Topic: XMR vs DRK - page 41. (Read 69755 times)

I think you misunderstand. You're saying that nobody is trying to break Darksend. I am saying....'so is all the energy just going into trolling then?' (because there's certainly a lot of that going on!)

There seems to be a disconnect here. I know Darkcoin is build on a flaky foundation, I don't need to prove that. Proving the opposite is critical, and neither the Darkcoin leadership nor its proponents have done so (nor do I have any reason to believe they will do so).

When you make statements like the above I'm reminded that this thread is a landmine - if I spend the hours researching and extrapolating it will be pointless, as proponents will nitpick. The only way I could possibly win is to spend days and weeks creating a proof-of-concept to demonstrate validity, and even then there will just be some lipstick-on-a-pig move to patch one particular leak in the overflowing dam.

Majamina, your final comment and BlockaFett's comment is the real nail in the coffin here - I'm doing free analysis in my spare time (how much did Kristov Atlas get paid again?) based on virtually nonexistent technical documentation, so of course there are assumptions I have to make in the interest of expediency. An incorrect assumption in one area does not invalidate my analysis in another, unrelated area. Were this a formal analysis I would not have raised that point, as I would have gone through the code and done heaps of testing before asserting a fact.

At this stage there are a series of major flaws that remain untouched because of the obsession with "proving" that a single attack surface doesn't exist. There has not been a single iota of proof - stating something as if it is fact, or showing some graphs without a model showing its assumptions are not proof, not by any definition of the term. If you want further analysis and specifics I will gladly provide you with my hourly rate and expected engagement period, but beyond that I've reached the end of what I'm willing to do for free. That is not a cop-out, it is just the reality when every suggested attack has to get ground down to minutiae whilst ignoring large swathes of what attackers are capable of. The discussion in this thread has been like talking to someone who sticks their fingers in their ears and goes "na na na, you're wrong, na na na na".

Again, and for the record: you cannot discount an attack by claiming ignorance, simply stating it isn't possible, or turning everything into an accusation of trolling / FUD.

I have observed, in this thread and others, that the bulk of the Darkcoin proponents are like those in the anti-vaccination movement. It doesn't matter what I say, what Bitcoin core developers say, what cryptographers say, or what the creator of BitTorrent says about Darkcoin. It doesn't matter what anyone theorises, it won't even matter if a body of evidence is presented. Anti-vaccinators won't change their minds until their child dies, and Darkcoin proponents won't change their minds until people start suffering.

RationalWiki sums up what the parallel to what we're observing with Darkcoin:



I'd say this thread has been fun, but it hasn't.

It is.

This was back in late 2014 and has nothing to do with the current threat by that guy about deanonymizing darksend, so before you go accusing others of trolling, at least do your research first, newbie.

https://www.cryptocoinsnews.com/darkcoin-finds-fixes-darksend-privacy-bug/

https://bitcointalksearch.org/topic/darkcoin-exploit-found-in-2-hours-by-amateur-why-open-source-matters-for-anon-816141 - darkcoin exploit found in 2 hours by amateur (why open source matters for anon)

so all the energy is just going into trolling?     well, i think there was a recent thread about someone claiming to have broken Darksend, which came to nothing?

as for reward, there may be a small bounty for finding DS exploits, but the big reward is surely the reputational downside for DASH, which may allow another anon-focused coin to take over DASH market cap.

Dash actually was broken, at least Darksend was. When it was first open sourced there was a bug that allowed you to "deanonymize" transactions. I don't think anyone is really actively trying to break it at this moment, honestly, the reward for doing so is pretty petty. If someone did break it, they would probably keep the info to themselves for the moment.

do you have a specific vulnerability you want to bring to DRK's attention?  Sounds like more waffle and time wasting.

Johny M, I am reading from where majamina's chart was posted, up until I see my post. Having just read your post quoted here, I see that your question was not due to a lack of understanding statistics, but simply their application to masternodes. Please forgive my lack of approbation for you understanding of statistics. (FWIW--nice nym. )

OK...perhaps you can give us, say, the top-ten of those factors that can fingerprint the data.

Also could you please explain how it is trivial to extrapolate the data when you control 50% of the MNs in your example above.


OK, I'm still not sure this is a fair representation. Hopefully someone who knows more about Darksend can chime in. I'll do some more research in the meantime.

And no offence, but you got it wrong about Darksend yesterday so I'm not sure that your assessment can be considered reliable.

I don't think anyone's questioning the validity of the data, but rather that probabilistic analysis of this makes WAY too many assumptions.

You're still approaching it probabilistically - a thousand factors can fingerprint the data and let our hypothetical attacker extrapolate (eg. output ordering). The more complication you layer on top the more likely it is to have cascading failures.


You're misunderstanding. If you are only ever going to perform a single transaction then the attacker only has one chance of observing it. However, you are (presumably) going to receive funds on more than one occasion and use Darksend to pre-mix them. The danger is greater for a seller, who will do this more often, than for an individual who gets paid his salary once-a-month. For both, though, our hypothetical doesn't only have one chance to catch you, they have an indefinite number of chances. And you can take it as a given that the number of MasterNodes they control will grow over time, not decrease, especially if it gets used for illicit activity by a portion of the userbase.

I just popped in because I heard about majamina's chart and wanted to check it out. I must commend him for his patience in dealing with the discussion I see going on here.

Johny, either you have never studied statistics/probability or your Mnemonics aren't working. One coin toss will yield either a head or a tail. This equates to your "Either a transaction is traceable or it isn't." But what about the set of a billion coin tosses? While each is either heads or tails the set in a normal distribution tends towards .5 of each. Majamina's excellent chart shows that for anything less than close to 100% of the masternodes compromised, the chance of tracing any single transaction is vanishingly small.

For the gentleman (whose name I forgot sorry!) The refusal to comment on the implications of the chart, should the data be valid, shows yourself to be disingenuous. As a scientist and educator, I have no problem challenging the data behind a graph while recognizing the implication of that graph as it stands. It saves time, and shows respect for a worthy opponent. (Not to mention, demonstrates you have at least the education necessary to comprehend the math behind it.) There were many (and still a few, though much less) who disputed the validity of the data coming out of the LHC when the discovery of the Higg's Boson was announced. There was no disputing of the fact that the charts seemed to indicate that fact--if--the data was subsequently verified; which it was.

Your unwillingness to commit to the significance of majamina's chart reveals a mindset more concerned with preserving your personal status than one of someone who is truly in pursuit of the truth. That was sadly apparent after my reading the first few posts on this thread, and why I have refused to participate here.  I will watch for a little while to see the response this post gets. And maybe, if, it is received (and even countered) in a respectful manner I continue to check in.

Peace to you all...

Isn't it to a massively lesser degree?

No blinding:

(1200/2400)^8 = 0.00390625

Blinding

((1200/2400)^20)^8) = 6.84228E-49   (i'll let you work out the percentage, excel only displays 30 decimal places)


I think this misrepresents how darksend works. Once you've mixed your coins you're good to go....if someone collected small amounts of information from a small number of MNs about those rounds of mixing, but didn't get enough to decode the transaction, when you mix at a later date this is completely unrelated to the earlier mixing session. How would you expect to correlate these sessions today, tomorrow or next week?

The problem with the probabilities discussion is that it relies heavily on a gambler's approach (I suspect Evan is/was a pro poker player or similar). It forgets two things:

An Attacker Can Extrapolate Data

If you have an attacker that owns 50% of the 2400-strong MN network through a combination of legal (subpoena+gag order) and illegal (hacking, torturing the operator into compliance) you would typically calculate "probabilities" for unmasking an 8-round Darksend like this:

(1200/2400)^8 = 0.00390625

However, consider the following series of Darksend mixing rounds:

    1            2            3            4            5            6            7            8
observed -> unobserved -> observed -> unobserved -> observed -> unobserved -> observed -> unobserved

Because there's only a single block between the observed rounds it is trivial for the attacker to extrapolate the unobserved rounds. In fact, unwinding an unobserved gap of 2 or 3 transactions is not infeasible.

This substantially changes things, and makes pure probabilistic thinking an incorrect analysis.

MasterNode blinding modifies the parameters, but not the outcome. An attacker can still extrapolate missing data, to a greater or lesser degree.

An Attacker Has Unlimited Time

If an attacker can control a portion of the network surreptitiously for a short period of time it can be accepted as a given that they can control it indefinitely and only grow their monitoring base by dedicating resources to taking over the remaining nodes (again through a combination of available methods). But let's assume that, hypothetically, they only control a portion of the network and are unable to grow it.

They will collect detailed MN data indefinitely, and will be able to extrapolate data and make "best guess" efforts at correlations. Remember that all they have to do is provide a tenable link between two people, and they can use external evidence to cement the rest. In fact, they can use parallel construction to attribute "good old fashioned police work" instead of a sophisticated and ongoing compromise.

