Pages:
Author

Topic: CoinShuffle: Practical Decentralized Coin Mixing for Bitcoin (Read 23791 times)

legendary
Activity: 990
Merit: 1108
A comparison with other approaches
Mixcoin
Zerocoin / Zerocash / Anoncoin
CoinSwap

Mimblewimble allows for a very simple coin shuffling protocol [1] with the following properties:

* Users submit self-spends throughout the day. No interaction needed for shuffling.
* Shuffling is performed at the end of the day by a set of mixnodes that cannot steal any coins.
* Invalid self-spends are automatically filtered out. No need to abort or restart the shuffling.
* As long as at least one mixnode is honest, then no one learns the input output links.
* The size of the shuffle is limited only by blocksize and could easily be over a thousand.
* Each shuffle only grows the chainsize by a small constant (~100 byte), thanks to MW cut-through.

Widespread use of the protocol would leave the transaction graph mostly obscured.
We welcome review of the proposal.

[1] https://forum.grin.mw/t/mimblewimble-coinswap-proposal
member
Activity: 103
Merit: 327
I wrote a simulation of the P2P shuffling process of CoinShuffle. If someone is looking at this idea who's familiar with .NET, it can help in understanding it: https://github.com/nopara73/CoinShuffleSimulation2
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
I feel like JoinMarket might be a dead end precisely due to what CoinShuffle claims to solve.
That is remarkably inexplicable to me.  JM is very actively developed by a community of developers. It was created with basically no anti-DOS mechanisms, though the original CJ post (technically the "appendix" post I made right below it) went over several different anti-DOS mechanisms, because it's perfectly reasonable to get something working before making it strong-- especially since JM's main motivation is gumming up automated analysis more than itself providing strong privacy.

But it's quite straight-forward to add in strong anti-DOS and better privacy, on top of a working and vibrant system; doubly so in that the coinshuffle description provides no special structural immunity to those dos attacks: the same anti-dos mechanisms are needed.  You shouldn't let that fact that a single person in the JM space is advocating one anti-dos method that would harm casual usage as at all indicative of ... well, anything.

Hi gmaxwell,

you and the joinmarket team helped me a lot to get this far with my joinmarket proxy and I feel bad for "betraying" you by saying negative things about JM maybe blind to CS having the same problems but as far as I understand it, JM does not aim to avoid the taker from learning the matching, which is at best a short cut to achieve some degree of mixing and at worst makes the whole endeavor of mixing pointless, as interested parties will inevitably outbid others just to get a glimpse at the matching. And they can do this under the radar, as knowing some UTXOs will help them to know a lot of the mixing without constantly probing every maker actively.

As far as I understand, in CS there is no obvious way to learn any matching as long as there are fair players at all. It allows you to single out the DOS players and that leaves the disruptors to spying, where they can only decrease the privacy probabilistically, to the point of learning one user's matching if they totally eclipse attack him. But as all would pay their share of the fee and makers can't earn from it, this would force attackers to provide activity that others would take for legit activity and use this great tool, which in turn would make the attacker fail to single out all honest players all the time.

In JM with its asymmetric structure with makers not actually caring about their privacy and having an incentive to share data among them, I also see the incentives aligned against anonymity.
staff
Activity: 4284
Merit: 8808
I feel like JoinMarket might be a dead end precisely due to what CoinShuffle claims to solve.
That is remarkably inexplicable to me.  JM is very actively developed by a community of developers. It was created with basically no anti-DOS mechanisms, though the original CJ post (technically the "appendix" post I made right below it) went over several different anti-DOS mechanisms, because it's perfectly reasonable to get something working before making it strong-- especially since JM's main motivation is gumming up automated analysis more than itself providing strong privacy.

