Topic: Ultimate Bitcoin Privacy - Discussion - page 2. (Read 1573 times)

Excellent stuff, but I think you should make the image a little bigger, as it is hard to read the small parts of the text without clicking.


I don't completely understand where the two anonymity sets come from. Do you mean the coins are taken from the 1BTC and 0.1BTC anonymity sets? And in which order?


Of course, the rouge moneyball gallery want everyone to use CDBCs instead of dollar notes, so nothing to see here.

Banks shouldn't really be concerned about mixers. That's more of the Fed's problem.

Absolutely, it's important to understand that Whirlwind goes above and beyond the standard, generic mixer, assuming we trust their word, which I do (but that's up to everyone here to make their own decision).


Thanks! What I think is so industry-changing about the blind certificate model is how these blind certificates are as good as cash, so they're transferrable, fungible, and they store value. No other mixer creates something like that. You could have secondary markets built where people could swap around their blind certificates to further enhance their privacy, which is something Theymos proposed back in 2018 when he briefly discussed blind certificates. It's exciting to be a witness to the beginning of all of this because for once, it's something bigger than just a single mixer. If successful, it creates an entirely new, layered system where others can build off the blind certificate model that Whirlwind creates.

Another thing that is so interesting IMO is how applying blind certificates to payments/money was first proposed 40 years ago. You have to wonder "how has this not been built before?" I think once in a lifetime, you might get lucky and stumble upon sort of "ancient wisdom" (for lack of a better term) that has been merely forgotten until now. My favorite entrepreneur example of this sort of thing is Gose: a type of beer that is becoming very popular only in recent years, yet it was invented in the 1200s. It went completely extinct before being rediscovered and reintroduced in the 1980s by a normal man who owned a pretty small pub in Germany. This was a man who searched through history to find an "ancient wisdom" sort of drink and reintroduce roughly the same formula in modern time. And boom, he became a multi-millionaire. That's what we're seeing happen with this blind certificate model - something that was first proposed very publicly 40 years ago, but then for one reason or another, no one stepped up to actually put it into practice.

If we could debate the reasons why, I'd argue that the corporate banking system has had a hand in suppressing this technology. It's utterly a direct threat to their existence. There's no other way to put it.

Great explanation and I'm glad you found the idea interesting enough to allocate time for this!

I want to mention that while we certainly could store logs about every transaction and we can't prove that we don't, in case you believe that we don't then I'll tell you how the current system works: we only store a Notes public key and balance in the database, when you generate a Note that is its corresponding private key. So in the database the Notes are not stored in chronological order, it's random. There is no link between a Note's public key and its corresponding deposit because we don't store anything about that. If you want to take it a step further you could withdraw a small percentage of the Note or combine 2 of them together so you alter the link between the exact deposit amount and Note public key balance in our database.

Whirlwind is built in a way that makes it possible to implement Blind Certificates, as an example our version would look like this:

There will be 5 Blind Certificates denominations, 10BTC | 1BTC | 0.1BTC | 0.01BTC | 0.001BTC

Each one will have it's own Anonymity set, which means that if there are 100 x 1BTC Blind Certificates issued, if you redeem one of them it could be any of the 100 issued certificates from Whirlwind's perspective. The only known information to anyone including us is that one of the 100 issued certificates was redeemed.

The flow looks like this: User deposits 1.1BTC using the Note method and now holds a private key. With this private key he would then issue two Blind Certificates, one of them for 1BTC, and the other for 0.1BTC. Now his deposit is provably anonymous. Whenever he wants to withdraw, he redeems the two Blind Certificates for one or more Notes, and he follows the normal Note withdrawal procedure. In this case the user would be protected by 2 Anonymity sets, the public one which is the one that is now shown on the website, and by the Blind Certificates one, which proves beyond any doubt that you indeed got complete anonymity using the service.

For the moment I'll wait until people understand how Whirlwind works in it's current form and the service starts to see some more serious usage, and if this concept generates interest until then I'll implement it in a fairly short timeframe.

I hate the word "revolutionize," so I mean it when I say that blind certificates could actually revolutionize the mixer industry. They're going to be important to understand if you're in this space, so as a weekend project, I tried my best to create an easy-to-understand explanation graphic. Of course my guide simplifies the info a little, but it's meant to explain this stuff to beginners. There's more to add at a later date, but this should be a good start!

Crossposting this - very important update!


Update completed - everything is back online working in normal conditions | Please keep in mind that if you experience issues with the Clearnet version it's most likely because of our DDoS protection system, I am still tweaking it while we are under attack continuously. I'll sort it out without a doubt but it takes some time to do that, so until everything is set please use the Tor version if you experience any issues on Clearnet, that will most likely work without any issues at all.

I am working on displaying the anonymity set on the main page for each one of your selected outputs (number of deposits it could have originated from), so users know exactly how anonymous their bitcoin really is after using our service. I still feel like most users are not yet aware of how Whirlwind actually works and why it's the superior choice from a privacy perspective, so understanding what anonymity set means and seeing it grow each time you enter the website should make it easier for everyone to grasp the concept. It's just a matter of time until everyone gets used to the system and understands the undeniable advantages it offers.

I believe the decision to make the fees optional is wise for 2 reasons:
1. The only disadvantage of Whirlwind's mechanism is that at the start of the service the privacy set is weak due to the fact that there are few deposits. Making the fees optional should encourage more users to give the service a try, and by doing this they are helping all future users by increasing the anonymity set, making everything more secure.
2. A donation based business model was already proven to work before

The current plan is to leave the fees optional indefinitely, but if we won't generate enough revenue to be sustainable after the first 3 months we will have to implement a minimum fee again.

I'll answer any question or concern you might have!

Great question - the short answer is no, it wouldn't be possible for us to exit scam at that point.

Technical explanation

Whirlwind is based on a backend + validator (signer) model. The backend interacts with users by generating deposit addresses and processing withdrawals, while the validators (signers) validate all of the backend's actions. Whenever a withdraw transaction is being sent, the signatures must be retrieved from all validators which are able to verify the transaction is correct.

When a user deposits BTC using the fast withdraw method, the backend sends the deposit hash to the validators and whitelists the receiving addresses. After the signature is sent to the backend, the validators delete all proofs of those receiving addresses, keeping only the deposit transaction hash so that they would not accept a “duplicate proof”.

When a user deposits BTC using the Note method, the backend sends the deposit hash to the validators and they assign credit to the Note’s public key. When the user wants to withdraw his BTC, he must send a signature to the backend which will process this. This signature will also be sent to the validators which will check it and remove credit from the note’s public key and whitelist the receiving addresses.

If an attacker compromises the backend server, he would not be able to forge user Note signatures in order to fool a validator to send him funds, because only the users have access to the Note’s private keys. Again, the proofs are deleted after their use.

Comments

As explained above the signers are doing way more than just signing transactions, that's why I previously said that the only way we could get exploited is if an attacker gains access to all signers at once without us noticing.
Everything I said above would be provable at that point since the whole codebase would be open-source (if not open-source then at the very least all signers would have complete access to frontend/backend/signers code)

Let's assume there are multiple trusted signers, and the system is nicely decentralized. Would it still be possible for you to pull an exit scam by creating notes that give you access to large funds? Wouldn't the signers just sign it? And if not: how would the signers know whether or not the note was created legitimately after a deposit?

Yes you have been open and transparent about Whirlwind and your posts demonstrate it. I think that is what people here appreciate when a team member or owner interacts with them in a transparent manner taking the time to provide explanations and answer questions no matter how difficult to explain or articulate.

As you stated, members only have your word to go by but the reviews and feedback of the website are positive and as your service progresses members will begin to make their own judgements in increasing numbers about the service and quality of service you provide. I tested the service and posted my review, it is a very simple service to use.

As for mixers seemingly launching on a daily basis, I have to say I cannot recall a time here when this many were being promoted via signature campaigns or a time when this many were using ANN threads frequently. It does provide competition for each other but if you have created something unique from your competitors from a technical perspective then they will have to play catch up.

Thank you for the feedback! Everything is working as usual now.

Update
-Clearnet is back online with improved DDoS protection and stability
-Added "You can withdraw as many times as you want from a single Note." on the Withdraw Note page
-Added "All deposits made within 24 hours will be considered valid, regardless if they are still pending or confirmed." on the Deposit page

Can confirm I've received the funds about 1 hour ago.
Thank you for the quick reply. Will use your service again for sure. 

Apologies for the delay, as I said in the ANN thread I'm currently working on some features so that's why withdrawals may be a bit delayed. You have nothing to worry about, all withdrawals will be processed as soon as the upgrade is done in the next hours.

Deposits are unaffected, you can still use the service. Thanks for understanding

Any known problems with the site? 300$ are stuck, it's been 1 hour since 2 confirmations and the site keeps saying "in 0 hours". The input address forwared the coins already to another address so...

edit: Wrong thread I appologize, but I guess you'll see my message anyway.

Both, but at this point I'm only relying on the camera. If I observe anything out of the ordinary then I'll just get another server and set it up in the backup location, but I highly doubt it will come to this.

Yes, everything besides the frontend Tor link and the clearnet reverse proxy server will be changed. The frontend server will be changed too, we will only keep the current Tor link so it's less confusing for users.

I don't want to cause any issues for anyone, let alone hurt the whole forum so I'll stop discussing this here, the only reason I did in the first place was because I thought users would prefer this over having to trust me, but I'll run the service this way for a while and whenever I'll get the chance to make everything trustless I will. If anyone has any ideas in this direction you're welcome to DM or email me and I'll gladly discuss further.

