Topic: CoinJoin: Bitcoin privacy for the real world - page 16. (Read 294649 times)

I find it a good idea to create a site where you enter a P2SH address, it gives back a traditional address, and when it receives money at the traditional address, it immediately forwards the unconfirmed BTC to the P2SH address. Hope someone will manage it!

Could someone kindly give a status update on when will we have a real-world, usable CoinJoin (besides the implementation on Blockchain.info)? This thread is huge, and I'm sure many casual readers would like to see a tl;dr to learn will this result in a usable client soon, or what's the plan?

I found the thread when reading this article from 7 months ago. What has happened since?
http://bitcoinmagazine.com/6630/trustless-bitcoin-anonymity-here-at-last/

And thus my original statement was correct:


Also my statement that the CoinJoin protocol can be DOS-attacked was correct.

It was a bit difficult to explain these facts w.r.t. to gmaxell's semi-coherent, incomplete explanations of his protocol. But I think I was able to help him to specify the essential requirements of his protocol.


The solution was provided by gmaxell. Use Zerocoin which is an atomic operation from inputs -> available outputs. But it won't work for Bitcoin's current block chain design, because even if we could (which we currently can't) we don't want to put the Zerocoin accumulator on the block chain because we don't want to trust the PQ thus we want to the accumulator to have a preset short-term lifespan and all inputs and outputs must specify themselves with that time limit. However this can't work in Bitcoin because inputs have to sign the output addresses. Thus in Bitcoin the specification of the output addresses would make it a non-atomic operation thus it can be DOS-attacked.

The solution for an altcoin (or Bitcoin if we can make such a radical change) is to make the transaction id a nonce and have the inputs and outputs sign that nonce. If the outputs are greater than inputs, then the transaction is invalid. In the rare event the outputs are greater than inputs, then we know to throw away and don't reuse the Zerocoin accumulator's PQ (because its trust is compromised) and try again.

I'm sometimes reading this topic, occasionally, and it seems always the same. Actually, its getting worse.
Like with almost everything: plenty of ideas, but no solution whatsoever.

As for this specific topic, it basically seems like the level of the misery is just increasing.
My advise: talk less, do more - it will solve all your problems, I promise!

Why do people even care to waste their time on pointless discussions?
I could have saved so much of my own time, if I had only known an answer to such a stupid question
I guess it must be some kind of entertainment, like watching TV, because I cannot believe someone would be wasting his time on this kind of pointless forum arguments, though still thinking that he actually somehow helps the mankind.
We are talking about tens of pages of a "technical" topic (and not only this one!), lasting for years, with practically no actual applications - it must be just an entertainment, what else?
Unless it's a new kind of science: a theoretical engineering... Though I would still rather count it as a stupid kind of philosophy 

You just can't resist the ad hominem even after I've shown you were wrong all along about DOS attacks on your protocol.

Sigh.

Actually I think they're fine for this without the UFOs, I only brought them up because you were insisting things that were add odds with their e
Appears you are saying that as a participant when I provide my input, I also specify the amount of my output?

Derp. Your output is equal to your input. Privacy comes from equalizing amounts.

As for slowing down, the adversary can have many parallel addresses in play so I don't think so.

Transaction fees might work if they are significant enough. I haven't studied how much the tx fees are in Bitcoin much. I think I read that certain txs can be 0 for some cases?

If the adversary is mixing through CoinJoin transactions (hehe, uses what he also DOS-attacks against itself), then the blockchain tx fee is going to be shared between all parties of the CoinJoin transaction, so could it be insignificant?

Edit: I've just realized the adversary can eliminate the transaction fees too, by spending those banned amounts as he normally would (e.g. day trading), thus he doesn't incur any extra cost.

Edit#2: unless all decentralized CoinJoins share their ban lists (which is quite impractical to achieve as it is the antithesis of decentralization), adversary can just round-robin through them.

So I've won the argument. Checkmate.

Transaction fees and confirmation times should slow down the attacker.

You removed part of the logic of the sentence. Here is what I wrote:


Surely you understand that the word "unless" means that if UFOs are not a solution, then I'm asserting you've admitted and if UFOs are a solution then I'm not asserting you have admitted.

So I did not (intentionally) misrepresent your stance. You are still claiming that UFOs are a solution, thus you haven't admitted and I have never claimed you have.

Note the logic of "unless" also (unintentionally) meant that you admitted couldn't think of a way to use a trusted PQ instead of a UFO. But you have apparently presented a workable idea below. Kudos!


I agree the extra size is not likely a factor for use offchain such as a decentralized CoinJoin.

Zerocoin is also not realistic inside Bitcoin because if a trusted party could create unlimited Bitcoins, that would violate basic principle of Bitcoin. That same trust issue may or may not apply if used in CoinJoin.

I elaborate below why am not convinced UFOs would solve that trust issue if used in Bitcoin.


I would need to look and think more deeply about the math he showed there, but seemed like he was saying that we can predict the occurrence of primes in a product probabilistically thus I am having the conjectured thought (to explore more when I have more time) that the requirements on the period (in the applicable domain space) over which the assumption that the (approximation to the) Random Oracle model must hold true may be implicitly much more vast than when we apply hash functions in Z. I am curious to think more about what he actually proved and didn't prove.

I think there is much more depth to this than we can go into now. And I haven't had the time yet to wrap my mind completely around the math in that paper on UFOs.

Why don't we ask Adam Back? He is a neutral party and I think he may know more about the deeper implications of the mathematical assumptions in that RSA-UFO paper.

Or we can simply agree to stop discussing about Zerocoin or RSA-UFOs, which would be fine by me.



I am replying to your comments. If you stop talking about Zerocoin, then I can stop responding about Zerocoin.

I am curious about Zerocoin as a solution for CoinJoin since I am fairly certain that your proposed protocol for CoinJoin can be DOS-attacked (see my reason below).



That is a very interesting idea! Since knowing PQ doesn't allow you to snoop on the other participants' anonymity, that might be workable.

And then we don't need RSA-UFOs.

I don't see why you need to track how often there is failure. You simply discard a PQ where there was a DOS attack, because that is 100% evidence that PQ is compromised.


Great. If the DOS attack occurs during the blind signing of the output tokens then everything is totally trivial then. Since every inputting user is required to blind sign everyone else output token, if they don't— you know who's jamming the process and you ban them.

Here is an overview of all the places a user could refuse to participate further:

(0) If a user refuses to sign an initial introduction message that specifies their input and their blinded output (and other parameters like blind signing keys to be used), then they're just not participating as producing that message is how they join in.

(1) If a user refuses to sign the blinded outputs of all the other users their inputs are blacklisted as the blind signing of everyone's output tokens is not anonymous (relative to inputs).

(2) If a user (now reconnected anonymously relative to inputs) refuses to reveal their unblinded outputs, this attempt is aborted, all honest users reveal their blinding factors and withholder is deanonymized and their inputs banned.

If we've made it this far we have a set of outputs which were provably created by the people who created the inputs, though we don't know the correspondence. We can form a transaction and know that the transaction matches their wishes. So we do.

(3) If any input does not sign for the resulting transaction we blacklist them because we know the transaction is accurate at this point.

I really cannot understand why you find this difficult to understand.