Pages:
Author

Topic: CoinJoin: Bitcoin privacy for the real world - page 28. (Read 294672 times)

legendary
Activity: 1400
Merit: 1013
Among the benefits is that the math is simpler, allowing other ideas to be easily implemented (such as a cutoff value: everything under 0.000x BTC is lumped into one output. If a small, random transaction fee is also included, this avoids dust outputs but is still resistant to analysis.)
If outputs are in the form of Xn, then you can easily implement a cutoff by specifying a minimum value for n. Leftovers just get added to the transaction fee.

I really don't care if there is a recommended standard of X=2, or X=5, or if an explicit negotiation step is added to the protocol to choose a value for X, just as long as there's some way to do it that actually gets implemented.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
Consider a hypothetical CoinJoin transaction with several inputs and two outputs, A and B.

Output A is 5.21875 BTC and Output B is 3.4375.

In order for an attacker to break the mixing he must answer the question, "which combination of inputs add up to each output", and that question could likely have only one solution. If there is only one solution, the mixing has no value other than forcing the attacker to spend a bit of CPU power on it.

If the participants in the mix instead choose to only use integer powers of 2, they can break their desired outputs down like this:

Output A can be broken down as follows:
1 x 22
1 x 20
1 x 2-3
1 x 2-4
1 x 2-5

Output B can be broken down as follows:

1 x 21
1 x 20
1 x 2-2
1 x 2-3
1 x 2-4

So now the transaction has 10 outputs: 4 BTC, 1 BTC, 1 BTC, 250 mBTC, 125 mBTC, 125 mBTC, 62.5 mBTC, 62.5 mBTC, 31.25 mBTC.

The odds of finding an unambiguous mapping of inputs to outputs should be far lower in the second case.


Hmm. It might simplify things by "approximating" powers of 2: 1, 2, 5, 10, 25, 50, 100, 250, 500, etc. Similarly, 0.5, 0.2, 0.1, 0.05, 0.02, 0.01, etc.

The downside is there's somewhat more risk of analysis matching inputs to outputs, but I would think the increased risk is very slight.

Among the benefits is that the math is simpler, allowing other ideas to be easily implemented (such as a cutoff value: everything under 0.000x BTC is lumped into one output. If a small, random transaction fee is also included, this avoids dust outputs but is still resistant to analysis.)

For example, your above outputs, after removing small transactions fees, might break down to

 A) 5.21872289 (prior output after removing a randomized 0.00002711 txn fee) =
  5 + 0.2 + 0.01 + 0.005 + 0.002 + 0.001 + 0.0005 + 0.0002 + 0.0002289 BTC

 B) 3.43742991 (prior output after removing a randomized 0.00007039 txn fee) =
  2 + 1 + 0.2 + 0.2 + .02 + 0.01 + 0.005 + 0.002 + 0.0002 + 0.0002 + 0.00002991 BTC

Almost all of the privacy, and the coins are less noticeable (as opposed to values like 0.03125 BTC) even just sitting in the wallet. And this would be a much better result too for those of us managing coins in paper wallets who need to determine how many change addresses to grab to spend X bitcoins.

Just a thought.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Have sent some BTC and would be more than happy to set up a project on CIYAM Open for this (free of charge for its lifetime of course).
hero member
Activity: 784
Merit: 1000
theymos, gmaxwell, everyone - excellent project! My donation on the way too...


IMHO we should motivate miners to operate liquid CoinJoin pools and pass all their new block rewards through it. Then integrate CoinJoin in as many clients as possible, for automatic or semi-automatic use. When everything is tainted, nothing is, and all list operators will look pretty stupid.

It's in the best interest of miners that bitcoins remain fungible long term, but some short sighted individual miners might object to getting slightly tainted coins. This could be offset by a small fee paid by CoinJoin users, and shared between pools and miners.

I tend to think that Coinjoin pools should be like Tor flashproxies, ephemeral, ad-hoc and untrackable.
full member
Activity: 187
Merit: 100
theymos, gmaxwell, everyone - excellent project! My donation on the way too...


IMHO we should motivate miners to operate liquid CoinJoin pools and pass all their new block rewards through it. Then integrate CoinJoin in as many clients as possible, for automatic or semi-automatic use. When everything is tainted, nothing is, and all list operators will look pretty stupid.

It's in the best interest of miners that bitcoins remain fungible long term, but some short sighted individual miners might object to getting slightly tainted coins. This could be offset by a small fee paid by CoinJoin users, and shared between pools and miners.
legendary
Activity: 1078
Merit: 1006
100 satoshis -> ISO code
theymos, gmaxwell, everyone - excellent project! My donation on the way too...
legendary
Activity: 1498
Merit: 1000
CoinJoin needs to be nicely implemented in Bitcoin-Qt before any of these ridiculous blacklist proposals take off. So for the next 30 days, I will match donations to the CoinJoin bounty fund (3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk), up to a maximum of 5 BTC. Just donate to that address, and in 30 days I'll donate the difference between the current received amount (16.21420773) and the received amount at that time (max 5 BTC).

I agree so I just send ~$50 to donations https://blockchain.info/tx/37fa76c95c06c4f35ac4069a84d75a022275a80bd35a05e102c8f6ad4d02646d
hero member
Activity: 836
Merit: 1007
"How do you eat an elephant? One bit at a time..."
CoinJoin needs to be nicely implemented in Bitcoin-Qt before any of these ridiculous blacklist proposals take off. So for the next 30 days, I will match donations to the CoinJoin bounty fund (3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk), up to a maximum of 5 BTC. Just donate to that address, and in 30 days I'll donate the difference between the current received amount (16.21420773) and the received amount at that time (max 5 BTC).

