

Whitelists, OTOH, are an entirely different matter. Authoritarian governments may force every business in their jurisdiction to only accept money from the whitelist. Everything not whitelisted should be taxed or even seized. That's the real danger.

Since I'm replying to the bright mind behind Zerocoin, I'll use the opportunity to ask: does it make sense to talk about whitelisting Zerocoin transactions/addresses? I confess I tried to understand how your system works, but I'm just too dumb to actually get it.


Whitelists do not need to be public.