
Topic: MtGox database leak: why you should always mix your coins. (Read 4616 times)

sr. member
Activity: 434
Merit: 250
In Hashrate We Trust!
Why is it often people from eastern Europe or Russia that hack people for profit?
Don't they have any ethics at all?

I know some good hackers, they hack for fun but they never do it to hurt innocent people.
hero member
Activity: 518
Merit: 521
Remember what I was writing about CoinJoin upthread:

And here is our friendly Bitcoin core developer...

...

Well I got another reply from CORE BITCOIN DEVELOPER gmaxwell and here is my rebuttal...posting here in case he deletes my post there as he has threatened me in a private message (which I also publish below)...

https://bitcointalksearch.org/topic/m.5653238

I see those (other than gmaxwell who is not very ad hominem in his response, other than the slight "over and over" which is irrelevant to the technical response) who posted while I was sleeping have relished in their boastful snobbery.

Now let's deal with the humbling facts.

And my post to which you are replying is in fact explaining the DOS (denial-of-service) is insoluble if you can't identify the participants in order to rate-limit them.

And again in that post you admit there is a DOS problem. You didn't solve it. And you can't solve it in a decentralized setting unless you have non-ephemeral identification of the participants. Which is precisely the point of my prior post to which you are replying.

You are asserting it, (over and over again) but it doesn't make it true. It was explained in adequate detail previously enough for other people to understand it and implement tools that address it.

Quote
Incorrect. What I wrote is functionally equivalent to what you described. The point is the transaction can be jammed in the final round.

It's actually not, since it's not actually possible in the Bitcoin protocol to do what (it sounds like) you're describing, but more importantly performing the operation in that order defeats the anti-dos. If you lead with the inputs they provide a trivial anti-dos mechanism.

And precisely how do you identify which input is the adversary when the correlation of the inputs and the outputs is necessarily cryptographically blinded?

As far as I can see, you can't.

I am confident that now you see the functionality w.r.t. anti-DOS of what I described and what you described is equivalent, i.e. anyone who is the least bit mathematical can see that the salient mathematical foundation of CoinJoin is that the correlation between the inputs and outputs must be cryptographically blinded, thus it makes no difference mathematically for anti-DOS whether the inputs or outputs are specified in the first round of the protocol.

As for whether my proposed protocol of putting the outputs in the first round is implementable on the Bitcoin blockchain, it is irrelevant since we are talking about a general protocol here and an altcoin could be designed to allow a transaction where outputs and inputs can be signed to point to the transaction nonce (a hash of any number) plus the addresses of the inputs OR outputs. I didn't bother to check how Bitcoin signs the transactions, because it is conceptually irrelevant to our discussion. Perhaps in Bitcoin the signature of the transaction must include all the inputs AND outputs. The reason I presented my formulation (in fact I mentioned the ring signatures idea from Adam Back in the Zerocoin thread months ago in this thread) is because it is more powerful conceptually than the one gmaxwell described. I thought gmaxwell would appreciate that since I think he is a math guy.

Quote
And exactly how do you propose to identify that adversary in a decentralized setting?  Wink My point is you can't, at least not without breaking anonymity, and anonymity was the entire point of mixing.

Because they fail to sign. There is no need to identify them beyond identifying their input coins to achieve rate limiting, and no need to identify the input/output correspondence.

I'll repeat it, since maybe other people are having problems following the link:

I will quote from your more detailed description upthread.

This is an extremely interesting idea.  Could you elaborate on how the Zerocoin transaction stages map to the stages of CoinJoin transaction creation?

For non-decentralized CoinJoin, you simply pass around a transaction and sign it. It's a single sequence and an atomic transaction, you'd make two loops through the users, one to discover the inputs and outputs, and another to sign them. There really aren't stages to it.

Making a decentralized CoinJoin secure, private, and resistant to DOS attack (people refusing to sign in order to make it fail) is trickier... for the privacy and dos attack resistance you can use ZC:

Presume the participants for a transaction are sharing some multicast medium and can all communicate.  They need to accomplish the task of offering up inputs (txid:vout) for inclusion in the transaction and then, in an unlinkable way, providing outputs to receive their coins.

Each participant connects and names bitcoin input(s), an address for change (if needed), and the result of performing a ZC mint transaction to add to the ZC accumulator. They sign all this with the keys for the corresponding inputs proving it's theirs to spend.

Then all the parties connect again anonymously and provide ZC redeem transactions which specify where the resulting bitcoins should go.

Zerocoin (ZC) requires a trusted party to generate the parameters, thus it is the antithesis of decentralized, so you have a logical error above.

https://github.com/Zerocoin/libzerocoin/wiki/Generating-Zerocoin-parameters

This isn't the only way to do this in a decentralized manner, the way to do it with blind signatures is fairly similar:

Each participant connects, names Bitcoin input(s), an address for change (if needed), a key for blind signing, and a blinded hash of the address they want paid. They sign all this with the keys for the corresponding inputs proving it's theirs to spend.

Each participant then blind signs the blinded hashes of all participants (including themselves).

And so how can you correlate which input is the one who didn't blind sign all?

As far as I can see, you can't.

I've dug very deep (into cryptography research papers) lately into trying to find a way to delink inputs from outputs without a trusted party, and I have realized that mathematically it can't be done. It is a fundamental conceptualization.

The only way to delink without anti-DOS is to use an accumulator commitment scheme with common NP-hard parameters that can be presented in an NIZKP (non-interactive zero knowledge proof) which will always require a trusted party to generate the common parameters for the trapdoor math.

This is just one example of a way to address this. There are several other ones possible— and discussed early on in this thread.  Other ones include publishing commitments and then if the process fails having everyone reveal their intended outputs (which they then discard and never use) in order to avoid being banned, or using an anonymous accumulator instead of blind signing to control access.

That isn't anti-DOS.

Each spender commits a hash of his intended output. Then everyone does the blinded protocol. If the blinded protocol fails, everyone including the adversary reveals the link between inputs and outputs, because by definition the output key must be an abundant resource so that it is not costly to reveal it and generate a new one to try again.

, or using an anonymous accumulator instead of blind signing to control access.

A ZKP + accumulator isn't decentralized as I explained above.

Tada!  Tongue


Here is the private message he sent me and my response to him... (bold emphasis is mine)

Go read my post in his thread from yesterday. It wasn't belligerent. It was a discussion of the technical issues and asked for technical comments. How is discussing technical facts belligerent?

Looks to me like below he is trying to justify an imminent abuse of his authority...

Note about the veracity and quality of my technical arguments, perhaps this one by me about the quantum computing threat qualifies.

AnonMint, Every post you've made here has been error and confusion.
Keep your ad hominem attacks out of it please. I asked kindly for technical comments.

It wasn't an ad hominem— I'm not expressing any opinion about your character. I can only assume that if you treat other people like you do people on the forum that you'd be starving in the streets or incarcerated, so presumably you're actually a nice person when you're not hiding behind a pseudonym on a Bitcoin forum...

Regardless, your behavior in the technical subforum is not very productive.  I have warned you previously.  Your responses come across as universally belligerent which is particularly aggravating to people because they are often confused in the technical details. Whatever approach you are using is not effectively communicating to people and not getting you useful answers because many people have you on ignore.

Your posts have been cited as an example by technical experts as to why they no longer participate in the forum... and I've certainly experienced it myself.

If you do not adopt a style which is less aggressive or up your level of technical mastery to the nearly flawless state which would be required to justify your aggressiveness I will exclude you from the technical subforum.

Cheers.  
hero member
Activity: 784
Merit: 1000
https://youtu.be/PZm8TTLR2NU
Information is power. Never give it away.
The internet & cryptocurrency are the beginnings of a world where this paradigm no longer holds sway. That is the world I want to live in.

"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."

Free flow of information. Wikipedia. Torrents. Cryptocurrency. Our technology is taking us in a direction away from centralization of power. Away from dictators and sociopaths running our world.

Mankind's age of empires is over. The future is about decentralization, cooperation, openness, transparency, and truth.

Well said sir.  I too want to live in that world.
We are building it together, my friend. Right now.

http://www.youtube.com/watch?v=yhzNhLgPX9o

"We're all here to do what we're all here to do. I'm interested in one thing, Neo. The future. And believe me, I know - the only way to get there is together."
-The Oracle
full member
Activity: 140
Merit: 100
Put your trust in MATH.
Information is power. Never give it away.
The internet & cryptocurrency are the beginnings of a world where this paradigm no longer holds sway. That is the world I want to live in.

"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."

Free flow of information. Wikipedia. Torrents. Cryptocurrency. Our technology is taking us in a direction away from centralization of power. Away from dictators and sociopaths running our world.

Mankind's age of empires is over. The future is about decentralization, cooperation, openness, transparency, and truth.

Well said sir.  I too want to live in that world.
hero member
Activity: 784
Merit: 1000
https://youtu.be/PZm8TTLR2NU
Information is power. Never give it away.
The internet & cryptocurrency are the beginnings of a world where this paradigm no longer holds sway. That is the world I want to live in.

"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."

Free flow of information. Wikipedia. Torrents. Cryptocurrency. Our technology is taking us in a direction away from centralization of power. Away from dictators and sociopaths running our world.

Mankind's age of empires is over. The future is about decentralization, cooperation, openness, transparency, and truth.
legendary
Activity: 1148
Merit: 1018
I don't see how mixing coins is supposed to protect my identity.

What is the argument?

Bitcoin is pseudoanonymous: as soon as someone links one of your addresses to you (because you made a payment to him, or because a database of a service such as Gox is leaked) then he can learn your total BTC balance - or at least the total BTC balance of the wallet to which that address belongs - with trivial blockchain analysis.

By mixing your coins you make that task much more difficult, and thus you eliminate yourself from the list of easy targets in a situation as per the Gox database leak.

Said with other words: by not mixing your coins you are revealing your whole balance to the recipient of every transaction you make... And that is an important privacy breach.
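Added illustration (not part of the post, and not any real analysis tool): a toy of the "trivial blockchain analysis" the post refers to. It runs the common-input-ownership heuristic (all inputs of one transaction are assumed to belong to one owner) over a constructed ledger, then reports what one leaked address reveals. All transaction ids, addresses and amounts are made up; fees are ignored.

```python
from collections import defaultdict


def _mine(txid, addr, amount):
    # Coinbase-style transaction: no inputs, one output (constructed).
    return {"txid": txid, "inputs": [], "outputs": [(addr, amount)]}


# Constructed history. Alice mines to A1..A3, Bob and Carol mine to B1 and C1.
UNMIXED = [
    _mine("m1", "A1", 50), _mine("m2", "A2", 50), _mine("m3", "A3", 50),
    _mine("m4", "B1", 125), _mine("m5", "C1", 125),
    # Alice deposits 5 BTC at the exchange; her wallet co-spends A1 and A2 and
    # sends the change back to the reused address A1.
    {"txid": "dep", "inputs": [("m1", 0), ("m2", 0)],
     "outputs": [("GOXDEP", 5), ("A1", 95)]},
    # Later she pays a merchant 20 BTC, co-spending that change with A3.
    {"txid": "pay", "inputs": [("dep", 1), ("m3", 0)],
     "outputs": [("MERCH", 20), ("A1", 125)]},
]

# Same history, followed by an equal-output CoinJoin of Alice, Bob and Carol.
# Which of X1..X3 belongs to whom is not visible on chain.
MIXED = UNMIXED + [
    {"txid": "cj", "inputs": [("pay", 1), ("m4", 0), ("m5", 0)],
     "outputs": [("X1", 125), ("X2", 125), ("X3", 125)]},
]


def output_table(txs):
    """(txid, vout) -> (address, amount) for every output ever created."""
    return {(tx["txid"], i): out
            for tx in txs for i, out in enumerate(tx["outputs"])}


def cluster(txs):
    """Common-input-ownership heuristic with union-find: the addresses behind
    all inputs of a transaction are merged into one cluster."""
    outs = output_table(txs)
    parent = {addr: addr for addr, _ in outs.values()}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        addrs = [outs[ref][0] for ref in tx["inputs"]]
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    return {a: find(a) for a in parent}


def unspent_by_address(txs):
    """Current balance per address: outputs never referenced as an input."""
    outs = output_table(txs)
    spent = {ref for tx in txs for ref in tx["inputs"]}
    balance = defaultdict(int)
    for ref, (addr, amount) in outs.items():
        if ref not in spent:
            balance[addr] += amount
    return balance


def linked_balance(txs, leaked_addr):
    """What an analyst learns from a single leaked address: the addresses the
    heuristic attributes to the same owner, and their unspent total."""
    roots = cluster(txs)
    addrs = {a for a, r in roots.items() if r == roots[leaked_addr]}
    balance = unspent_by_address(txs)
    return addrs, sum(balance[a] for a in addrs)
```

On the unmixed history a leaked `A1` yields Alice's whole wallet and its full 125 BTC balance. On the mixed history the same heuristic merges Bob's and Carol's addresses into the cluster (a wrong answer) and attributes 0 BTC to it, because the CoinJoin outputs cannot be assigned to any input without extra information.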
legendary
Activity: 1148
Merit: 1018
...
Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.
...

NSA views encryption as evidence of suspicion and will target those who use it:

https://bitcointalksearch.org/topic/nsa-views-encryption-as-evidence-of-suspicion-and-will-target-those-who-use-it-511198

That's why everybody should use encryption by default. For years I've been using the Tor Browser Bundle for 50%+ of my browsing, basically for everything that is not linked with my real identity (banking stuff and such), and also for my QT instances, Bitmessage, IRC and so on. I also use PGP to sign (and sometimes also to encrypt) important work communications. I may be putting a red target on my back, but I confess I'm not worried about it. If they decide to look into me they will just waste their time as I'm not doing anything illegal; for me end-to-end encryption and onion routing for standard browsing are just healthy safety procedures that everybody should use. If I were doing something illegal, which I'm not, I would use Tor/encryption in a very different way: first and foremost I would have a dedicated machine in which I would run throwaway VM instances connecting through chained VPNs with very strict firewall rules, with Tor at the very end of such a chain - and I would obviously never connect for such activities from any network also used for my non-illegal activity. I'd say that is just common sense - and wildly offtopic: the OP is about using easy procedures to avoid being an easy target for script kiddies and/or meatspace criminals targeting "bitcoin users" as a whole.
legendary
Activity: 1736
Merit: 1006
...
Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.
...

NSA views encryption as evidence of suspicion and will target those who use it:

https://bitcointalksearch.org/topic/nsa-views-encryption-as-evidence-of-suspicion-and-will-target-those-who-use-it-511198

A certain three letter agency should turn their all-seeing digital spotlight on themselves with that same air of moral heroism.
sr. member
Activity: 420
Merit: 250
True... As of recent a lot of people have been saying watch out for criminal activity/community/etc.   Who has been approached/affected/threatened?

promoJo
full member
Activity: 392
Merit: 116
Worlds Simplest Cryptocurrency Wallet
I don't see how mixing coins is supposed to protect my identity.

What is the argument?
hero member
Activity: 518
Merit: 521
...
Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.
...

NSA views encryption as evidence of suspicion and will target those who use it:

https://bitcointalksearch.org/topic/nsa-views-encryption-as-evidence-of-suspicion-and-will-target-those-who-use-it-511198
legendary
Activity: 1148
Merit: 1018
After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

LOL, yeah but, didn't those same users just lose their ass and are now broke?

Not at all. Only a minority of Gox customers still had positive balances, the majority had already left Gox for good in the past, I'd say that an "orderly stampede" started to happen after the many red flags that were blatantly obvious since at least April, 2013 - just check the leaked info, the accounts with positive balances are just a fraction of the total Gox userbase.
hero member
Activity: 518
Merit: 521
LOL, yeah but, didn't those same users just lose their ass and are now broke?

The OP is also about people who cashed out before the Mt.Gox problems, yet their data may still have been leaked after the cash out event.
full member
Activity: 140
Merit: 100
Put your trust in MATH.
After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

LOL, yeah but, didn't those same users just lose their ass and are now broke?
hero member
Activity: 518
Merit: 521
And here is our friendly Bitcoin core developer...

AnonMint, Every post you've made here has been error and confusion.

Keep your ad hominem attacks out of it please. I asked kindly for technical comments.

The very first post in the thread points out that decentralized versions take more work because of the anti-DOS proofing.

And my post to which you are replying is in fact explaining the DOS (denial-of-service) is insoluble if you can't identify the participants in order to rate-limit them.

[A couple posts down](https://bitcointalksearch.org/topic/m.2984051) I give some examples of how it can be done.

And again in that post you admit there is a DOS problem. You didn't solve it. And you can't solve it in a decentralized setting unless you have non-ephemeral identification of the participants. Which is precisely the point of my prior post to which you are replying.

You're presuming a broken model that I don't believe anyone here has ever suggested.

Incorrect. What I wrote is functionally equivalent to what you described. The point is the transaction can be jammed in the final round.

Since you didn't see the equivalence let me explain it. I thought you were smart enough to deduce such things. I chose to let the signatures of inputs go in the second and final round and point to a transaction because I envisioned using ring signatures. And the transaction won't be valid (blockchain will reject it) if the inputs are less than the outputs, so my version is just as safe as yours. And the DOS problem is equivalent. Come on you are a math guy, you can surely see that without me needing to explain it you.

And if you think about it a while you will realize, by inverting the operations and using a ring signature, mine has advantages such as that not all have to sign in the first round before proceeding to the second round (they get excluded from second round too). Yet the DOS issue remains in the final.

You'd always begin the protocol by specifying the inputs in which you intend to sign. Signature authority over inputs is the principal scarcity that allows you to make the system dos-attack resistant. After the inputs are signed, outputs can be specified in a cheat proof way, and then the only avenue for disruption is refusing to sign which can be addressed by blacklisting your inputs (and other rate limiting tokens) and restarting.

Well now you see your error. You can reread my post again, and admit I was correct.

From your upthread post:

If a party fails to sign, everyone else is convinced that its because they are jamming the process (intentionally or maliciously) and then can all ban (ignore in the future) whatever costly identity they used to enter the mix, or — if there is no other mechanism— that particular txin which they used.

And exactly how do you propose to identify that adversary in a decentralized setting?  Wink My point is you can't, at least not without breaking anonymity, and anonymity was the entire point of mixing.
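Added example, serving both this post and the longer exchange above about blind-signed outputs: a Python simulation of the input-first decentralized CoinJoin rounds gmaxwell describes (announce and sign inputs, contribute unlinkable outputs, sign the assembled transaction; a party that fails to sign is attributed by the input it announced, and a party that commits but never reveals an output is caught by the "everyone opens their commitment and discards that output" fallback). This is illustration code, not the thread's or any CoinJoin project's; hash commitments stand in for blind signatures, HMAC stands in for ECDSA, a shuffle stands in for the anonymous channel, and every name, txin and key is constructed.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass, field


def h(*parts: bytes) -> bytes:
    """SHA-256 over the joined parts; used for commitments and the tx digest."""
    return hashlib.sha256(b"|".join(parts)).digest()


@dataclass
class Participant:
    name: str
    txin: str                        # "txid:vout" this party can spend (constructed)
    key: bytes                       # stand-in for the private key controlling txin
    refuse_final_sign: bool = False  # saboteur style 1: joins, then won't sign the tx
    withhold_output: bool = False    # saboteur style 2: commits, never reveals an output
    gen: int = 0                     # bumped whenever an output address had to be burned
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def output(self) -> str:
        return f"{self.name}_addr{self.gen}"

    def commitment(self) -> bytes:
        # Hash commitment standing in for the blinded output hash: it binds the
        # output but links nothing to txin until the nonce is opened.
        return h(self.output().encode(), self.nonce)

    def sign(self, msg: bytes) -> bytes:
        # HMAC keyed with the input key stands in for a signature by that key.
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def burn_output(self) -> None:
        # An opened commitment links txin to this address: never use it again.
        self.gen += 1
        self.nonce = secrets.token_bytes(16)


def verify(pubkeys, txin, msg, sig) -> bool:
    # pubkeys stands in for looking up the UTXO's scriptPubKey on chain.
    expected = hmac.new(pubkeys[txin], msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def attempt(active, pubkeys, blacklist):
    """One pass through the three rounds. Returns the tx, or None after adding
    the txin(s) responsible for the failure to blacklist."""
    # Round 1, inputs first: a slot in the mix costs control of a real txin.
    announced = {}
    for p in active:
        msg = b"announce|" + p.txin.encode() + b"|" + p.commitment()
        if not verify(pubkeys, p.txin, msg, p.sign(msg)):
            blacklist.add(p.txin)
            return None
        announced[p.txin] = p.commitment()
    commitments = set(announced.values())

    # Round 2: outputs arrive over an anonymous channel (modelled by a shuffle).
    # An output is accepted if it opens some commitment; nothing here reveals
    # which txin it belongs to.
    reveals = [(p.output(), p.nonce) for p in active if not p.withhold_output]
    random.shuffle(reveals)
    outputs = sorted(o for o, n in reveals if h(o.encode(), n) in commitments)
    if len(outputs) < len(active):
        # Fallback from the thread: everyone opens their commitment (linking
        # txin to an output that is then discarded); whoever cannot is banned.
        for p in active:
            if p.withhold_output:
                blacklist.add(p.txin)
            else:
                p.burn_output()
        return None

    # Round 3: everyone signs the assembled tx. A missing signature is
    # attributed to the txin it should have come from; the input/output
    # correspondence is never needed for that.
    tx = {"inputs": sorted(announced), "outputs": outputs}
    digest = h(repr(tx).encode())
    signed = {p.txin for p in active if not p.refuse_final_sign
              and verify(pubkeys, p.txin, digest, p.sign(digest))}
    missing = set(announced) - signed
    if missing:
        blacklist.update(missing)
        return None
    return tx


def coinjoin(participants, max_attempts=5):
    """Retry the rounds, dropping blacklisted inputs, until a tx forms."""
    pubkeys = {p.txin: p.key for p in participants}
    blacklist = set()
    for _ in range(max_attempts):
        active = [p for p in participants if p.txin not in blacklist]
        tx = attempt(active, pubkeys, blacklist)
        if tx is not None:
            return tx, blacklist
    return None, blacklist
```

With Alice, Bob and a Mallory who refuses the final signature, the first attempt fails, Mallory's txin lands on the blacklist, and the second attempt produces a transaction spending only Alice's and Bob's inputs. A Mallory who withholds her output instead triggers the fallback: she is banned, and the honest parties retry with fresh output addresses because their first ones were exposed when the commitments were opened.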
hero member
Activity: 518
Merit: 521
Anonymint: we are not discussing being safe against a global adversary such as the NSA, we all know that mixers + Tor is probably not enough to defeat them because of honeypots, timing attacks, deep packet inspection, etc...

We are discussing using basic security procedures in order not to be "the low hanging fruit" and thus being reasonably safe against the casual hacker/criminal doing trivial blockchain and network analysis to easily link identities to BTC balances. For that purpose running your wallet through Tor and using a decentralized and trustless mixer such as coinjoin should be enough.

The government and the criminals are sometimes one and the same.

But (uninformed) trust is all that is holding up the $150 trillion in fractional reserves, so you won't find too many people that subscribe to my view (yet). They will learn by 2020.

And you did not address my technical point about CoinJoin, which has nothing to do with the NSA.

In short, we are pretty well f8cked approaching the 2016ish global conflagrapocalpyse.


Adam Back (the creator of Hashcash which Bitcoin is based on) explains the anonymity problem (jump to 24:25 mins into the video).
legendary
Activity: 1148
Merit: 1018
Anonymint: we are not discussing being safe against a global adversary such as the NSA, we all know that mixers + Tor is probably not enough to defeat them because of honeypots, timing attacks, deep packet inspection, etc...

We are discussing using basic security procedures in order not to be "the low hanging fruit" and thus being reasonably safe against the casual hacker/criminal doing trivial blockchain and network analysis to easily link identities to BTC balances. For that purpose running your wallet through Tor and using a decentralized and trustless mixer such as coinjoin should be enough.
hero member
Activity: 518
Merit: 521
Listen up please to learn some new technical information...

Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.

...

Tumblers like bitcoinfog provide better obfuscation, but the (huge) trade-off is that you should trust an unknown third party. I'd never risk more than 1% of my holdings to such services, but I think the service they provide is necessary and should be used, albeit with care and with just a very minor portion of ones funds at a time.

Problem is there is no way to know if a centralized service (VPN, exchange, mixer, tumbler, laundry) is hacked, under NSA gag order, dishonest, buggy, etc..

Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.

A decentralized solution is always best, as it should look like regular transactions.

Yes, I think CoinJoin should be a very good start.  But do any really decentralised and fully working implementations of CoinJoin exist already?  I don't think so and would be interested to know if they are.

I'm not aware of any either but don't let that deter you from using one of the already existing solutions even if they aren't perfect.

A decentralized CoinJoin will have difficulty forming transactions (including unequal or equal transaction amounts) that look like this if anyone can join:

https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b?show_adv=true

A sharedcoin transaction will look something like this: https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b (picked at random). As you can see multiple inputs and outputs make the determining the actual sender and receiver more difficult.

The server does not need to keep any logs and transactions are only kept in memory for a short time. However If the server was compromised or under subpoena it could be force...

Because the way it must work is the users sign the transaction first with their requested outputs, then in the second round they sign their payments as inputs to the transaction. If the payment inputs are less than the total, then the transaction is invalid. There is no way to determine who cheated and rate limit them. Thus the saboteur can stomp on every attempt to create a CoinJoin transaction and destroy the decentralized system.

DarkCoin says they can solve this by charging a fee, but you will see I originally proposed that idea in the CoinJoin thread and the requirement is all the participants must be permanently identified and then must use divide-and-conquer to whittle down to who was the saboteur. But identification defeats the mixing!

Thus I have not yet seen a workable decentralized CoinJoin that can scale. And I don't expect one.

I posted this to the CoinJoin thread to get their technical peer-review of my statement.

Now, if the zerocoin concept would be implemented in bitcoin, it would be cool.

Just forget zerocoin even in an altcoin it won't work. Because it requires a trusted person to hold the private key that can unlock everything including taking all the zerocoins. This can't be fixed (contrary to ruminations otherwise), it is a fundamental mathematical property of the way zero knowledge proofs work when combined with an accumulator.

Also zerocoin has to be dedicated to preset transactions amounts (e.g. 1 BTC) else the anonymity set can be trivially collapsed by comparing input and output transaction amounts.

Never recommend noobs to use Tor, it's a honeypot where they are worse off than not using Tor at all.
Noobs should use a trustworthy VPN instead.
The optimal solution is VPN + Tor.

Not if you stay in-network. Unfortunately, my services (bitcoin node) are not tor-enabled yet. Namecoin has the potential to facilitate this with human-readable addresses as well.

Not true. Tor is always subject to timing analysis by an entity such as the NSA (which is recording and storing nearly all global encrypted traffic in Utah) which can see the encrypted packets running between Tor nodes.

Popular VPNs are also very likely all honeypots and unpopular ones give only a small anonymity set.

Currently the only known way to be reliably anonymous is use a connection to the internet that can't be traced to you, e.g. netcafe without cameras anywhere and don't drive your car as that has secret tracking built-in according to CEO of Ford, a throw-away mobile device and SIM that doesn't have your id registered and used for no other activity, etc.
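Added example (not from the post or from any mixer) for the remark above that a mixing transaction with unequal amounts can be "trivially collapsed by comparing input and output transaction amounts", and for the earlier aside about equal versus unequal CoinJoin amounts: a small search that enumerates every way the inputs of one joint transaction can be assigned to its outputs so that each output is paid exactly. Fees and change are not modelled, and the amounts are constructed.

```python
def linkings(inputs, outputs):
    """Return every assignment of inputs to outputs (as a tuple giving the
    output index each input pays into) under which all outputs are paid
    exactly. One assignment means the amounts alone reveal who paid whom;
    many assignments mean the amounts leave genuine ambiguity."""
    if sum(inputs) != sum(outputs):
        return []
    remaining = list(outputs)   # how much each output still needs
    choice = [None] * len(inputs)
    found = []

    def assign(i):
        if i == len(inputs):
            if all(r == 0 for r in remaining):
                found.append(tuple(choice))
            return
        for j in range(len(remaining)):
            if remaining[j] >= inputs[i]:
                remaining[j] -= inputs[i]
                choice[i] = j
                assign(i + 1)
                remaining[j] += inputs[i]

    assign(0)
    return found


def anonymity_set(inputs, outputs):
    """Number of amount-consistent linkings; 1 means fully de-anonymised."""
    return len(linkings(inputs, outputs))
```

Three parties joining with 10, 25 and 40 BTC and paying out 10, 25 and 40 BTC leave exactly one consistent linking, so the join hides nothing. The same three parties each contributing 125 BTC to three 125 BTC outputs admit all six permutations, which is why mixers and Zerocoin-style schemes work in fixed denominations.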
legendary
Activity: 1148
Merit: 1018
Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.
Never recommend noobs to use Tor, it's a honeypot where they are worse off than not using Tor at all.

I disagree, with a caveat: do not use Tor to access stuff linked with your real name, and always use end to end encryption to avoid eavesdropping.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
Never recommend noobs to use Tor, it's a honeypot where they are worse off than not using Tor at all.
Noobs should use a trustworthy VPN instead.
The optimal solution is VPN + Tor.

Not if you stay in-network. Unfortunately, my services (bitcoin node) are not tor-enabled yet. Namecoin has the potential to facilitate this with human-readable addresses as well.