
Topic: CoinJoin: Bitcoin privacy for the real world - page 14. (Read 294649 times)

donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
At worst it is an exaggerated analogy. The analogy relates to the newness of the technology. Bitcoin is based in math theory and the technology is accessible to all. Just because we have a technology, does that mean everyone should be allowed to use it? Does that go for any technology? How about drug manufacturing? How about explosives? Should anyone be able to do anything they want without restrictions?
legendary
Activity: 1120
Merit: 1152
genjix: Yup. Scaling works out nicely too because the additional CoinJoin traffic will never be more than a small multiple of the existing transaction traffic, so doing all the CoinJoin communication via global broadcast messages is actually reasonable and efficient enough; gives good privacy for that communication. You can also reuse bitcoin age as a limited resource for anti-dos.

It's not as pretty as more clever crypto, e.g. the zerocash project that I'm also now working with, but has the huge advantage that its flaws are easy to understand and predictable. We want diversity in the level of engineering in the solutions we come up with to solve problems; CoinJoin + zerocash are two totally different approaches, and if one day we can use both we're more likely to actually achieve privacy.
legendary
Activity: 1400
Merit: 1013
Showing a brother he is going the wrong way.

https://bitcointalksearch.org/topic/m.6959794
Let's see.

I think dark cryptocurrencies are too powerful a tool for our civilization in its current state. Governments must use whatever means necessary to control its development for the safety and security of law-abiding citizens.

The problem here is that you don't know the difference between reality and projection. Your apocalypse fantasy (bitcoin=plutonium) is something you should be talking about with a therapist - it has nothing to do with Bitcoin.
legendary
Activity: 1232
Merit: 1076
maaku, the mixers are connected through a p2p protocol so anyone can set one up, however I think the idea (according to Peter Todd) is to use the Bitcoin network as a mixnet.
I don't think we can use ring signatures unless bitcoin adopted ed25519... or am I mistaken?
also it can scale >2 participants, because you do multiple rounds (share outputs, share inputs, give signatures).

cbeast, self-censorship is why threat is so effective. the real people who will adopt our tools won't be yuppie students buying coffee at the bar, it will be new digital black markets & we market to them. the tools go beyond mere payments into governance, markets and new forms of association between humans. the effect is deeper. bitcoin is more than a payments innovation despite what others want to make us believe. I'm not shuffling its massive potential under the carpet through fear of retribution and spending my time making Facebook apps.
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
Showing a brother he is going the wrong way.

https://bitcointalksearch.org/topic/m.6959794
legendary
Activity: 1232
Merit: 1011
Monero Evangelist
legendary
Activity: 905
Merit: 1012
Sharedcoin is a blockchain.info product. You can read about it on their website, but I don't think it was based on any external design, just a mixing service cooked up by one of their engineers.

Darkcoin and darkwallet also have nothing in common either. Despite co-opting the name, darkcoin's darksend doesn't appear to have anything to do with coinjoin. Their description and illustration in their thread shows some sort of centralized mixing service (more akin to sharedcoin), and indeed their distribution mechanism involves a reward for "masternodes" which perform the mixing with these fresh coins. It would be nice if someone from that project could chime in here and explain just what it is trying to accomplish, because the available technical descriptions are scarce and contradictory.

Darkwallet does indeed implement coinjoin, albeit using a centralized matchmaking service to setup the mixes. I have been informed by the developers that this is a temporary mechanism and they are working towards a fully p2p solution. They do not use the blind signing or ring signature mechanisms which are required to scale to more than 2 participants without revealing ownership of outputs.
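An added example, not part of the original posts and not code from any of the projects discussed: a minimal sketch of how blind signing lets a coordinator authorize outputs in a join with more than two participants without learning which input owns which output, following the rounds mentioned earlier in the thread (share inputs, share outputs, give signatures). It assumes Chaum-style RSA blind signatures; the toy key, the `Coordinator` class and the `in:`/`out:` labels are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy coordinator RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(output: str) -> int:
    """Hash an output address to an integer mod N."""
    return int.from_bytes(hashlib.sha256(output.encode()).digest(), "big") % N

def blind(output: str):
    """Participant: hide H(output) behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(output) * pow(r, E, N)) % N, r

def unblind(blind_sig: int, r: int) -> int:
    """Participant: strip r to obtain an ordinary signature on H(output)."""
    return (blind_sig * pow(r, -1, N)) % N

class Coordinator:  # hypothetical matchmaking server
    def __init__(self):
        self.signed_inputs = set()  # at most one blind signature per input
        self.seen_blinded = []      # everything the coordinator learns in round 1

    def sign_blinded(self, input_id: str, blinded: int) -> int:
        if input_id in self.signed_inputs:
            raise ValueError("input already used for a signature")
        self.signed_inputs.add(input_id)
        self.seen_blinded.append((input_id, blinded))
        return pow(blinded, D, N)

    def accept_output(self, output: str, sig: int) -> bool:
        # Round 2 arrives over a separate anonymous channel: no input_id attached.
        return pow(sig, E, N) == h(output)

def run_round(pairs):
    """pairs: list of (input_id, output). Returns (coordinator, [(output, sig)])."""
    coord, tokens = Coordinator(), []
    for input_id, output in pairs:
        blinded, r = blind(output)
        tokens.append((output, unblind(coord.sign_blinded(input_id, blinded), r)))
    secrets.SystemRandom().shuffle(tokens)  # outputs are submitted in unrelated order
    return coord, tokens
```

The coordinator can check that every submitted output carries its signature, and that it issued only one signature per input, while the blinded values it saw in round 1 tell it nothing about which output belongs to which input.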
legendary
Activity: 1232
Merit: 1011
Monero Evangelist
maaku: Thank you very much. SharedCoin is based on what technology then?

All: As it's basically the same, any reason why DarkCoin's DarkSend is attacked as insecure, but DarkWallet is not?
legendary
Activity: 1232
Merit: 1076
kinda sad darkcoin isn't implementing ring sigs
masternodes are coinjoin servers where miners must pay tax
i'm interested to understand how that differs to federated darkwallet gateways
still, all power to drk... 4th crypto now
legendary
Activity: 905
Merit: 1012
Greg has nothing to do with sharedcoin (and sharedcoin has little to do with coinjoin).

To your question, read the op. This whole thread is a description of how to do decentralized, trustless mixing.
legendary
Activity: 1232
Merit: 1011
Monero Evangelist
http://sharedcoin.com/ is trustless centralized CoinJoin by Greg Maxwell.
Darksend in DarkCoin is decentralized CoinJoin by Evan Duffield.

Haters/FUDers/trolls hate on DarkCoin saying it's insecure because bad actors like Governments could run many Masternodes.

Leads me to the question:

Is decentralized trustless CoinJoin possible?
legendary
Activity: 2856
Merit: 1520
Bitcoin Legal Tender Countries: 2 of 206
It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?
As hard as it is to believe, people other than me do occasionally have really good ideas. :) ... (No, I'd only heard about it a couple months ago and looked into it in depth until the last week). I think all these altcoins are horribly ill-advised in their altcoinness. You're in the wrong subforum and thread if you want to talk about cryptocurrency speculation— my interest here is just in the techniques— and I'm not going to credit some random code aping fork for other people's work when talking about them.

(In case anyone had the impression that I thought bytecoin was all love and wonder: the implementation is currently really immature and somewhat buggy— and perhaps not likely to improve if its authors are now getting voted off the island in a fork. The POW is very slow to validate, and seems generally ill-advised to me (see https://download.wpsoftware.net/bitcoin/asic-faq.pdf), the adaptive blocksize stuff seems dangerous and the coin burning excuse for it can't work as expected in the long run since miners can get paid out of band, ... but the privacy design is very good, though even there it's incompatible with pruning (but so is everything else). Of course, all these concerns also apply to forks that just aped the code.).


Did you have the chance to get a look into Darkcoin, too? Thank you!
jr. member
Activity: 56
Merit: 1
Looking through the white paper, it seems like ring signatures don't actually sign the bytecoin transactions, they only sign the inputs.

I wonder if anyone with an expertise in ring signatures has reviewed the paper, it's a little out of my comfort zone.
staff
Activity: 4284
Merit: 8808
It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?
As hard as it is to believe, people other than me do occasionally have really good ideas. :) ... (No, I'd only heard about it a couple months ago and looked into it in depth until the last week). I think all these altcoins are horribly ill-advised in their altcoinness. You're in the wrong subforum and thread if you want to talk about cryptocurrency speculation— my interest here is just in the techniques— and I'm not going to credit some random code aping fork for other people's work when talking about them.

(In case anyone had the impression that I thought bytecoin was all love and wonder: the implementation is currently really immature and somewhat buggy— and perhaps not likely to improve if its authors are now getting voted off the island in a fork. The POW is very slow to validate, and seems generally ill-advised to me (see https://download.wpsoftware.net/bitcoin/asic-faq.pdf), the adaptive blocksize stuff seems dangerous and the coin burning excuse for it can't work as expected in the long run since miners can get paid out of band, ... but the privacy design is very good, though even there it's incompatible with pruning (but so is everything else). Of course, all these concerns also apply to forks that just aped the code.).
hero member
Activity: 532
Merit: 500
Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!
Yea, the Bytecoin/Bytecoin thing caused me to not notice it for a long time.

The cryptographically interesting Bytecoin has a reasonable whitepaper: https://bytecoin.org/old/whitepaper.pdf Some of the things it does appear to be pointless or ill-advised to me and I would have counseled otherwise— but as far as the privacy aspect goes, the ring signature approach appears top notch. The privacy depends on the decisional DH problem, so perhaps you could argue that its privacy has a slightly weaker cryptographic story than the basic discrete log stuff (computational DH) but in the curve they're using it's believed to be equally strong. In any case, anything that has reduced the privacy question to asking about cryptographic assumptions has gone pretty good.

Sorry for the OT tangent here. Though there may be some good bitcoin-relevant privacy things to mine out of the bytecoin design.



It's hard to believe you're not a major bytecoin holder of some sort? Monero is a fork without the massive premine/instamine/slowmine without release whatever it was of bytecoin, I imagine your opinion about it is the same if they share cryptonote?
staff
Activity: 4284
Merit: 8808
Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!
Yea, the Bytecoin/Bytecoin thing caused me to not notice it for a long time.

The cryptographically interesting Bytecoin has a reasonable whitepaper: https://bytecoin.org/old/whitepaper.pdf Some of the things it does appear to be pointless or ill-advised to me and I would have counseled otherwise— but as far as the privacy aspect goes, the ring signature approach appears top notch. The privacy depends on the decisional DH problem, so perhaps you could argue that its privacy has a slightly weaker cryptographic story than the basic discrete log stuff (computational DH) but in the curve they're using it's believed to be equally strong. In any case, anything that has reduced the privacy question to asking about cryptographic assumptions has gone pretty good.

Sorry for the OT tangent here. Though there may be some good bitcoin-relevant privacy things to mine out of the bytecoin design.

jr. member
Activity: 56
Merit: 1
It also depresses me somewhat to see people talking about darkcoin (or even zerocoin/zerocash) when bytecoin has a privacy system with much better properties than CoinJoin (it's similar to CJ except you safely join with offline coin holders, and all users are participants), something made possible by the fact that it doesn't have to fit within the existing Bitcoin network, and it's completely practical, reasonably performant and deployed for some time now. But strangely, it's virtually unheard of... Bytecoin's privacy properties are in some sense weaker than zerocoin's— since it's like a supercharged coinjoin— but the cryptography is much stronger and much more efficient, so in practice I'd expect it to have better anonymity just due to it being much more practical (also as evidence to it existing as a deployed system). ... so yea, if you actually are interested in privacy technology in a non-bitcoin system, Bytecoin seems to have pretty much nailed it.

Thanks for introducing me to Bytecoin/CryptoNote. Some solid cryptography being used (in theory) and some great improvements over bitcoin. Unfortunately the fact that there is another coin called bytecoin is very confusing and bytecoin doesn't really have any formal documentation other than this page. Time to do some source code reading!
staff
Activity: 4284
Merit: 8808
extremely interesting thread...what struck my eye was the slow validations which can cause a major clog with transactions when Dark Coin (based off of CoinJoin) gets bigger, right? The more coins transacted the slower the confirmations am I right in saying that?
No, not in a meaningful sense. Validation is very cheap. You do run into block size limits if you're trying to transact too much at once, but any privacy system is limited in its privacy by transaction volume.

"Dark Coin" really strikes me as pointless. The whole idea in coinjoin is that coinjoin is already part of the design of Bitcoin. There is no advantage in having a new and different system. If you're going to do something incompatible, losing Bitcoin's network effect in the process, then you can do something much stronger.

It also depresses me somewhat to see people talking about darkcoin (or even zerocoin/zerocash) when bytecoin has a privacy system with much better properties than CoinJoin (it's similar to CJ except you safely join with offline coin holders, and all users are participants), something made possible by the fact that it doesn't have to fit within the existing Bitcoin network, and it's completely practical, reasonably performant and deployed for some time now. But strangely, it's virtually unheard of... Bytecoin's privacy properties are in some sense weaker than zerocoin's— since it's like a supercharged coinjoin— but the cryptography is much stronger and much more efficient, so in practice I'd expect it to have better anonymity just due to it being much more practical (also as evidence to it existing as a deployed system). ... so yea, if you actually are interested in privacy technology in a non-bitcoin system, Bytecoin seems to have pretty much nailed it.
legendary
Activity: 905
Merit: 1012
Yeah okay. I'll see if I can find time to finish the half-written BIP I've already started.
newbie
Activity: 44
Merit: 0
@caedes, why not have a peer-to-peer broadcast-flood channel for announcing joint transaction availability? Maybe even reuse one that is already available, well maintained, and has known security properties, like say the bitcoin network itself? And then do direct connections to the follow-on stages?

Yes, as genjix says, we're waiting for a specific proposal of how to approach it. When we designed the system, that was the idea: that we could use the bitcoin network to overcome some of the adversary problems.