It's impossible to answer this question in a way that would have any sort of weight and I don't want to appear like I'm asking users to trust me just because I'm writing some messages here. My expertise/intentions will become clear from my actions as time goes on and that's the only way I can prove myself other than decentralizing the service.

I've been very transparent about every detail of Whirlwind, I've built everything from the ground up. I took the time to analyze every aspect of this business and I believe I came up with something unique in the Bitcoin space, something that our competitors don't even come close to from a technical standpoint.

It seems like a different mixer launches every day, but if you have a more in-depth look you will notice that each one of them has some major issues.
Use of jambler.io as their backend/very weak privacy set/ use of Cloudflare/ use of mixing codes which basically means keeping logs.

Even though I could have taken a lot of shortcuts in order to get the service out in 10x less time,  I chose to do everything the right way and made no compromises at all.

Or just as a hidden service.

After a quick navigation of the website anybody can see it is simple to use and the Fast or Notes options are extremely easy to select. It is a basic no-nonsense to the point website that is easy to navigate and that is a plus for end users and that should play a very important part as your business grows.

Having said that one of the fears people must have is about sending funds to mixers at the unfortunate time the mixer decides to exit scam (and to my knowledge it does happen from to time because people end up posting about getting scammed). Keeping that in mind this would be a very difficult question to answer but what can you say here and now to give confidence to forum members that a future exit scam is the furthest thing from your mind and what your very long term strategy is?

So since he said it's true, this means we can run this thing in the same fashion as a Tor exit node. Therefore, you should take exactly the same precautions as you would when you run a Tor exit node - use ISPs that are Tor-friendly, make sure you have lawyers and a good legal team, use hosting providers and datacenters that are OK with Tor traffic, and so on.

Just like how some countries try to charge Tor node operators with shady darknet actions that its users do, so these countries will try to charge those who host decentralized mixer frontends and backends, so everyone make sure you guys are not hosting them in countries hostile to mixers, such as the USA.

---

Buuuut....

I suggest not relying only on Bitcointalk community members. Try to involve the greater bitcoin community in this, for example, on reddit, twitter, and the various Bitcoin conventions. The last thing the forum administration wants is the resemblance that it's openly facilitating mixer activity.

Did you mean physical access? Or does this mean there's a camera pointed at the server?

When you move a server to a different provider, do you also create a new multisig (so the privkey/seed from the retired server is no longer valid)?

I am taking opsec very seriously so even though the answers to these questions might seem obvious to me I'll say it out loud for the record

1.Where do you run this? Your home, or you use some provider?
I can't disclose the exact setup that we're running but there are >5 servers, all but one are from different providers. The last one is one of the signers and it's a physical server in a secure location that we have visual access to 24/7, so it can't be tampered with.

2.How much access does the site provider have?
The other providers besides the one where we run the clearnet server (which is public) should not even be aware that we are using them. Regardless even if they knew there is nothing they can do since no single server holds all keys. So noone besides me has access to anything unless they break into all servers at once without me noticing, including the physical server. I will also change all servers and rotate providers once in a while just to be sure.

3.What rights do they have? How much information do they have about you?
They have 0 information about me, same as everyone else. Worst they could do is shut down a server, and that really doesen't do anything since we can replace it in 10 minutes and have everything up and running again like it never happened.

4.Are you doing everything via anonymous networks?
Yes

If as an operator you can't even protect yourself, then there is no way you can protect your users and this is what this service is all about. I'm also willing to put my money where my mouth is, so if anyone can manage to find the IP of any of the signers (no time limit and no requirement to hack it, only finding the IP is enough) I will offer a considerable bounty.

Correct

Where do you run this? Your home, or you use some provider? How much access does the site provider have? What rights do they have? How much information do they have about you? Are you doing everything via anonymous networks?

Alright, so everyone can setup a front end (whose source code, as I've read, you'll publish at some point) and connect to some backend that is hosted by the trusted members?

The goal of this thread is to have a discussion regarding this issue. If at any point we come to the conclusion that it's riskier to run Whirlwind as a community project then I will simply continue to do it myself. I don't understand your point about Bitcointalk as a forum getting dragged into this since it has nothing to do with Whirlwind

Correct

-Can you be more specific about this question? What do you mean by what's our setup
-No idea at the moment, we would all have to agree on a "procedure"
-If we manage to implement the multi-sig with multiple trusted members, then even if I go missing 1 hour after that it does not matter. The remaining members can run the service as if it never happened, so the service can continue with or without me

1.I'm still trying to figure out if there is a way to do this, if I have any ideas I will write about them before I implement anything. Here is an idea I had, but we need the Blind Certificates in order for it to work. It would be possible to prove your funds are not coming from specific addresses without revealing which one your deposit actually is.
2.Your first point is my biggest concern and something for which I'm not convinced that a solution even exists. We will come to a conclusion together after more discussions, whatever that may be