Topic: CoinShuffle: Practical Decentralized Coin Mixing for Bitcoin (Read 23723 times)

Mimblewimble allows for a very simple coin shuffling protocol [1] with the following properties:

* Users submit self-spends throughout the day. No interaction needed for shuffling.
* Shuffling is performed at the end of the day by a set of mixnodes that cannot steal any coins.
* Invalid self-spends are automatically filtered out. No need to abort or restart the shuffling.
* As long as at least one mixnode is honest, then no one learns the input output links.
* The size of the shuffle is limited only by blocksize and could easily be over a thousand.
* Each shuffle only grows the chainsize by a small constant (~100 byte), thanks to MW cut-through.

Widespread use of the protocol would leave the transaction graph mostly obscured.
We welcome review of the proposal.

[1] https://forum.grin.mw/t/mimblewimble-coinswap-proposal

I wrote a simulation of the P2P shuffling process of CoinShuffle. If someone is looking at this idea who's familiar with .NET, it can help in understanding it: https://github.com/nopara73/CoinShuffleSimulation2

Hi gmaxwell,

you and the joinmarket team helped me a lot to get this far with my joinmarket proxy and I feel bad for "betraying" you by saying negative things about JM maybe blind to CS having the same problems but as far as I understand it, JM does not aim to avoid the taker from learning the matching, which is at best a short cut to achieve some degree of mixing and at worst makes the whole endeavor of mixing pointless, as interested parties will inevitably outbid others just to get a glimpse at the matching. And they can do this under the radar, as knowing some UTXOs will help them to know a lot of the mixing without constantly probing every maker actively.

As far as I understand, in CS there is no obvious way to learn any matching as long as there are fair players at all. It allows you to single out the DOS players and that leaves the disruptors to spying, where they can only decrease the privacy probabilistically, to the point of learning one user's matching if they totally eclipse attack him. But as all would pay their share of the fee and makers can't earn from it, this would force attackers to provide activity that others would take for legit activity and use this great tool, which in turn would make the attacker fail to single out all honest players all the time.

In JM with its asymmetric structure with makers not actually caring about their privacy and having an incentive to share data among them, I also see the incentives aligned against anonymity.

That is remarkably inexplicable to me.  JM is very actively developed by a community of developers. It was created with basically no anti-DOS mechanisms, though the original CJ post (technically the "appendix" post I made right below it) went over several different anti-DOS mechanisms, because it's perfectly reasonable to get something working before making it strong-- especially since JM's main motivation is gumming up automated analysis more than itself providing strong privacy.

But it's quite straight-forward to add in strong anti-DOS and better privacy, on top of a working and vibrant system; doubly so in that the coinshuffle description provides no special structural immunity to those dos attacks: the same anti-dos mechanisms are needed.  You shouldn't let that fact that a single person in the JM space is advocating one anti-dos method that would harm casual usage as at all indicative of ... well, anything.

It's one of it's properties to not need a protocol change. All the blinding and shuffling happens outside of the protocol and then all parties sign the resulting transaction which again is just a regular coinjoin transaction.

The reason they are working on a BIP is probably to standardize the process, not to hard-fork bitcoin.

This loos nice, but if we need to change the core protocol for this, than I'm not really down. We have several altcoins to do exactly this.

Hi TimRuffing and Kristov Atlas,

sorry for having missed this last post somehow in my other comment.

I'd really love to help with such a reference implementation, with a wallet-integration-perspective. At Mycelium we see fungibility as a very urgent issue and having worked on a JoinMarket Proxy myself, I feel like JoinMarket might be a dead end precisely due to what CoinShuffle claims to solve. At least from the Wallet-perspective.

For this, I wonder what harm would be done if the current state of implementation was already public for others to tinker with.

I'm particularly interested in ease of integration with wallets and my focus in Joinmarket there was to not share private keys with the mixing module, which in the link above was a server but for mobile wallets could be an app working like the orbot TOR proxy locally on the device.

I see a couple of issues with this approach:

1. You need other participants in order to use coinshuffle. What happens when no one at the moment wants to coinshuffle X amount of Bitcoins with you? Do you just wait around?

2. Given the huge political hurdle of adding anything at the bitcoin protocol level..I presume this is not going to be at the protocol level?

Bitcoin will never truly be fungible until changes at the protocol level are made for all bitcoins in existence.

Quoting myself:
We'll provide more information, including a mailing list, soon.

Regarding JoinMarket, I'm not sure. It seems that it is not so sophisticated as CoinShuffle, but that's rather a first guess. Is there a technical description of how it works under the hood? I can only find descriptions of how to use it.
Also, JoinMarket seems to understand the problem as a economic one and someone is gets fees for enabling the mixing. CoinShuffle is different here, the participants just pay the single transactions fee for the CoinJoin transaction, which is very low and can even be split among all participants. But there is no party that gets an additional mixing fee (on top of the transaction fee).

Jumblr implements a fully decentralized coinshuffle. The fee is 0.1% for bitcoin, it should work for other coins also, but bitcoin shuffling is the only one that matters.

I am looking for someone to head up the marketing for this. It just went into testing this weekend.

It uses the InstantDEX/SuperNET network for the directory, but the actual coinshuffle is all between the participating nodes.

James

I've followed the JoinMarket project which I recently discovered, but I just came across this.  Is this project still active, and if so, where can I find current information?  How would this compare to JoinMarket transactions?

NXT has implemented CoinShuffle now. It will be available in the next major release (1.6.x)

Darkwallet's webpage still lists coinjoin as their shuffling method. Anyone know the status of Dark Wallet's coinshuffle implementation or any other implementations?
https://www.darkwallet.is/

Dark uses coinjoin. A system like this would eliminate Dark and all the other altcoins using coinjoin.

Fibrecoin developed and released a privacy solution that is based on CoinShuffle
https://bitcointalksearch.org/topic/m.10834848

I thought they were implementing CoinJoin instead. EDIT: true, Amir confirmed that: https://www.reddit.com/r/Bitcoin/comments/2ijsw1/the_coming_of_darkwallet/cl2qow6

On the other hand, I see a problem with CoinShuffle. The participants are supposed to sign their messages "with their addresses"; this assumes that the inputs they provide were paid to standard P2PH addresses, but they cannot use outputs sent to P2SH (those starting with a 3, e.g., "multi sig" addresses). Participants could still be required to reveal their script and then sign their handshaking rounds with a key contained there (if there is any).

Amir says it's being worked on for Dark Wallet.

Is a full working version of coinshuffle being developed? The research site says the current version was just a proof of concept for testing and not usable for real coins.

paper looks pretty solid

Is anyone aware of ongoing blockchain forensics tracking notable coins?
Have pretty much all stolen/hacked/scammed coins been obfuscated via mixing/shuffling?