Topic: The perfectly anonymous coin - general ideas (Read 978 times)

hero member
Activity: 725
Merit: 501
Boycott Qatar 2022
I don't think anon is a real world problem that needs to be solved. It is more of a gimmick and possibly useful for illegal acts, but otherwise why bother.

Because I don't want my wife to divorce me (or own me in court) because she linked my BTC address to a camgirl's BTC address.

Because I don't want a competing company to know my billing history.

Because I don't want my boss to fire me (or not promote me, ever) because he linked my BTC account with a trade union.

Because I don't want my Republican Senator knowing that I donated to my Democratic Representative.

Because I don't want marketing companies targeting me based off of linkages they made off the BTC blockchain.

Because I believe in the cypherpunk dream of digital cash, and not in the BTC apology of "it's good enough!"

Because I want control of my finances without it being broadcast for the whole world to eavesdrop on.


+1
 
We should be able to spend our crypto just like cash, anonymously.

sr. member
Activity: 266
Merit: 250
I don't think anon is a real world problem that needs to be solved. It is more of a gimmick and possibly useful for illegal acts, but otherwise why bother.
legendary
Activity: 1778
Merit: 1000
NAVAJOCOIN is coming up. Serious work is being done here - DEVs are perfecting the code.
legendary
Activity: 2758
Merit: 1075
Have you seen Crave? It does anon pretty gd.
hero member
Activity: 672
Merit: 500
GEOcoin, drop em on a map, someone else pick em up

Cool, I'm buying 100 BTC worth.
member
Activity: 71
Merit: 10
GEOcoin, drop em on a map, someone else pick em up
legendary
Activity: 1276
Merit: 1001
My impression of ring signatures is that only a limited number of people can participate in each ring signature

That is kinda correct. Selecting more other outputs to mix with increases the tx size, which increases the fee you have to pay for this tx to get mined. There is also an instantaneous block size limit, which prevents "too large" transactions from being included, but that limit grows as usage grows.

There is a paper that can sign in O(N^1/2), I believe, which is being looked at by the Monero labs people (and maybe other CN coins). If this was found to be usable, you could then have huge mixins for a much more reasonable fee. There's also a proposal from... adam3us, I think? offering a linear size reduction (at the cost of a slightly larger constant, IIRC).

For CN coins, the ring signature is made for a denomination, by the way, so this process is repeated for each denomination.

(I'm not sure of how it is arranged which ones participate). For example, in one instance when I tried only 10 could participate, so the probability is 1/10 that a member of the ring did the transaction, which is far less anonymous than the theoretical 1/N, where N=all users of the coin.

Choice is (theoretically) arbitrary. I believe it's currently a uniform distribution, but it could be anything. You could even select whatever outputs you like in the blockchain AIUI.

Also, I'm not sure to what extent one can analyze standard denominations and sums of them etc with Cryptonote coins. One problem is that some transaction sizes (small or large) might be less common than others, reducing anonymity. Is the transaction size hidden in a ring signature?

There are attacks. See https://lab.getmonero.org/ and in particular the 1 and 4, and the proposed changes in 4 to mitigate and prevent some.

Also, when ring signatures include old transactions, can this be arbitrarily far back in time?

As far back as the first tx that includes an output of the size you need. Which is pretty much near the start of the chain, unless you happen to want a denomination that's 10% of the supply or so.

newbie
Activity: 9
Merit: 0
Quote

Step 3 seems unnecessary. AFAIK cryptonote coins achieve this same effect by including old transactions with new transactions in the ring signature.  Steps 1 and 2 also are covered by ring signature coins. Step 4 might always be up to the sender--though zerocash or quantum money might be able to fix this in the future (not sure as most of this work is still fringe).

I just don't know enough about ring signatures - I wish someone would explain them to me.

My impression of ring signatures is that only a limited number of people can participate in each ring signature (I'm not sure of how it is arranged which ones participate). For example, in one instance when I tried only 10 could participate, so the probability is 1/10 that a member of the ring did the transaction, which is far less anonymous than the theoretical 1/N, where N=all users of the coin.

Also, I'm not sure to what extent one can analyze standard denominations and sums of them etc with Cryptonote coins. One problem is that some transaction sizes (small or large) might be less common than others, reducing anonymity. Is the transaction size hidden in a ring signature?

Also, when ring signatures include old transactions, can this be arbitrarily far back in time?
legendary
Activity: 1750
Merit: 1036
Facts are more efficient than fud
newbie
Activity: 9
Merit: 0
Could it in theory be possible to create the perfectly anonymous coin?

Note the below example is completely unrealistic because of the growth in blockchain size it would imply, but it is still interesting as a theoretical construction or a way to take anonymity to the limit.

I am aware of systems such as Cryptonote, Shadowcoin and BitcoinDark, but I'm no expert on them and I'm not sure to what extent they achieve the "perfect anonymity" described below.

First, my definition of anonymous simply means that the probability that a certain person did something is the same for all persons. So if there are N people using the system, then the probability that a certain act was done by any person is 1/N. Here the key concept is "any act": for example, it could be sending a transaction of a certain size (and/or amount) in a time interval, or just sending any transaction in a time interval, or sending something to a certain address.

The below coin is not meant so much for practical use, but as a pure anonymization tool. For example:

Bitcoin ->(exchange)-> Perfectly anonymous coin ->(super anonymous transaction)-> Perfectly anonymous coin ->(exchange)-> Bitcoin in a new unused wallet.

As I see it the following conditions would have to be satisfied:
("Analyze" here means statistically correlate, deducing probabilities that are not equal to 1/N for everyone etc)

0) Enough people (N)
1) Impossible to analyze transaction amounts and sizes.
2) Impossible to analyze address usage
3) Impossible to analyze timestamps
4) Hide IP addresses


Here are the conditions in more detail:

0) Enough people (N) must use the coin. This cannot be enforced and is not part of the technology as such.


1) It should be impossible to track transactions of certain sizes (both size in bytes and amount in coins). This could be accomplished by forcing all transactions to be of the form: "1 coin from A to B", where A and B are addresses. For example, if you want to send 100 coins, you must send 100 transactions of 1 coin each. Transactions of less than 1 coin are not allowed. Messages are not allowed. I guess this would mean that the price of 1 coin should not be too high - but maybe that will be self-regulating? If the price of 1 coin was too high, fewer people would use it and the price would go down.
That the only allowed transaction is "1 coin A to B" could be enforced by miners - every other transaction is treated as invalid and is ignored. Of course I'm completely ignoring the issue of fees.


2) Tracking addresses should be impossible. Every address should be deposited to only once and can only contain 1 coin. When the coin is sent, the address must never be used again.
How to enforce? One way is with the software, but this still leaves open the possibility of someone making their own client that re-uses addresses, which might ruin anonymity for themselves, but also for others. Maybe the miners could ignore all transactions that use an address that has been used up (received and sent 1 coin). However, the list of used addresses for them to keep track of would be staggering? (They are stored on the blockchain.)
An example:
So if you receive 56 coins from someone, the only allowable way to do that would be to receive 1 coin at a time, each to a different address that has never been used before. The problem is that the sender knows that these addresses are likely to all belong to the same receiver, which would allow the sender to further analyze that person's transactions in the future. Maybe one must use some sort of stealth addresses like in Cryptonote or similar?

edit: Because of 3) below, the sender cannot analyze what happens to the money sent, because the receiver is forced to send the money to new addresses, either his own or somebody else's.


3) Analysis of timestamps must be impossible: If a transaction takes place when it is daytime in the Pacific, then it is more probable that a person living there has made the transaction - hence ruining the perfect 1/N probability which is anonymity. If you know when someone comes home each day, a person's habits with respect to time, then timestamps would ruin anonymity, but only if the users themselves can choose when to make transactions. Therefore:
All users are forced to send precisely 1 coin every x minutes, either to themselves or someone else following the above rules. The problem here is enforcement - the client software could do this automatically, but anyone could make their own client not following these rules. If x is too long a time, then you would only be able to send and receive every so often, and if x is small, the blockchain would grow rapidly. Still maybe one cannot rule out the idea of such a currency being used for a limited amount of time for pure anonymization purposes and then stop using it when the blockchain is too large and start over again?
Another problem is that the timestamps will not necessarily be exactly equally divided because of differences in network speed for different people, which could be used to create profiles, hence contributing to de-anonymization. Another option is to send in randomly distributed times, but they must be truly random in that the time intervals must not be serially correlated or in any other way non-random.


4) Hiding IP addresses: This I simply assume that all users can do themselves using suitable proxies/TOR/I2P etc., or alternatively that the client has a built-in proxy. I don't consider this an interesting part of the coin's protocol as such; I'm more interested in a completely non-analyzable blockchain.



If the above assumptions are met the entire blockchain would look something like this:

1 coin A->B  Time: T0 + x*1
1 coin C->D  Time: T0 + x*1
1 coin E->F  Time: T0 + x*1
1 coin G->H  Time: T0 + x*1
....
1 coin I->J  Time: T0 + x*2
1 coin B->L  Time: T0 + x*2
1 coin M->N  Time: T0 + x*2
1 coin O->P  Time: T0 + x*2
....

.......



As I see it this would be completely impossible to analyze. You cannot see just by looking at the blockchain which addresses belong to the same person (unless you have the private key) and every address is used for only one input and one output. You don't know which transactions are people sending to another person or to themselves because everyone sends all the time. You cannot track transaction sizes because they are all equal.
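An added example, not code from the thread: a small Python checker for a ledger that follows conditions 1 to 3 above (exactly 1 coin per transaction and no messages, each address funded once and spent at most once, timestamps on the T0 + x*k grid). T0, X, the "COINBASE" marker for newly minted coins and the two sample ledgers are constructed; the per-user cadence from condition 3 is deliberately left unchecked, because the ledger alone cannot attribute addresses to users, which is exactly the enforcement gap the post points out.

```python
from collections import Counter

# Constructed parameters (not from the thread): T0 is the chain start,
# X is the interval x (10 minutes), "COINBASE" marks newly minted coins.
T0, X, COINBASE = 1_000_000, 600, "COINBASE"


def check_ledger(txs, t0=T0, x=X):
    """Return a list of rule violations for (amount, src, dst, time) tuples.

    Rule 1: every transaction moves exactly 1 coin and carries nothing else.
    Rule 2: an address is funded once, spent at most once, and only after
            it was funded (so no address is ever re-used).
    Rule 3: every timestamp sits on a slot boundary t0 + x*k with k >= 1.
    The per-user "one send per slot" cadence is NOT checked: the ledger
    does not reveal which addresses belong to the same person.
    """
    problems = []
    received, spent = Counter(), Counter()
    for i, tx in enumerate(txs):
        amount, src, dst, t = tx[:4]
        if amount != 1:
            problems.append(f"tx {i}: amount {amount} is not 1")
        if len(tx) > 4:  # a message/memo would make the tx distinguishable
            problems.append(f"tx {i}: extra payload {tx[4:]} not allowed")
        if src != COINBASE and received[src] == 0:
            problems.append(f"tx {i}: {src} spends before being funded")
        if src != COINBASE and spent[src] >= 1:
            problems.append(f"tx {i}: {src} already spent (address reuse)")
        if received[dst] >= 1:
            problems.append(f"tx {i}: {dst} already funded (address reuse)")
        if t <= t0 or (t - t0) % x != 0:
            problems.append(f"tx {i}: time {t} is off the x-minute grid")
        spent[src] += 1
        received[dst] += 1
    return problems


# Constructed sample ledgers: GOOD obeys every rule, BAD breaks several.
GOOD = [(1, COINBASE, "A", T0 + X), (1, COINBASE, "C", T0 + X),
        (1, "A", "B", T0 + 2 * X), (1, "C", "D", T0 + 2 * X),
        (1, "B", "E", T0 + 3 * X)]
BAD = [(1, COINBASE, "A", T0 + X),
       (1, "A", "B", T0 + 2 * X),
       (1, "A", "C", T0 + 2 * X),             # A spent twice
       (2, "B", "D", T0 + 3 * X, "memo"),     # wrong amount, has a payload
       (1, "Z", "F", T0 + 3 * X + 7)]         # unfunded source, off-grid time

if __name__ == "__main__":
    print("GOOD:", check_ledger(GOOD) or "no violations")
    print("BAD:", *check_ledger(BAD), sep="\n  ")
```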


