A Simple Guide To Effectively And Safely Mixing Bitcoins
4 stars based on
34 reviews
CoinJoin is a trustless method for combining multiple Bitcoin payments taint analysis blockchain bitcoins multiple spenders into a single transaction to make it more difficult for outside parties to determine which spender paid which recipient or recipients.
Unlike many other privacy solutions, coinjoin transactions do not require a modification to the bitcoin protocol. This type of transaction was first described in posts [1] [2] by gmaxwell. Bitcoin is often promoted as a tool for privacy but the only privacy that exists in Bitcoin comes from pseudonymous addresses which are fragile and easily compromised through reuse, "taint" analysis, tracking payments, IP address monitoring nodes, web-spidering, and many other mechanisms.
Once broken this privacy is difficult and sometimes costly to recover. Traditional banking provides a fair amount of privacy by default. Your inlaws don't see that you're buying birth control that deprives them of grand children, your employer doesn't learn about the non-profits you support with money from your paycheck, and thieves don't see your latest purchases or how wealthy you are to help them target and scam you.
Poor privacy in Bitcoin can be a major practical disadvantage for both individuals and businesses. Even when a user ends address reuse by switching to BIP 32 address chainsthey still have privacy loss from their old coins and the joining of past payments when they make larger transactions.
Privacy errors can also create externalized costs: You might have good practices but when you trade with people who don't say ones using "green addresses" you and everyone you trade with loses some privacy. A loss of privacy also presents a grave systemic risk for Bitcoin: If degraded privacy allows people to assemble centralized lists of good and bad coins you may find Bitcoin's fungibility destroyed when your honestly accepted coin is later not taint analysis blockchain bitcoins by others, and its decentralization along with it when people feel forced to enforce popular blacklists on taint analysis blockchain bitcoins own coin.
A Bitcoin transaction consumes one or more inputs and creates one or more outputs with specified values. Each input is an output from a past transaction. For each input there is a distinct signature scriptsig which is created in accordance with the rules specified in the past-output that it is consuming scriptpubkey.
The Bitcoin system is charged with making sure the signatures are correct, that the inputs exist and are spendable, and that the sum of the output values is less than or equal to the sum of the input values any excess becomes fees paid to miners for including the transaction. It is normal for a transaction to spend many inputs in order to get enough value taint analysis blockchain bitcoins pay its intended payment, often also creating an additional 'change' output to receive the unspent and non-fee excess.
There is no requirement that the scriptpubkeys of the inputs used be taint analysis blockchain bitcoins same; i. And, in fact, when Bitcoin is correctly used with one address per payment, none of them will be the same.
When considering the history of Bitcoin ownership one could look at transactions which spend from multiple distinct scriptpubkeys as co-joining their ownership and make an assumption: How else could the transaction spend from multiple addresses unless a common party controlled those addresses?
In the illustration 'transaction 2' spends coins which were assigned to 1A1 and 1C3. So 1A1 and 1C3 are taint analysis blockchain bitcoins the same party?
This assumption is incorrect. Usage in a single transaction does not prove common control though it's currently pretty suggestiveand this is what makes CoinJoin possible:. The signatures, one per input, inside a transaction are completely independent of each other. This means that it's possible for Bitcoin users to agree on a set of inputs to spend, taint analysis blockchain bitcoins a set of outputs to pay to, and then to individually and separately sign a transaction and later merge their signatures.
The transaction is not valid and won't be accepted by the network until all signatures are provided, and no one will sign a transaction which is not to their liking. To use this to increase privacy, the N users would agree on a uniform output size and provide inputs amounting to at least that size. The transaction would have N outputs of that size and potentially N more change outputs if some of the users provided input in excess of the target.
All would sign the transaction, and then the transaction could be transmitted. No risk of theft at any point. In the illustration 'transaction 2' has inputs from 1A1 and 1C3. Say we beliece 1A1 is an address used for Alice and 1C3 is an address used for Charlie. Which of Alice and Charlie owns which of the 1D and 1E outputs? The idea can also be used more casually. When you want to make a payment, find someone else who also wants to make a payment and make a joint payment together.
Doing so doesn't increase privacy much, but it actually makes your transaction smaller and thus easier on the network and lower in fees ; the extra privacy is a perk.
Such a transaction is externally indistinguishable from a transaction created through conventional use. Because of this, if these transactions become widespread they improve the privacy even of people who do not use them, because no longer will input co-joining be strong evidence of common control. There are many variations of this idea possible, and all can coexist because the idea requires no changes to the Bitcoin system. Let a thousand flowers bloom: An example 2-party coinjoin transaction.
Another example is this 3-party coinjoin. Any transaction privacy system that taint analysis blockchain bitcoins to hide user's addresses should start with some kind of anonymity network. This is no different. Fortunately networks like Tor, I2P, Bitmessage, and Freenet all already exist and could all be used for taint analysis blockchain bitcoins. Freenet would result in rather slow transactions, however. However, gumming up "taint analysis" and reducing transaction sizes doesn't even require that the users be private from each other.
So even without things like tor this would be no worse than regular transactions. In the simplest possible implementation where users meet up on IRC over tor or the like, yes they do. The next simplest implementation is where the users send their input and output information to some meeting point server, and the server creates the transaction and asks people to sign it.
The server learns the mapping, but no one else does, and the server still can't steal the coins. Using chaum blind signatures: The users connect and provide inputs and change addresses and a cryptographically-blinded version of the address they want their private coins to go to; the server signs the tokens and returns them. The users anonymously reconnect, unblind their output addresses, and return them to the server. The server can see that all the outputs were signed by it and so all the outputs had to come from valid participants.
Later people reconnect and taint analysis blockchain bitcoins. The same privacy can be achieved in a decentralized manner where all users act as blind-signing servers. I don't know if there is, or ever would be, a reason to bother with a fully distributed version with full privacy, but it's certainly possible. Yes, this can be DOS attacked in two different ways: However, if all the signatures don't come in within some time limit, or a conflicting transaction is created, you can simply leave the bad parties and try again.
With an automated process any retries would be invisible to the user. So the only real risk is a persistent DOS attacker. In the non-decentralized or decentralized but non-private to participants case, gaining some immunity to DOS attackers is easy: They are then naturally rate-limited by their ability to create more confirmed Bitcoin transactions. Gaining DOS immunity in a decentralized system is considerably harder, because it's hard to tell which user actually broke the rules.
One solution is to have users perform their activity under a zero-knowledge proof system, so you could be confident which user is the cheater and then agree to ignore them.
In all cases you could taint analysis blockchain bitcoins anti-DOS mechanisms with proof of work, a fidelity bond, or other scarce resource usage. But I suspect that taint analysis blockchain bitcoins better to adapt to actual attacks as they arise, as we don't have to commit to a single security mechanism in advance and for all users.
I also believe that bad input exclusion provides enough protection to get started. The anonymity set size of a single transaction is limited by the number of parties in it, obviously. And transaction size limits as well as failure retry risk mean that really huge joint transactions would not be wise.
But because these transactions are cheap, there is no limit to the number of transactions you can cascade. This allows the anonymity set to be any size, limited only by participation. In practice I expect most users only taint analysis blockchain bitcoins to prevent nosy friends and thieves from prying into their financial lives, and to recover some of the privacy they lost due to bad practices like address reuse.
These users will likely be taint analysis blockchain bitcoins with only a single pass; other people will just operate opportunistically, while others may work to achieve many passes and big anonymity sets. As a taint analysis blockchain bitcoins and computer science geek I'm super excited by Zerocoin: But as a Bitcoin user and developer the promotion of it as the solution to improved privacy disappoints me.
Some of these things may improve significantly with better math and software engineering over time. Zerocoin requires a soft-forking change to the Bitcoin protocolwhich all full nodes must adopt, which would commit Bitcoin to a particular version of the Zerocoin protocol. This cannot happen fast—probably not within years, especially considering that there is so much potential for further refinement to the algorithm to lower costs.
It would be politically contentious, as some developers and Bitcoin businesses taint analysis blockchain bitcoins very concerned about being overly associated with "anonymity". Network-wide rule changes are something of a suicide pact: CoinJoin transactions work todayand they've worked since the first day of Bitcoin. They are indistinguishable from normal transactions and thus cannot be blocked or inhibited except to the extent that any other Bitcoin transaction could be blocked.
ZC could potentially be used externally to Bitcoin in a decentralized CoinJoin as a method of mutually blinding the users in a DOS attack resistant way. This would allow ZC to mature under live fire without taking its costs or committing to a specific protocol network-wide. The primary argument Taint analysis blockchain bitcoins can make for ZC over CoinJoin, beyond it stoking my crypto-geek desires, is that it may potentially offer a larger anonymity set.
But with taint analysis blockchain bitcoins performance and scaling limits of ZC, and the possibility to construct sorting network transactions with CJ, or just the ability to taint analysis blockchain bitcoins hundreds of CJ transactions with the storage and processing required for one ZC transactions, I don't know which would actually produce bigger anonymity sets in practice. Though the ZC anonymity set could more easily cross larger spans of time.
The anonymity sets of CoinJoin transactions could easily be big enough for common users to regain some of their casual privacy and that's what I think is most interesting. CoinWitness is even rocket-sciency than Zerocoin, it also shares many of the weaknesses taint analysis blockchain bitcoins a privacy-improver: Novel crypto, computational cost, and the huge point of requiring a soft fork and not being available today.
It may have some scaling advantages if taint analysis blockchain bitcoins is used as more than just a privacy tool. But it really is overkill for this problem, and won't be available anytime real soon. There exist no ready made, easy-to-use software for doing this. You can make the transactions by hand using bitcoin-qt and the raw transactions API, as we did in that "taint rich" thread, but to make this into a practical reality we need easy-to-use automated tools.