Theymos, you rock! I've already donated but you've inspired me to send a little more.



administrator
Activity: 5222
Merit: 13032
CoinJoin needs to be nicely implemented in Bitcoin-Qt before any of these ridiculous blacklist proposals take off. So for the next 30 days, I will match donations to the CoinJoin bounty fund (3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk), up to a maximum of 5 BTC. Just donate to that address, and in 30 days I'll donate the difference between the current received amount (16.21420773) and the received amount at that time (max 5 BTC).

Edit: Paid 5 BTC.
legendary
Activity: 3430
Merit: 3080
The mixing application described in the OP uses same valued outputs
And I believe that drastically reduces its usefulness.

It's fine as an academic exercise but how people actually use their bitcoins in the real world is considerably more messy. Unless you can handle situations where the users need to mix differing amounts of coins you'll either degrade the mixing to uselessness or else end up with a double coincidence of wants problem where nobody can find suitable partners top mix with.

A decentralised approach would provide enough variety so that the number of people who have to compromise would decrease, but I agree that this harms the effectiveness of the anonymity of inputs. It would also be less easy to convince a nosy listing agency that you were settling several hundred payments in a single transaction... especially when several hundred other CoinJoin participants could be making the same claim to the very same transaction to the same agency. It's not possible that you're all the sole originator of the same transaction.
sr. member
Activity: 279
Merit: 250
The mixing application described in the OP uses same valued outputs
And I believe that drastically reduces its usefulness.

It's fine as an academic exercise but how people actually use their bitcoins in the real world is considerably more messy. Unless you can handle situations where the users need to mix differing amounts of coins you'll either degrade the mixing to uselessness or else end up with a double coincidence of wants problem where nobody can find suitable partners top mix with.

Yea, and to that effect there should be a step prior to the CJ where outputs are made uniform.
legendary
Activity: 1400
Merit: 1013
The mixing application described in the OP uses same valued outputs
And I believe that drastically reduces its usefulness.

It's fine as an academic exercise but how people actually use their bitcoins in the real world is considerably more messy. Unless you can handle situations where the users need to mix differing amounts of coins you'll either degrade the mixing to uselessness or else end up with a double coincidence of wants problem where nobody can find suitable partners top mix with.
legendary
Activity: 905
Merit: 1012
Consider a hypothetical CoinJoin transaction with several inputs and two outputs, A and B.

Output A is 5.21875 BTC and Output B is 3.4375.

...

The mixing application described in the OP uses same valued outputs for two reasons: (1) to avoid this sort of identification, and (2) to prevent the facilitator from learning identities through blind signatures. This requires that within a single transaction, the mixed outputs must have the same value denominations (or be divided into groups of same-valued denominations). The hypothetical given is a weaker protocol than the OP.

That said, there is no reason that the common denomination used by one transaction has to match or be a multiple of the common denomination of another - that gains you nothing as far as I can tell.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.

Such coins are not at rest, thus can be stolen by a determined cracker.
legendary
Activity: 1974
Merit: 1030
Code:
Key from Pieter (pgp signature to be provided later):

0292782efcb08d621c360d055f407c8e75ffbbd06f6b7009c1432ca9eaa6732592

Oops, seems that a signature was forgotten Wink. I'll donate half a coin to this as soon as the sig is in place!

Please everyone consider donating.
legendary
Activity: 3430
Merit: 3080
Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.
Exactly what I am talking about.

We must make coin mixing almost as common as sending them. This way governments will have no choice but face the reality.

I think there are too many compliant goody goodies out there for this to work. You only have to craft a well thought through smear campaign against anonymising and most people will be too anxious to rebel against it, they will believe the nonsense is true.

There are fewer miners than users, and they are naturally determined risk takers. They are easier to convince of the drawbacks than average users, especially as they have probably got more BTC balance whose long term value and viability they wish to protect.
sr. member
Activity: 321
Merit: 250
Yes.  Mixing must be the norm, not the exception.

If it is the exception, then even the fact that you are engaging in it is suspicious.

Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.
Exactly what I am talking about.

We must make coin mixing almost as common as sending them. This way governments will have no choice but face the reality.
legendary
Activity: 3430
Merit: 3080
Another option is to make CoinJoin/CoinSwap really popular. Perhaps make the client suggest mixing like by adding "mix coins with other's users coin" checkbox in the send coins GUI.

This way regulators will have no other way than to accept Bitcoin the way it is - mixed and untraceable.

More difficult to popularise anonymising features than it is to find out what colour the biggest miners like their address lists. If they want the lists transparent, instead of red, black blue green or white, then they should prefer to ban any such coloured listed addresses from their transaction inclusions.

Let's push to hit these lists right at their fundamentals, make them undesirable and unusable, not the other way around.
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.
Exactly what I am talking about.

We must make coin mixing almost as common as sending them. This way governments will have no choice but face the reality.
legendary
Activity: 1974
Merit: 1030
Perhaps we should seriously speed up initiatives like CoinJoin, CoinSwap and CoinControl so people start massively mixing coins and make such efforts unfeasible.

And/or incorporating it into clients so people wouldn't have to bother. E.g. I wouldn't mind to spend a millibit a week in network fees just to have my coins periodically mixed.
Pages:
Jump to: