Topic: XMR vs DRK - page 53. (Read 69802 times)

Sorry, I meant that fluffpony thinks so (and you are not sure about it). Sorry if I keep trying to break things down to a very simple outcome. I just want to understand the practical implications of those discussions. Practical like for users who don`t care about the tech details (like myself...), but who would be extremely pissed (and endangered) if they discovered that they face jailtime because of some problems with the change of their supposedly anonymized Dash. So, yes, Darksend is safe enough and the MN problem is still up for debate (but a potential problem is about as likely as a 51% attack on BTC by the NSA). Correct?

For me that is not such an easy assumption, because even if you own the majority of amount in a darksend mixing process, you can' tell if the other transactions are just one or multiple people.

At least it is a plaussible deniable that you can't know if it was one or more person. Even if you obeserv it for a long time and analyse it like "these addresses are coming up in this block, these in this and so on, than you could conclude, these addresses must be owned by the same person because they come up all together in a timeframe. BUT darksend mixing, doesn't send all your address trough mixing each time a mixing is going on. So your addresses will randomly splitet and an timing analyses would be not working. And its plaussible deniable - just because you could assume it would be the same person, you cant tell for sure. You just can assume.

But perhaps you can write a whitepaper about your idea, that would be very nice, there is also a big bounty if you get that to work.

I wasn't addressing your post but frankly, if you want to play the probabilities game, you're hella paranoid at those odds. Further, it doesn't factor in masternode blinding of inputs, further squashing probabilities out.

It's like you guys posting cryptographic proofs that ring signatures work--yes, I don't think anyone is arguing that (at least I'm not), but I also know that 99% of the people on here and those that will ultimately use the currency won't know what they even mean. You guys posting cryptographic proofs would be no different than Dash posting statistical probabilities of the odds of tracing a DS transaction (with the odds easier to understand than cryptography). At least in my jurisdiction, with proving things without reasonable of doubt, I'll take odds such as those even if you didn't calculate them appropriately.

No, I'm not sure you can compromise the MN network in any practical sense, assuming it works as designed.

Ok, so you could somehow compromise the MN network, but you can`t be de-anonymized because you did not do enough "opsec" other than mixing your coins.

How does that solve the issues my post mentioned?



You can just own the major amount of coinjoin-transactions to trace back what happens; no need to mess with masternodes. Combined with other statical analysis approaches this is quiet powerful?

Well, I'm still not convinced by your assessment of MN network vulnerability. You seem to be in realms of the theoretical rather than the practical....

I wouldn't conclude that

But i would say, yes for me thats enough anonymity, in the end everything is "exploitable" its just a question of "costs", like fluffypony said - yes you need more power then in the whole universe so for now thats not possible, but you cant know whats there in the future, and you can't know if the attacker got lucky and just needs 1 min, because he was lucky. (I hope i don't misqoute fluffypony here, but i interpret this that way.)


So you can calculate the security of your darksend by yourself with a few assumption you have to take (because you cant know) like

darksend with 50 rounds, masternode network has 2000 masternodes, and i assume for me in worst case 1500 of these are bad actors.

So i got something like:
(1500/2000)^50 = 0.000005 => its a chance of 1 : 1750000 that a bad actor (with 1500 of 2000 MN) statistically can observe my mixing.

For me thats enough secure to say its anonym. But for some it may be not enough, because they cant know if there and how many bad actors are in the net. so if all 2000 out of 2000 are bad actors, you can be sure it won't be anonym anymore. (I think thats the point im reading about MNs are not trustless, because you can't know if they save the darksend or not - but thats not my view of it)

Assuming the wallet is already denominated, then in your scenario, the DS inputs would be two 10s, nine 1s and three .10s with the rounded up change going to the network... yes, it very much solves the issue you are trying to point out.

No, there was one deanonymisation problem I posited late today which proved to be incorrect (that users can trivially and unwittingly deanonymise themselves, through change addresses, when sending successive post-mixing transactions). Thus far I believe the rest of my assertions to be correct.

So to put that in laymens terms: darksend is fine for usage in darkmarkets after all and fluffpony agrees?

yes its right there could be a fee of up to 0.00999999 DRK/DASH ~ 51 cents right now.

But i don't see that as a problem, if price goes up, its no problem to adjust the lowest denomination to 0.01 or 0.001 ...

And if you do not want to "support" the network with that 51 cent miners fee, you could also adjust the amount you send, to a "denominational" amount, so you'll give it as tip to whoever you pay. (Ofc you can't do this if the reciever handles the transaction automatically and he needs the amount to be exactly what he stated)

OK gotcha.

I still think the scale of the attack is critical here. To consider the likelihood of such an attack ever being successful we need to know how many nodes must be compromised to break Darksend and unravel privacy.

Ok that's the key element I was missing, that basically there are no change addresses (although if 0.1 is the minimum that means every anonymous payment you make will incur an additional cost of as much as $0.51 at present, presumably this lower bound will decrease in future).

BlockaFett: now's the time you do a little happy dance and write lots of bold text about how one of my conclusions was incorrect. You can even call it "BS" and say that I "don't understand anything" if it'll help you with your self-esteem problems:)

Snooping the traffic won't do much good, you can just use end-to-end encryption to defeat that. It would require some level of access to the machine itself, either remote or physical. For the surreptitious access rootkits would be most appropriate (although not entirely required, less sophisticated options are available if it just has to monitor on-disk logs or watch the daemon's activity in-memory), as they can just monitor the daemon, see what it is doing, and periodically report back. For the more obvious take-overs they would just use the operator or his laptop/desktop to gain access to the box and install their own MN daemon that periodically reports back.

I know you are capable of it, we had a few posts with each other, so i know you are not someone who doesn't understand things.

The thing is you arguing on a wrong assumption about darksend!

Its realy not how it works if you use darksend.

Ill try to give an example.

If you have 50 drk in addr1
after starting the darksend denomination process you have (for example):
10 drk in addr2
10 drk in addr3
10 drk in addr4
10 drk in addr5
1 drk in addr6
1 drk in addr7
1 drk in addr8
1 drk in addr9
1 drk in addr10
1 drk in addr11
1 drk in addr12
1 drk in addr13
1 drk in addr14
0.1 drk in addr15
0.1 drk in addr16
0.1 drk in addr17
0.1 drk in addr18
0.1 drk in addr19
0.1 drk in addr20
0.1 drk in addr21
0.1 drk in addr22
0.1 drk in addr23
0.1 drk in addr24

so now all these addresses contain drk which has been mixed in the process of darksend with other users who also started the darksend mixture.
So there is no direct connection between these addresses.

so now you send
20.72368 that means darksend will use your previous mixed addresses - for this it will be something like:
addr2 + addr3 + addr15 + addr16 + addr17 + addr18 + addr19 + addr20 + addr21 - this will add to 20.8 - you have to pay 20.8, the difference goes to the miners exactly for the fact wo don't want any change address! (you could have also send 20.8 instead so you wont sponsor the miners)

so now these addresses are all gone out of your pool, if you now spend the rest, there is no connection between these addresses used in the first and the ones used in the second send right now.

BlockaFett my friend, I can tell you're passionate about this subject by virtue of the massive amounts of insults you hurl and the sheer amount of bold in your replies. However, please remember that this is a cordial discussion, and if I conclude something based on an incorrect understanding I will absolutely admit that my conclusion was incorrect and based on false assumptions or faulty logic.

I'm not perfect, I will make mistakes, and I do reach conclusions on a regular basis that are incorrect. Over and above that I am analysing a technology I did not create and that has no formal model I can study, and so much of the data I am working with is based on what I have observed and read about the subject matter, and is thus open to change.

All of that does not imply I am talking "total BS" or I have "no idea what I am talking about", it just means that the model I have been forced to construct in my head is in a necessary state of flux.

It's also immensely frustrating when I am trying to reply to comments in the order in which they appear in the thread, and in the time it takes me to thoughtfully reply to one person you've submitted 5 posts that consist of:

- "fluffypony once again proves he knows nothing"
- "why hasn't he answered the simple question?"
- "hah such garbage"
- "obviously wrong and complete BS"
- "still waiting on a reply to that question from 3.7 seconds ago??"

Try and chillax, this is a technical and non-technical back-and-forth, not a personal attack on your family and your second child:)

When you say 'take over his MN' what are you actually describing? Denial of service? Snooping Traffic? Replacing the daemon with a compromised version?

Need to understand what you actually mean and how it relates to security of the network and any information gathering.

We don't want to kill it, we just want to own that arbitrary amount through a combination of legal wrangling (eg. forcing the operator to hand over control or throwing the operator in prison so we can take over his MN, via the SEC or FinCEN or the IRS or similar), rubberhose cryptanalysis attacks (beating the operator with a rubberhose until he gives us access to his MN), court orders to the datacenter or VPS provider, or plain ol' hacking.

Some of those methods will throw up warning sirens among the community, because not all operators will obey gag orders etc., but some of them can be done without the operator even knowing their MN has been compromised by LEA. If LEA starts with the surreptitious methods and manages to compromise, say, 50% of the MasterNodes, then by the time they start using more obvious tactics to compromise the remainder it will be too late for the community to suddenly react and fix it.

Therefore, the securing of MasterNodes would have to be absolute, indelible, ongoing, and without failure or slip-up.

why not make a reasonable contribution to the thread.

perhaps can have two threads:

1. XMR vs DRK - reasonable, friendly debate

2. XMR vs DRK - mud-slinging and trolling