
Topic: CoinJoin: Bitcoin privacy for the real world - page 33. (Read 294649 times)

newbie
Activity: 27
Merit: 0
September 09, 2013, 06:55:09 PM
There's actually an efficient MPC protocol now that appears to be as secure as my scheme requires! (Which I personally call SMPC = *secure* multiparty computation)

http://phys.org/news/2013-09-breakthrough-cryptography-result.html - also links to its paper

Hopefully it will be released as open source as well.
legendary
Activity: 4228
Merit: 1313
September 08, 2013, 06:49:22 PM
Very true.  Unfortunately Tor (et al) are not yet to the point that many would like.  :-)

One thing to be aware of is the potential lack of security even using Tor right now, so one should be using Tor 2.4 or later even though it is alpha. See below.  Once CoinJoin is live, one should be aware of Tor versions for best practices in privacy.

http://arstechnica.com/security/2013/09/majority-of-tor-crypto-keys-could-be-broken-by-nsa-researcher-says/

And

https://twitter.com/jgarzik/status/376210228863172609
https://twitter.com/jgarzik/status/376210514562404352


legendary
Activity: 1596
Merit: 1100
September 08, 2013, 02:56:08 PM
One thing to be aware of is the potential lack of security even using Tor right now, so one should be using Tor 2.4 or later even though it is alpha. See below.  Once CoinJoin is live, one should be aware of Tor versions for best practices in privacy.

http://arstechnica.com/security/2013/09/majority-of-tor-crypto-keys-could-be-broken-by-nsa-researcher-says/

And

https://twitter.com/jgarzik/status/376210228863172609
https://twitter.com/jgarzik/status/376210514562404352

legendary
Activity: 4228
Merit: 1313
September 08, 2013, 01:10:05 PM
One thing to be aware of is the potential lack of security even using Tor right now, so one should be using Tor 2.4 or later even though it is alpha. See below.  Once CoinJoin is live, one should be aware of Tor versions for best practices in privacy.

http://arstechnica.com/security/2013/09/majority-of-tor-crypto-keys-could-be-broken-by-nsa-researcher-says/

legendary
Activity: 2940
Merit: 1090
September 06, 2013, 07:52:31 PM
lol just received this email about our coinjoin server. we are running nothing except tor and our own software (checked processes).

Tor gateway or merely the normal default Tor node mode (internal node that does not go out getting files off the lightnet for someone else somewhere out on the Tor/dark net)?

-MarkM-
legendary
Activity: 1680
Merit: 1035
September 05, 2013, 11:03:55 AM
Watching, and hopefully participating.
sr. member
Activity: 433
Merit: 267
September 05, 2013, 09:11:04 AM
The solution I offer: We must regulate ourselves and be at least as responsible as traditional banks are now. This would mean we will have to keep track of whatever records/pseudo-identities necessary to help in whatever investigation.
First of all, that's not a solution, and secondly, the pseudo-problem you're trying to solve is not under the scope of Bitcoin.

Bitcoin is a currency, not a surveillance protocol. So the improvements on Bitcoin should be made in the direction of the former and not the direction of the latter.

It is not the responsibility of users of currency to facilitate the investigations of third parties. Though I reject the idea that anyone should assist the investigations of any presumed authority that claims to be a "monopoly on violence."*

For the same reason I reject the idea that a fully anonymous Bitcoin is "less responsible" than a pseudonymous Bitcoin.

The records that participants voluntarily keep are for their use only, and exist to prevent fraud and extortion, not to hold people accountable for transactions deemed unethical by the local oligarchy's inquisitors.

It is further beyond ridiculous to want to avoid bribes to oligarchs because you fear that bribery will cause them to abuse power. Even if you naively thought politicians would be beneficent rulers without the influence of bribery, the political structure of governing cannot be cured of the ignorance that causes the majority of the damage.

If you doubt this, consider the knowledge that politicians of the world possess. Name the politician that is a professional in the fields of medicine, road construction, gumball manufacturing, carpentry, and aeronautics. Name for me one politician of whom it cannot be said that he is an intellectual infant in the vast majority of all fields he claims to be arbiter of.

If any particular oligarchy is indistinguishable from a mob of infants deciding on arbitrary matters, then it hardly matters if their intentions are good or evil. Their actions can only be inept, heavy-handed, short sighted, and destructive.

TLDR
There will always be Luddite, puerile, power-mad oligarchs in the world; that's not Bitcoin's problem.

*Barry Soetoro Jr
staff
Activity: 4284
Merit: 8808
September 04, 2013, 10:27:43 AM
I think it's kind of moot in any case. Being able to keep good records on your own, privately, is an essential feature to offer— just the basis of good book keeping. Your political motivations for doing so (or not) really aren't important for the technology.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
September 04, 2013, 07:30:31 AM
Yeah, you seem pretty lost. The technology is not going to do what you want ... sorry. There was a time when ISPs and banks weren't required to keep records (I don't think you would remember it); the world was definitely a better place then. These are requirements that were brought in by the police state surveillance grid that you recognise as malignant, but not their methods ....
hero member
Activity: 714
Merit: 510
September 04, 2013, 05:18:13 AM
Luckybit:
Ask yourself if you really want to know what that $100 bill in your wallet was used for before you owned it? Would you throw it away if you knew it had once been used to buy cocaine or pay for a hooker or a child slave? Money is money, an economic good, try not to confuse it with other technologies which it is not.

It's not my business to know that. I'm not asking for a stasi coin where I know what everyone purchased. That's not the case I was making. I'm saying if we go anonymous then each of us will have an increased level of responsibility. We will have to keep track of all of our own purchases and when the investigators question us we will have to give them that information. We will have to explain receipt by receipt and in detailed records what we did with our coins. We will basically be required to report our economic activity just as banks are required to do so now because we will essentially be our own personal banks.

I admit that is better than the way things are now where everything we purchase with a credit card is automatically known to the whole world. They know what books we read, what movies we watch, and more without having to have a warrant or any reason to know it. No one is supporting their ability to snoop on us without a warrant.

At the same time it was also made clear to me that Bitcoin is not private enough. I'm in agreement that Bitcoin needs greater privacy protection. The question is how do we do it in a smart way. Do it in the wrong way and the whole experiment could fall apart. In my opinion the right way is we have anonymous purchases but also a pseudo-anonymous way to report our purchases if there is an investigation.

Imagine there is an incident and you want to be pro-active to separate yourself from the child trafficking incident? The way to do this would be to upload pseudo-anonymously your transaction details complete with notes on what you purchased to the investigator and digitally sign it. This would rule you out immediately.

The only concern I have about it is minimizing the risk of false positives and of people getting sucked into incidents in dragnets. The investigators have a job to do, we want privacy. I don't see why we can't both win.

The solution I offer: We must regulate ourselves and be at least as responsible as traditional banks are now. This would mean we will have to keep track of whatever records/pseudo-identities necessary to help in whatever investigation. Just as ISPs are now required to keep records, and banks are required to keep records, if we each become our own ISP through a meshnet and we each become our own bank through peer to peer Bitcoin it actually means with this increase in freedom we will also have an increased responsibility. It's an unavoidable consequence of growing up as a new technology. Our transaction logs right now aren't very detailed, but in the future it will probably be a situation where every single Bitcoin transaction you make produces a detailed digital receipt which gets encrypted and emailed to your email address. Right now if you conduct transactions on Wallet A and then delete the wallet then all those transactions from that pseudo-identity are lost? No, they are stored on the public ledger, but what is lost is your connection to it.

Then you do transactions from wallet B and wallet C, and let's say you actually save transaction details here? Well then you have all the various off-chain transactions and websites with built in wallets; ultimately it's messy.

At some point pressure will build to create a unified pseudo-identity management system where a user creates a persistent pseudo-anon master wallet identity and all the additional extra pseudo-identities are branched from that similar to the master password in Mozilla. Then the user could basically sign in once with the master identity and select any of the different pseudo-identities with their own wallets as a completely different identity. It does not change the fact that if something goes wrong they will have to own the master identity and all the pseudo-identities branched from it. The investigators looking for a specific wallet address could rule them out quick.

I don't see any other way it could play out.
legendary
Activity: 1031
Merit: 1000
September 04, 2013, 01:14:52 AM
My position is that strongly anonymous money is economically superior so the market will prefer to use it.

I am not sure why that position could be argued with. There are three main costs attached with current currencies and payment systems: time, money and privacy.

Bitcoin and implementations like CoinJoin simply decrease those costs in spite of price controls like price floors such as linking identity to account/credit card, etc. with Coinbase and ACH accounts.

And if Bitcoin does not relentlessly drive down those costs then some substitute good will arise that will drive down those costs and the result, everything else being equal, will be decreased demand for Bitcoin and increased demand for the substitute because it has a lower cost but equal or greater utility.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
September 03, 2013, 08:22:01 PM
Luckybit:

Quote
The solution I offer is to make detailed record keeping easy and simple.

You're not offering any solutions at all as far as I can tell; you're just blathering about philosophy of design, like too many of us here no doubt ..... at some point it comes down to "code it or it didn't happen".

Also your approach of trying to dream up and cover every possible use case is futile.  In the end, the coders get to decide what gets experimented with and the market gets to decide what gets adopted. My position is that strongly anonymous money is economically superior so the market will prefer to use it. I've seen zero evidence or research from the advocates for traceable (stasi) money that this is not the case. Ask yourself if you really want to know what that $100 bill in your wallet was used for before you owned it? Would you throw it away if you knew it had once been used to buy cocaine or pay for a hooker or a child slave? Money is money, an economic good, try not to confuse it with other technologies which it is not.
staff
Activity: 4284
Merit: 8808
September 03, 2013, 07:02:15 PM
If you put in anonymity
Nothing being discussed here is a "put in", this thread is about existing functionality which is fundamental to Bitcoin and has been there since day one, if not widely recognized.

But it is dangerous to privacy, because if dust sent to multiple different addresses is gathered together into one account, that could be taken for evidence that the different addresses are in fact controlled by the same person?

Do I understand the threat right?

The correct solution then for the account holder, is to use the 'dust' and the 'old account' with the same key both as txin for a new transaction, with a single output.  There is no harm in letting someone know that the money has not been lost and that its owner is still paying attention, but consolidating the dust together with the account whose key it shares should do no harm to privacy. 

Is there any reason why that solution would be the wrong thing for the account holders to do?
You understand the concern there.  And your proposed solution is a correct one but for two issues: It doesn't reflect the behavior of current wallet software, and making additional payments in that 1:1 manner takes more space and pays more transaction fees. A third option is just ignoring unsolicited payments, though this would have some long term adverse impacts on the system.

hero member
Activity: 714
Merit: 510
September 03, 2013, 06:34:06 PM
This seems overly complicated. Is there any reason why Bitcoin isn't private enough as it is?
You presented a hypothetical situation which has not occurred yet.  It's not perfectly private but compared to credit cards and banks its very private. It's almost as private as cash.
I edited that post down from a longer (4000 word?) version which included some specific examples that I had some personal involvement in: The (third?) ozcoin thief, who was identified by sending funds to a wallet service that reused addresses (and ultimately had those funds clawed back), and a person who had an insecure brain wallet found by a whitehat, ultimately tracked down and contacted due to a mining pool which reused addresses.

There are many other examples of privacy in Bitcoin being weak— one only needs to spend a few minutes browsing through bc.i's public block explorer interface to see real names attached to transactions (found by spidering webforums) and frequently accurate IP addresses (associated by connecting to many nodes), and from there you can find additional related addresses with the taint analysis button. Or look at the academic research "Bitcoin is not inherently anonymous. It may be possible to conduct transactions in such a way so as to obscure your identity, but, in many cases, users and their transactions can be identified." (papers on Bitcoin are of, ahem, highly variable quality— but the point remains, Bitcoin's privacy as it is today is not very good).

The privacy gap between Bitcoin and cash for most users is enormous, enough so that we have an explicit warning on Bitcoin.org:
Quote from: bitcoin.org
"Some effort is required in order to protect your privacy with Bitcoin. All Bitcoin transactions are stored publicly and permanently on the network, which means anyone can see the balance and transactions of any Bitcoin address. However, the identity of the owner cannot be associated with their Bitcoin address until personal information is revealed by the owner during an exchange. This is why it is recommended for Bitcoin owners to use many different Bitcoin addresses; in fact, you should create a new one each time you receive money. This is especially important for public uses such as websites. You might also want to consider hiding your computer's IP address with a tool like Tor so that it cannot be logged."

Ignorance of these limitations makes the situation worse because without being acutely aware of the risk you will transact in ways that leak more information about you and the parties you trade with.

Okay here is a potential attack which is enabled by anonymity in the Bitcoin network.

Let's say I'm a government agency and I decide to exploit the fact that Bitcoin allows anonymous transactions. What I could do is covertly corrupt and take over entire countries utilizing anonymous transactions. I could initiate a covert operation where my government prints unlimited amounts of fiat currency, then its agents go and buy Bitcoins and then these agents can now bribe any politician anywhere in the world.  For sake of argument let's say the currency is the dollar and the agency is the CIA.

What is to stop that agency from playing Santa and bribing anyone and everyone with unlimited ability to buy Bitcoins or mine them? In this case being anonymous would allow for copious amounts of political corruption and opulence at the expense of democracy itself.

Now for a less conspiracy based attack, how about we look at Satoshi Nakamoto himself? A private citizen who has a million Bitcoins? If we make the network anonymous what is to stop him from taking over entire countries politically? He would essentially gain almost Jesus like power over countries where he would be able to bribe any politician, any private citizen, with anonymous payments into their Bitcoin wallets.

In a pseudo-anonymous world we would know at least that someone we suspect to be Satoshi Nakamoto or affiliated with the early blocks are spending coins and we would know what amounts and other little details so that we could limit corruption via transparency. How can we limit corruption in a world where the 1% can spend anonymously?

Despite the myth and rumor, cash is not anonymous. You cannot get cash from an ATM without being on camera. You cannot accept cash from another person without them potentially finding out your identity or seeing your face. If you send cash to a politician in the mail your fingerprints and other evidence will be left behind. Bitcoin is different because if it becomes anonymous then any billionaire in the 1% could decide to buy a state political system and systematically bribe politicians with anonymous Bitcoin rewards and there would be no way to counter this except with a fork.

Ultimately I think anonymity seems to be more a reaction to government overreach but not a long term solution to government corruption. If you put in anonymity then the corruption may become more hidden, and governments won't lose any power. Governments will be able to finally get involved in manipulating the Bitcoin economy and network. They'll be able to do it covertly with operatives, but there is nothing to stop a government from doing this.

For that reason I think more thought on the philosophical level should go into how to implement anonymity in a way which it cannot easily be exploited by the bad guys or have unintended consequences. If corruption is why our governments are bad, enabling it is only going to make it worse. I think for myself what I want is the ability to buy something privately and not have what I buy be known, but I don't necessarily need my transactions hidden. Anyone can know my pseudonym spent X amount of Bitcoins, just so long as they don't know what I spent it on.

If people want to know what I spent it on they'll have to ask personally. That is private information. Secret is a different matter because then I wouldn't even be able to tell you. So how do we set things up so that if I wanted to help fight against corruption or clear myself in an investigation I can do so while also maintaining my anonymity? I think pseudo-anonymity would allow me to do it easiest because I could digitally sign my receipts detailing what I purchased and it could be released in the future to clear myself of any wrongdoing.

I think as long as the user has the ability to be pseudo-anonymous while also having the ability to do record keeping, then if there is an incident then Alice has detailed records of all her transactions and what she purchased which she can give to Gordon to prove her innocence. If she does not have this information then she cannot prove her innocence to Gordon and that is an existential danger to Alice. I'm interested in lowering the risk to Alice (who represents the user who is using Bitcoin for legitimate purposes). I don't want to help Mallory or Eve.


At one point in the conversation I brought up CoinJoin and what it makes possible and his immediate reaction was, "That will have to be stopped."
They can't even be distinguished. Short of a complete lockdown (and a total failure of the system) there is no way to block the activity or even reliably measure how much of it is going on.

I don't think this actually presents much concern to authorities— they manage to survive in a world where cash and other asset transfers leaves few records already.  When tax authorities question you to make sure you're paying your taxes, they'll ask to see your books same way it works with anything else... and nothing in this thread will protect someone there, at least in the US the responsibility is on the taxpayer to show they paid their taxes.  But in any case, the political debate is moot... just due to the technological inevitability of this: I've tried to think of a way to prevent it, and I cannot.


Precisely, the political debate is moot. Because the technology is economically superior and demands this solution, it is inevitable. In fact, I would not be surprised to see a successful CoinJoin functionality implemented in an alternate client before the end of the year, e.g. as coderrr's coin selection patch was. And this will only be Gen 0 for anonymising tools ...

The modern State needs to abandon their utopian panopticon matrix ambitions and go back to doing proportional policing relevant to a free society, for many reasons too numerous to mention.

Besides, this is a Development & Technical section ... suffice it to say, CoinJoin and other anonymising tools are inevitable ... just like Judgement Day.

When we design these technologies we should look at use cases. In my thinking the user worth protecting in my use case models is Alice. Alice is the user who wants to use these technologies for legitimate purposes, who wants her privacy to buy books without Eve or Mallory knowing everything she buys without a warrant.

Gordon (the government agent) wants to investigate Mallory (the malicious user). If he has a warrant he should be able to go to Alice and get information from Alice to reconstruct the events. He will want to know what she purchased, when, what Bitcoin addresses she owns, etc. The addition of anonymity on the network puts an additional burden on Alice to keep records of everything she purchases. It also will make it much more likely that she'll be contacted by Gordon as part of an investigation.

The solution I offer is to make detailed record keeping easy and simple. These records should be good enough that if investigators do have a warrant you can show that you're not a threat. This is necessary to protect Alice by lowering her risk of being falsely accused and it helps save Gordon time because he won't have to worry about as many false positives.

Mallory and Eve are the problem characters. Eve wants to wiretap everyone without a warrant or reason and just snoop around. Mallory wants to hack everyone or use the Bitcoin network for malicious purposes such as pursuit of political power, as part of a crime network, or perhaps a government plot or conspiracy.

Alice just wants to be able to buy books and not have everyone know what book she's buying and when. If there is a warrant Alice is willing to provide the information to clear herself and prove she's not involved with terrorism. The point here is that any design has to make it easy for the user to deal with different plausible scenarios. The default user is Alice, but Mallory or Gordon could also be users of the Bitcoin network.

The idea I have is to empower Alice to collect and store her own digital fingerprint and digital trail. This trail could be useful if she's ever questioned by Gordon. It should have as much or as little detail as deemed necessary to legally clear herself and the amount of detail in the records should be set by Alice but it is clear to me that there can be no invisible transactions in a secure system.

The transactions have to be recorded somewhere by someone. It does not have to be recorded by Eve though. So when you take transactions off the public ledger, in my opinion you must record transactions on a private ledger of your own. This means Alice can have anonymous transactions, but she's going to have to keep detailed records of account of each of these transactions, because someday she may have to explain those transactions. The assumption people have is that Alice will be able to have anonymous transactions without any added responsibility; that is very unlikely. In my opinion it means more responsibility on Alice.

It's going to reach a point eventually where if Alice cannot explain every transaction by providing her private ledger to Gordon during the investigation, that she could be jailed. As a result it may become just as important to backup your transactions and digital details as it is to backup your wallet. Right now it's all handled by Bitcoin itself so no one is forced to religiously record every transaction they make.
legendary
Activity: 924
Merit: 1132
September 03, 2013, 02:00:47 AM

As I write this people with unknown motivations are raining down tiny little payments on old addresses, presumably in an effort to get wallets to consume them and create evidence of common address ownership.


I don't quite understand this.  This dust is being sent to old addresses.  That means that whoever has the private key that can spend the money at the old txout can also use that same key to spend the money at the new "tiny little payment" txout? 

So if the dust is spent, there is evidence that the old address represents someone who is still paying attention and still has the key to that old money.  That seems like something important to know in trying to assess the real currency supply (ie, someone wants to estimate how much bitcoin has been lost).  That is not particularly dangerous or adversarial; it's just good sense to know. 

But it is dangerous to privacy, because if dust sent to multiple different addresses is gathered together into one account, that could be taken for evidence that the different addresses are in fact controlled by the same person?

Do I understand the threat right?

The correct solution then for the account holder, is to use the 'dust' and the 'old account' with the same key both as txin for a new transaction, with a single output.  There is no harm in letting someone know that the money has not been lost and that its owner is still paying attention, but consolidating the dust together with the account whose key it shares should do no harm to privacy. 

Is there any reason why that solution would be the wrong thing for the account holders to do?



hero member
Activity: 609
Merit: 505
September 01, 2013, 10:36:45 PM
Is there a website similar to pastebin where I can do that for pdfs? I also have a more detailed description of the network that might be of interest here that is also in pdf format.

Dropbox?
newbie
Activity: 27
Merit: 0
September 01, 2013, 04:15:35 PM
It isn't certain that you'd be able to tell WHICH input the attacker used, at least not with my scheme where you hide who's using what input. Revealing who's using what input might not be optimal if a user wants to use inputs already tied to himself AND some inputs that aren't already, and doesn't want the unlinked ones to become linked to him.

Send all inputs to one key first.

I don't see how that solves anything. You just openly linked your own inputs together yourself, then.

Someone previously proposed using Secure Multiparty Computing before to implement CJ, but one must realise that SMC is only a set of tools. E.Z.Yang proposed one specific implementation using sorting, which is a cool idea, but according to Yang himself is currently not feasible in practice. In his own words, "The big obstacle is that secure multiparty sorting is somewhat difficult to implement with large keys (since integer comparison operations tend to only handle a few bits at a time)." The hunt is still on to find an efficient way to use SMC to solve the problem.

I am quite excited that people are working on making this work and will be trying the programs proposed here when I can.

General SMC/MPC (myself I usually abbreviate it as SMPC) does exist. But it seems to be less efficient than specific ones like for sorting. I am eagerly waiting for efficient general SMPC to become usable for average joes.
jr. member
Activity: 38
Merit: 3
September 01, 2013, 11:09:29 AM
I have done some work previously on the problem and came up with a (theoretical) solution that is quite analogous to CoinJoin but that uses a fixed network of 2-party txs instead of a potentially bigger one. You can see the video here
http://www.youtube.com/watch?v=6hc8qaR_Fok&list=PLUOP0P68GJ3BGjfqoLLnzAefk3ZzXQtJ7&index=35
but as there is a lot of what I am talking about that has already been discussed here, I would like to simply upload the pdf. Is there a website similar to pastebin where I can do that for pdfs? I also have a more detailed description of the network that might be of interest here that is also in pdf format.

Someone previously proposed using Secure Multiparty Computing before to implement CJ, but one must realise that SMC is only a set of tools. E.Z.Yang proposed one specific implementation using sorting, which is a cool idea, but according to Yang himself is currently not feasible in practice. In his own words, "The big obstacle is that secure multiparty sorting is somewhat difficult to implement with large keys (since integer comparison operations tend to only handle a few bits at a time)." The hunt is still on to find an efficient way to use SMC to solve the problem.

I am quite excited that people are working on making this work and will be trying the programs proposed here when I can.

Edit:
Link to the video's pdf: https://www.dropbox.com/s/nvkvo1dl3xif87v/PresentationBitcoin2013.pdf
staff
Activity: 4284
Merit: 8808
September 01, 2013, 06:21:10 AM
b) the distinguishability of the coinjoin transaction is equal to its weakest link.
    that is, if two people in a coinjoin tx use input addresses that have been reused and can be linked to their identity, then the whole coinjoin tx has been busted.
Interesting point... though it depends on the specifics: Perhaps the transactions linking them to their identities were the CJ ones and the later apparent CJ is just a single person.

Don't let me overstate the indistinguishability too much; there are many potential transaction pattern side channels (e.g. from the use of compressed or uncompressed public keys, for example, down to what times of day transactions happen) but at a low level these transactions are not fundamentally unusual.

Quote
i also wonder whether building a decentralized coinjoin system is as easy as some people here believe it is.
i think it's a good idea to design it and state its threat model before standardizing coinjoin.
otherwise, we will be stuck with the centralized coinjoin variant, where anyone can join the public channels and log the mixes.
I think it's pretty hard, not in the overall components but in all the details.  My expectation is that there will be multiple systems for some time, if not forever, offering differing properties and tradeoffs. The harm from the anonymity set reduction that would result from that may be partially addressed by users that use multiple tools, and from them making their transactions look externally indistinguishable.

Even in the centralized model I think it can be fairly easily arranged so that random non-participating observers can't tell what txins are in flight, e.g. a meeting point host is selected and inputs are only revealed to it. Maaku has also already implemented chaum blinded signatures, so the input-output correspondence can be hidden from the meeting point.

I think there are different application and threat models in flight here. For me the most important in the short term are the weakest ones— just getting a non-trivial number of joint transactions in use in order to disrupt the analysis for all users (including ones who've never used CJ) will be a big practical improvement.
newbie
Activity: 1
Merit: 0
September 01, 2013, 06:03:24 AM
hi,
i'm thinking about coinjoin transactions and how they are supposed to be indistinguishable from normal transactions.

some notes:
a) the number of participants of a coinjoin transaction must be variable.
    otherwise, if _all_ coinjoin transactions contain 55 inputs, then that's a pretty strong distinguisher.

b) the distinguishability of the coinjoin transaction is equal to its weakest link.
    that is, if two people in a coinjoin tx use input addresses that have been reused and can be linked to their identity, then the whole coinjoin tx has been busted.

i also wonder whether building a decentralized coinjoin system is as easy as some people here believe it is.
i think it's a good idea to design it and state its threat model before standardizing coinjoin.
otherwise, we will be stuck with the centralized coinjoin variant, where anyone can join the public channels and log the mixes.

cheers!
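To make the linkage risk discussed in this thread concrete (the dust-on-old-addresses concern and Ian's "spend the dust only with the coin that shares its key" answer, and the later point that a CoinJoin with several signers is what breaks the same analysis), here is an added example that is not from any poster or from any CoinJoin implementation. It runs the common-input-ownership heuristic, the one a block-explorer "taint" style clustering relies on, over constructed sample transactions; the address labels, values and the crude equal-output CoinJoin check are all assumptions made for the illustration.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample transactions (not real chain data). "in" lists the addresses whose
# keys sign the transaction; a repeated address means two coins on the same key (the old
# coin plus the unsolicited dust). "out" is a list of (address, value in satoshi).
# The A/B/C prefixes tell the reader who really owns an address; the heuristic never sees that.
Tx = dict

TXS_CAREFUL: List[Tx] = [
    # Ian's suggestion: spend the dust on A1 only together with A1's own old coin, one output.
    {"id": "alice_consolidate", "in": ["A1", "A1"], "out": [("A9", 100_000)]},
    {"id": "bob_consolidate", "in": ["B1", "B1"], "out": [("B9", 50_000)]},
]
TXS_GREEDY: List[Tx] = [
    # What ordinary coin selection may do instead: sweep the dust on A1 and A3 together
    # with an unrelated Alice coin on A4 into one payment.
    {"id": "alice_sweep", "in": ["A1", "A3", "A4"], "out": [("M1", 90_000), ("A9", 9_000)]},
]
TX_COINJOIN: Tx = {
    # Three owners sign one transaction; the three equal outputs are the joined payments.
    "id": "cj",
    "in": ["A5", "B5", "C5"],
    "out": [("A6", 10_000), ("B6", 10_000), ("C6", 10_000), ("A7", 2_000), ("B7", 3_500)],
}


class _UnionFind:
    """Minimal disjoint-set structure over address strings."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx: Tx, min_equal_outputs: int = 2) -> bool:
    """Crude CoinJoin distinguisher (an assumption of this example): several equal-valued
    outputs and at least as many inputs. Note (a) in the thread applies: a fixed participant
    count would make such a check stronger, not weaker."""
    counts: Dict[int, int] = defaultdict(int)
    for _, value in tx["out"]:
        counts[value] += 1
    return max(counts.values(), default=0) >= min_equal_outputs and len(tx["in"]) >= min_equal_outputs


def cluster_addresses(txs: Iterable[Tx], skip_coinjoin_like: bool = False) -> Dict[str, FrozenSet[str]]:
    """Common-input-ownership heuristic: all input addresses of one transaction are assumed
    to belong to one owner. Returns address -> the cluster it ended up in."""
    uf = _UnionFind()
    for tx in txs:
        if skip_coinjoin_like and looks_like_coinjoin(tx):
            continue  # an analyst who knows about CoinJoin must not merge across signers
        first = tx["in"][0]
        for addr in tx["in"]:
            uf.union(first, addr)  # union with itself registers single-input addresses too
    groups: Dict[str, set] = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(groups[uf.find(addr)]) for addr in uf.parent}


def linked(clusters: Dict[str, FrozenSet[str]], a: str, b: str) -> bool:
    """True if the heuristic put a and b under one owner; unseen addresses are unlinked."""
    return a in clusters and b in clusters[a]


if __name__ == "__main__":
    careful = cluster_addresses(TXS_CAREFUL)
    greedy = cluster_addresses(TXS_GREEDY)
    print("careful consolidation links A1 and A3:", linked(careful, "A1", "A3"))  # False
    print("greedy sweep links A1 and A3:", linked(greedy, "A1", "A3"))  # True
    naive = cluster_addresses([TX_COINJOIN])
    aware = cluster_addresses([TX_COINJOIN], skip_coinjoin_like=True)
    print("naive clustering merges Alice and Bob via the CoinJoin:", linked(naive, "A5", "B5"))  # True
    print("skipping CoinJoin-like txs keeps them apart:", linked(aware, "A5", "B5"))  # False
```

The naive run shows why even a modest number of real CoinJoins degrades this kind of clustering for everyone: the analyst must either accept false merges or discard every transaction that merely looks joined.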