But it's quite straight-forward to add in strong anti-DOS and better privacy, on top of a working and vibrant system; doubly so in that the coinshuffle description provides no special structural immunity to those dos attacks: the same anti-dos mechanisms are needed.  You shouldn't let that fact that a single person in the JM space is advocating one anti-dos method that would harm casual usage as at all indicative of ... well, anything.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
This loos nice, but if we need to change the core protocol for this, than I'm not really down. We have several altcoins to do exactly this.

It's one of it's properties to not need a protocol change. All the blinding and shuffling happens outside of the protocol and then all parties sign the resulting transaction which again is just a regular coinjoin transaction.

The reason they are working on a BIP is probably to standardize the process, not to hard-fork bitcoin.
sr. member
Activity: 574
Merit: 250
In XEM we trust
This loos nice, but if we need to change the core protocol for this, than I'm not really down. We have several altcoins to do exactly this.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
Quoting myself:
I've just started a collaboration with Kristov Atlas. We will write a BIP draft including a more detailed, development-oriented specification of the protocol including all the nitty-gritty details. We also plan talk to wallet developers and I will definitively write some code as soon as a reasonable version of the BIP is there. Contributions and collaborations are welcome in all stages, of course. Smiley
We'll provide more information, including a mailing list, soon.

Regarding JoinMarket, I'm not sure. It seems that it is not so sophisticated as CoinShuffle, but that's rather a first guess. Is there a technical description of how it works under the hood? I can only find descriptions of how to use it.
Also, JoinMarket seems to understand the problem as a economic one and someone is gets fees for enabling the mixing. CoinShuffle is different here, the participants just pay the single transactions fee for the CoinJoin transaction, which is very low and can even be split among all participants. But there is no party that gets an additional mixing fee (on top of the transaction fee).

Hi TimRuffing and Kristov Atlas,

sorry for having missed this last post somehow in my other comment.

I'd really love to help with such a reference implementation, with a wallet-integration-perspective. At Mycelium we see fungibility as a very urgent issue and having worked on a JoinMarket Proxy myself, I feel like JoinMarket might be a dead end precisely due to what CoinShuffle claims to solve. At least from the Wallet-perspective.

For this, I wonder what harm would be done if the current state of implementation was already public for others to tinker with.

I'm particularly interested in ease of integration with wallets and my focus in Joinmarket there was to not share private keys with the mixing module, which in the link above was a server but for mobile wallets could be an app working like the orbot TOR proxy locally on the device.
legendary
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
I was just pointed here from the joinmarket IRC and wonder if there is anything to add to the OP? Is there code being worked on? Is it production ready?

Bitcoin needs improved fungibility and it needs it yesterday. I remember how back in the days of BitcoinSpinner a trade partner told me that I had $xxx going through my address, which I wasn't aware at that point, and bip44 only marginally improves the situation. Most people using bitcoin today, assuming privacy, will have a surprise once they realize how horrible the bitcoin privacy actually is.

I see a couple of issues with this approach:

1. You need other participants in order to use coinshuffle. What happens when no one at the moment wants to coinshuffle X amount of Bitcoins with you? Do you just wait around?

2. Given the huge political hurdle of adding anything at the bitcoin protocol level..I presume this is not going to be at the protocol level?

Bitcoin will never truly be fungible until changes at the protocol level are made for all bitcoins in existence.
newbie
Activity: 14
Merit: 10
I've followed the JoinMarket project which I recently discovered, but I just came across this.  Is this project still active, and if so, where can I find current information?  How would this compare to JoinMarket transactions?

Quoting myself:
I've just started a collaboration with Kristov Atlas. We will write a BIP draft including a more detailed, development-oriented specification of the protocol including all the nitty-gritty details. We also plan talk to wallet developers and I will definitively write some code as soon as a reasonable version of the BIP is there. Contributions and collaborations are welcome in all stages, of course. Smiley
We'll provide more information, including a mailing list, soon.