They also don't need to observe a specific Darksend path - they have infinite time. They may not be able to observe enough of your Darksend mixing today, but what about tomorrow? Or next week? The more you mix (a natural result of time and usage) the greater their chances of figuring one of them out and being able to find this tenable link.

Of course, there can be continued attempts at obfuscation: increasing the minimum number of Darksend rounds to 150 or 200 to increase the probability of a big observation gap, for instance, but ultimately you're just increasing the complexity until you have an unbridled and unmanageable mess...and that is when an attacker stops needing to do complicated stuff and can just exploit the mistakes that are always made in overcomplicated systems.

And in the interests of balance and fair play, here is the chart for 1 ROUND of darksend:

8 ROUNDS:

The curve is going to look similar at that scale, but the probabilities are obviously much smaller as you go through the list. Interestingly, with 1% of nodes compromised and 8 rounds, the probability is so small that Excel can't seem to calculate it and displays '0'

8 ROUNDS OF DARKSEND:

1.00%   0.000000000000000000000000000000%
2.00%   0.000000000000000000000000000000%
3.00%   0.000000000000000000000000000000%
4.00%   0.000000000000000000000000000000%
5.00%   0.000000000000000000000000000000%
6.00%   0.000000000000000000000000000000%
7.00%   0.000000000000000000000000000000%
8.00%   0.000000000000000000000000000000%
9.00%   0.000000000000000000000000000000%
10.00%   0.000000000000000000000000000000%
11.00%   0.000000000000000000000000000000%
12.00%   0.000000000000000000000000000000%
13.00%   0.000000000000000000000000000000%
14.00%   0.000000000000000000000000000000%
15.00%   0.000000000000000000000000000000%
16.00%   0.000000000000000000000000000000%
17.00%   0.000000000000000000000000000000%
18.00%   0.000000000000000000000000000000%
19.00%   0.000000000000000000000000000000%
20.00%   0.000000000000000000000000000000%
21.00%   0.000000000000000000000000000000%
22.00%   0.000000000000000000000000000000%
23.00%   0.000000000000000000000000000000%
24.00%   0.000000000000000000000000000000%
25.00%   0.000000000000000000000000000000%
26.00%   0.000000000000000000000000000000%
27.00%   0.000000000000000000000000000000%
28.00%   0.000000000000000000000000000000%
29.00%   0.000000000000000000000000000000%
30.00%   0.000000000000000000000000000000%
31.00%   0.000000000000000000000000000000%
32.00%   0.000000000000000000000000000000%
33.00%   0.000000000000000000000000000000%
34.00%   0.000000000000000000000000000000%
35.00%   0.000000000000000000000000000000%
36.00%   0.000000000000000000000000000000%
37.00%   0.000000000000000000000000000000%
38.00%   0.000000000000000000000000000000%
39.00%   0.000000000000000000000000000000%
40.00%   0.000000000000000000000000000000%
41.00%   0.000000000000000000000000000000%
42.00%   0.000000000000000000000000000000%
43.00%   0.000000000000000000000000000000%
44.00%   0.000000000000000000000000000000%
45.00%   0.000000000000000000000000000000%
46.00%   0.000000000000000000000000000000%
47.00%   0.000000000000000000000000000000%
48.00%   0.000000000000000000000000000000%
49.00%   0.000000000000000000000000000000%
50.00%   0.000000000000000000000000000000%
51.00%   0.000000000000000000000000000000%
52.00%   0.000000000000000000000000000000%
53.00%   0.000000000000000000000000000000%
54.00%   0.000000000000000000000000000000%
55.00%   0.000000000000000000000000000000%
56.00%   0.000000000000000000000000000000%
57.00%   0.000000000000000000000000000000%
58.00%   0.000000000000000000000000000000%
59.00%   0.000000000000000000000000000000%
60.00%   0.000000000000000000000000000000%
61.00%   0.000000000000000000000000000000%
62.00%   0.000000000000000000000000000000%
63.00%   0.000000000000000000000000000001%
64.00%   0.000000000000000000000000000010%
65.00%   0.000000000000000000000000000116%
66.00%   0.000000000000000000000000001340%
67.00%   0.000000000000000000000000014858%
68.00%   0.000000000000000000000000159011%
69.00%   0.000000000000000000000001643821%
70.00%   0.000000000000000000000016431848%
71.00%   0.000000000000000000000158977548%
72.00%   0.000000000000000000001490045153%
73.00%   0.000000000000000000013541214552%
74.00%   0.000000000000000000119419474830%
75.00%   0.000000000000000001022826903227%
76.00%   0.000000000000000008514806145328%
77.00%   0.000000000000000068947103756535%
78.00%   0.000000000000000543421016471357%
79.00%   0.000000000000004171906883622430%
80.00%   0.000000000000031217485503160500%
81.00%   0.000000000000227825861182904000%
82.00%   0.000000000001622618343797370000%
83.00%   0.000000000011284823741053800000%
84.00%   0.000000000076680647226003000000%
85.00%   0.000000000509363843932281000000%
86.00%   0.000000003309422376006270000000%
87.00%   0.000000021041680357344600000000%
88.00%   0.000000130986803482614000000000%
89.00%   0.000000798731961465741000000000%
90.00%   0.000004773110738113080000000000%
91.00%   0.000027965511772018800000000000%
92.00%   0.000160713505949909000000000000%
93.00%   0.000906299558920186000000000000%
94.00%   0.005017144113258120000000000000%
95.00%   0.027275759107716400000000000000%
96.00%   0.145679112273953000000000000000%
97.00%   0.764676040310662000000000000000%
98.00%   3.946136563891700000000000000000%
99.00%   20.027702685748900000000000000000%
100.00%   100.000000000000000000000000000000%

1.00%   0
2.00%   1.4615E-272
3.00%   2.1847E-244
4.00%   2.136E-224
5.00%   6.8423E-209
6.00%   3.193E-196
7.00%   1.6432E-185
8.00%   3.1217E-176
9.00%   4.7731E-168
10.00%   1E-160
11.00%   4.1959E-154
12.00%   4.6666E-148
13.00%   1.7019E-142
14.00%   2.4015E-137
15.00%   1.4949E-132
16.00%   4.5624E-128
17.00%   7.4444E-124
18.00%   6.9759E-120
19.00%   3.9864E-116
20.00%   1.4615E-112
21.00%   3.5899E-109
22.00%   6.1324E-106
23.00%   7.5241E-103
24.00%   6.8202E-100
25.00%   4.68168E-97
26.00%   2.48734E-94
27.00%   1.0428E-91
28.00%   3.50982E-89
29.00%   9.63118E-87
30.00%   2.18475E-84
31.00%   4.14831E-82
32.00%   6.66801E-80
33.00%   9.16707E-78
34.00%   1.08799E-75
35.00%   1.12431E-73
36.00%   1.01953E-71
37.00%   8.17101E-70
38.00%   5.82607E-68
39.00%   3.71824E-66
40.00%   2.13599E-64
41.00%   1.11024E-62
42.00%   5.2467E-61
43.00%   2.2644E-59
44.00%   8.96248E-58
45.00%   3.26589E-56
46.00%   1.09965E-54
47.00%   3.43287E-53
48.00%   9.96777E-52
49.00%   2.70006E-50
50.00%   6.84228E-49
51.00%   1.6264E-47
52.00%   3.63526E-46
53.00%   7.65842E-45
54.00%   1.52406E-43
55.00%   2.87098E-42
56.00%   5.12961E-41
57.00%   8.70917E-40
58.00%   1.4076E-38
59.00%   2.16931E-37
60.00%   3.19301E-36
61.00%   4.49545E-35
62.00%   6.06276E-34
63.00%   7.8431E-33
64.00%   9.74531E-32
65.00%   1.16449E-30
66.00%   1.33977E-29
67.00%   1.48583E-28
68.00%   1.59011E-27
69.00%   1.64382E-26
70.00%   1.64318E-25
71.00%   1.58978E-24
72.00%   1.49005E-23
73.00%   1.35412E-22
74.00%   1.19419E-21
75.00%   1.02283E-20
76.00%   8.51481E-20
77.00%   6.89471E-19
78.00%   5.43421E-18
79.00%   4.17191E-17
80.00%   3.12175E-16
81.00%   2.27826E-15
82.00%   1.62262E-14
83.00%   1.12848E-13
84.00%   7.66806E-13
85.00%   5.09364E-12
86.00%   3.30942E-11
87.00%   2.10417E-10
88.00%   1.30987E-09
89.00%   7.98732E-09
90.00%   4.77311E-08
91.00%   2.79655E-07
92.00%   1.60714E-06
93.00%   9.063E-06
94.00%   5.01714E-05
95.00%   0.000272758
96.00%   0.001456791
97.00%   0.00764676
98.00%   0.039461366
99.00%   0.200277027
100.00%   1

You can be on both sides, can't you?