sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<M7918070_[m]> I've been thinking of a quasi-decentralized non-custodian way to set up a crypto-to-crypto exchange for a while now
<M7918070_[m]> It's stupidly simple, you basically do cross-chain atomic swaps but without the atomic part. It works for all civilized cryptocurrencies, even those without smart contracts.
<M7918070_[m]> So, you send signed messages to a central server proving you control the cryptocurrency you want to trade. It adds you into an orderbook and matches trades. When it's matched you, it asks you to sign again, to make sure you're still on the line.
<M7918070_[m]> It generates 2-of-2 multisig addresses for both parties, and provides both parties the requisite information to generate them by themselves. Both parties sign them with the key they used to put out the ad and exchange these messages.
<M7918070_[m]> Then, the exchange asks both parties to sign transactions moving funds into the 2-of-2 multisig address, moving funds back (refund), and moving funds out.
<M7918070_[m]> It then sends out the first set of transactions to fund the contract, waits until they have cleared, and then sends out the final set. If a transaction is broadcast so that only one of the funding transactions clears, it refunds the other one.
<M7918070_[m]> So, this is just a very convoluted way to do escrow. But the fine point is that the broker doesn't ever have custody of any cryptocurrency, and doesn't need to charge a fee or anything (very trivial software). That means there are no regulatory requirements, meaning random people could run it in their basement as an onion service.
<M7918070_[m]> Assuming the operator isn't colluding with either party to intentionally defraud the "customers", is there anything that could go wrong in this scheme?
<gmaxwell> wtf is with that nopara post on bitcoin-dev, re-coinjoin amounts? seems fairly obviously bogus to me. Yes, in some cases with a lot of inputs, by chance some of the outputs will have a large anonymity set. But often many of the outputs will not. Enumerating all of them in the worst case can be expensive, but commonly enumerating some of them is cheap.
<gmaxwell> But what I don't get is why this seems to be non-obvious to anyone. Do people also think that big sudokus are intractable?
<gmaxwell> *if* you assume things like "every user could also be paying another user"-- arbitrarily, then sure, almost all mappings are valid. But that isn't how people use transactions.
<M7918070_[m]> The people who want to hide could just split their transactions up, no?
<M7918070_[m]> They could even frame others: If they see a 0.00716 BTC input, they could send a 0.00716 BTC output to the drug market/hitman just to mess with people.
<waxwing> i found myself thinking something more concrete though: if i wanted to use such a large coinjoin (eg 100 in/out) to do a payment, the problem is I'd be using 2 outs not an arbitrary number
<waxwing> and then you only have a number of possibilities quadratic in the number of outputs, which isn't nearly big enough (e.g. 100**2 cf range of possible output amounts like around 10^7 or 8 or something)
<waxwing> you can ofc just make random large numbers of outputs but that's problematic. anyway i think the main point of brittleness (it might be fine on average but maybe you are screwed in this particular case) hits the idea pretty hard.
<waxwing> oh i see now they were considering a setup like 100 in, 10 out, i was imagining something different (100 in, 100 out). well anyway.
<waxwing> was chatting with laurentmt on mastodon about it, he summarises the issue well imo: we tend to easily find upper bounds in these kinds of analyses, but they're useless, we need lower bounds.
<gmaxwell> right, the attacker wins if with decent odds, he can deanon *any* outputs... he doesn't have to deanon all outputs.
<gmaxwell> of course, one can use coinjoin in a way that doesn't strongly produce privacy to mess up simplistic analysis... I pointed this out in the original CJ thread (and for some reason the fact that I did this for a long time caused people to think that matching up outputs wasn't something that had been thought of)
<waxwing> yeah good point. if you don't look at it as intended to provide *guarantees*, then a whole variety of different designs are viable. so my quote of 'useless' above isn't entirely right, even an average case win can be interesting, from that pov.
<gmaxwell> well for example, in a future world where signature aggregation materially reduces transaction costs...
<gmaxwell> it would make a lot of sense to pretty eagerly try to coinjoin, even if you don't care about any privacy improvement at all.
<gmaxwell> and people coinjoining for privacy would be happy to take on some of those users to help share their fees and also because with the possibility that some users are join-paying, really every mapping is possible...
<waxwing> yeah i somehow try to straddle slightly conflicting views of it; on the one hand i've kind of campaigned for people to realise the 'intrinsic fungibility'; satoshis aren't watermarked; even basic transactions are not deterministically interpretable one-way only; while at the same time, we want to make a stab at creating a real confusion effect so that fixed-interpretation-analysis doesn't seem so plausible.
<waxwing> the economic incentive plus uneven amount area is the reason we should definitely keep our eye on these lines of thinking i guess.
<waxwing> in other news, we still need a trick that makes CT palatable so that this particular thorny issue is solved. that seems rather more on-topic :)
<gmaxwell> waxwing: rhavar had a thing where you could give your coins list to a server and it could compute a set of inputs for each party to send using an smt solver, that made the participants indistinguishable.
<M7918070_[m]> gmaxwell What about just rounding it? I'm not an expert on game theory, but isn't this a Schelling point? If you input 0.00719 BTC and get 7x 0.001 BTC outputs + 1 0.00019 BTC output, and everyone else does the same, then it's very fungible. And the remaining 0.00019 BTC output can be combined with other such outputs of yours in a new CoinJoin TXN to get new fungible homogeneously sized outputs.