Regarding JoinMarket, I'm not sure. It seems that it is not so sophisticated as CoinShuffle, but that's rather a first guess. Is there a technical description of how it works under the hood? I can only find descriptions of how to use it.
Also, JoinMarket seems to understand the problem as a economic one and someone is gets fees for enabling the mixing. CoinShuffle is different here, the participants just pay the single transactions fee for the CoinJoin transaction, which is very low and can even be split among all participants. But there is no party that gets an additional mixing fee (on top of the transaction fee).
legendary
Activity: 1176
Merit: 1134
Jumblr implements a fully decentralized coinshuffle. The fee is 0.1% for bitcoin, it should work for other coins also, but bitcoin shuffling is the only one that matters.

I am looking for someone to head up the marketing for this. It just went into testing this weekend.

It uses the InstantDEX/SuperNET network for the directory, but the actual coinshuffle is all between the participating nodes.

James
full member
Activity: 223
Merit: 132
I've followed the JoinMarket project which I recently discovered, but I just came across this.  Is this project still active, and if so, where can I find current information?  How would this compare to JoinMarket transactions?
legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
NXT has implemented CoinShuffle now. It will be available in the next major release (1.6.x)
legendary
Activity: 1153
Merit: 1000
Is a full working version of coinshuffle being developed? The research site says the current version was just a proof of concept for testing and not usable for real coins.

Amir says it's being worked on for Dark Wallet.

I thought they were implementing CoinJoin instead.
EDIT: true, Amir confirmed that: https://www.reddit.com/r/Bitcoin/comments/2ijsw1/the_coming_of_darkwallet/cl2qow6

On the other hand, I see a problem with CoinShuffle. The participants are supposed to sign their messages "with their addresses"; this assumes that the inputs they provide were paid to standard P2PH addresses, but they cannot use outputs sent to P2SH (those starting with a 3, e.g., "multi sig" addresses). Participants could still be required to reveal their script and then sign their handshaking rounds with a key contained there (if there is any).

Darkwallet's webpage still lists coinjoin as their shuffling method. Anyone know the status of Dark Wallet's coinshuffle implementation or any other implementations?
https://www.darkwallet.is/
hero member
Activity: 504
Merit: 500
eidoo wallet
Is this system better than DarkCoin (which is not CoinJoin like many people believe)?

Dark uses coinjoin. A system like this would eliminate Dark and all the other altcoins using coinjoin.
sr. member
Activity: 365
Merit: 250
I/O Digital Where Dreams Become Technology
Fibrecoin developed and released a privacy solution that is based on CoinShuffle
https://bitcointalksearch.org/topic/m.10834848
newbie
Activity: 53
Merit: 0
Is a full working version of coinshuffle being developed? The research site says the current version was just a proof of concept for testing and not usable for real coins.

Amir says it's being worked on for Dark Wallet.

I thought they were implementing CoinJoin instead.
EDIT: true, Amir confirmed that: https://www.reddit.com/r/Bitcoin/comments/2ijsw1/the_coming_of_darkwallet/cl2qow6

On the other hand, I see a problem with CoinShuffle. The participants are supposed to sign their messages "with their addresses"; this assumes that the inputs they provide were paid to standard P2PH addresses, but they cannot use outputs sent to P2SH (those starting with a 3, e.g., "multi sig" addresses). Participants could still be required to reveal their script and then sign their handshaking rounds with a key contained there (if there is any).
member
Activity: 114
Merit: 12
Is a full working version of coinshuffle being developed? The research site says the current version was just a proof of concept for testing and not usable for real coins.

Amir says it's being worked on for Dark Wallet.
legendary
Activity: 1153
Merit: 1000
Is a full working version of coinshuffle being developed? The research site says the current version was just a proof of concept for testing and not usable for real coins.
hero member
Activity: 672
Merit: 500
http://fuk.io - check it out!
paper looks pretty solid
full member
Activity: 221
Merit: 100
Is anyone aware of ongoing blockchain forensics tracking notable coins?
Have pretty much all stolen/hacked/scammed coins been obfuscated via mixing/shuffling?
Pages:
Jump to: