From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0A04CC016F for ; Wed, 10 Jun 2020 20:10:30 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id BE958263CE for ; Wed, 10 Jun 2020 20:10:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9uL-HvQjQh2O for ; Wed, 10 Jun 2020 20:10:28 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) by silver.osuosl.org (Postfix) with ESMTPS id EB57F2413D for ; Wed, 10 Jun 2020 20:10:27 +0000 (UTC) Received: from bell.riseup.net (bell-pn.riseup.net [10.0.1.178]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 49hyll46rzzFdsv for ; Wed, 10 Jun 2020 13:10:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1591819827; bh=MRTKyG27Ji55UL1UnOBE/a7mH2eqwdcDqMAiy09WoV4=; h=Subject:To:References:From:Date:In-Reply-To:From; b=T14eSdGEgJghD2Uvla89G5KuHrql29d6+CAYZ3hYeZifo9C30ib6DnCxJykydZDPz rcyH8VFt0T7Nj87LS3wlXZCvWaT76ofA080G2VC71dEywIY2G63DlLbahqC0kDw1qu OCHneT1vXZdL153UOHigMP1D5YPFolN2SuRx/gWo= X-Riseup-User-ID: 6461C3B3E201568E80F150F72702E733DC69816CCD5B4781D179ADE3D1D5F0AE Received: from [127.0.0.1] (localhost [127.0.0.1]) by bell.riseup.net (Postfix) with ESMTPSA id 49hylk6BPmzJmvv for ; Wed, 10 Jun 2020 13:10:26 -0700 (PDT) To: bitcoin-dev@lists.linuxfoundation.org References: From: Chris Belcher Autocrypt: addr=belcher@riseup.net; prefer-encrypt=mutual; keydata= xsFNBFPk74oBEACzBLjd+Z5z7eimqPuObFTaJCTXP7fgZjgVwt+q94VQ2wM0ctk/Ft9w2A92 f14T7PiHaVDjHxrcW+6sw2VI2f60T8Tjf+b4701hIybluWL8DntG9BW19bZLmjAj7zkgektl YNDUrlYcQq2OEHm/MGk6Ajt2RA56aRKqoz22e+4ZA89gDgamxUAadul7AETSsgqOEUDI0FKR FODzoH65w1ien/DLkG1f76jd0XA6AxrESJVO0JzvkTnJGElBcA37rYaMmDi4DhG2MY4u63VE 8h6DyUXcRhmTZIAj+r+Ht+KMDiuiyQcKywCzzF/7Ui7YxqeAgjm5aPDU2E8X9Qd7cqHQzFM7 ZCqc9P6ENAk5a0JjHw0d0knApboSvkIJUB0j1xDIS0HaRlfHM4TPdOoDgnaXb7BvDfE+0zSz WkvAns9oJV6uWdnz5kllVCjgB/FXO4plyFCHhXikXjm1XuQyL8xV88OqgDFXwVhKrDL9Pknu sTchYm3BS2b5Xq1HQqToT3I2gRGTtDzZVZV0izCefJaDp1mf49k2cokDEfw9MroEj4A0Wfht 0J64pzlBYn/9zor5cZp/EAblLRDK6HKhSZArIiDR1RC7a6s7oTzmfn0suhKDdTzkbTAnDsPi Dokl58xoxz+JdYKjzVh98lpcvMPlbZ+LwIsgbdH4KZj7mVOsJwARAQABzR9DaHJpcyBCZWxj aGVyIDxmYWxzZUBlbWFpbC5jb20+wsF+BBMBAgAoBQJT5O+KAhsDBQkSzAMABgsJCAcDAgYV CAIJCgsEFgIDAQIeAQIXgAAKCRDvc06md/MRKS8jD/9P9fSYSIVjltL9brAMfIu7wJn0H0lX TbcuCM2uQitJ3BNxI3c7aq5dEby27u5Ud54otncDJuRPQVDKs6H7t1rInitgJ1MTQ9/aQGFA btKcgtVIMFbeClzTTfWr4W7fE45NI7E9EANgk5JfmWh3U+KINYLF5RtqynYocrsP6zOV+G9A HCpBemd9TN60CoMLMyMzTHEW1oQffaVAXY8DgthEYO/odWYIod7VTmEm0zU1aSysPqMwPWNm 8XIl0f8SfKQyZlAU8e1eCFVCenkE44FKC5qQNYc2UxexEYtfCWChTGc4oHKxIyYmTCCefsQF LvgwtvlNHRXHSDKSPSNcRcpl8DFpNEKrmMlkJ8Mx+YR05CydlTQ0bI3FBohJC+UHrjD5I3hA wJUC1o+yVSOEd+zN3cG1EECIwkEQSmBgG5t/le2RdzfXOdpf9ku2/zoBpq00R54JxUKlfRM7 OPTv7X+1AKHkxOySdCZwGgvdh2Whuqs4kTvtco00gCFM9fBd5oi1RJuHtxHsj8+/XU15UItb jeo96CIlM5YUeoRLPT5mxZYWgYAARFeSFReNq/Tuwq9d8EokUrtAyrPayznliy53UJfWDVzl 925c0Cz0HWaP2fWj+uFcj/8K0bhptuWJQy0Poht1z3aJC1UjEgr1Xz8I7jeSJmIlA9plcJw2 k4dhWc7BTQRT5O+KARAAyFxAM28EQwLctr0CrQhYWZfMKzAhCw+EyrUJ+/e4uiAQ4OyXifRr ZV6kLRul3WbTB1kpA6wgCShO0N3vw8fFG2Cs6QphVagEH8yfQUroaVxgADYOTLHMOb7INS8r KI/uRNmE6bXTX27oaqCEXLMycqYlufad7hr42S/T8zNh5m2vl6T/1Poj2/ormViKwAxM+8qf xd8FNI4UKmq2zZE9mZ5PiSIX0qRgM0yCvxV39ex/nhxzouTBvv4Lb1ntplR/bMLrHxsCzhyM KDgcX7ApGm+y6YEsOvzw9rRCRuJpE4lth8ShgjTtNTHfklBD6Ztymc7q7bdPWpKOEvO5lDQ6 q8+KfENv862cOLlWLk7YR2+mHZ1PXGhWC7ggwEkfGJoXo0x8X+zgUKe2+9Jj4yEhfL0IbFYC z2J5d+cWVIBktI3xqkwLUZWuAbE3vgYA4h8ztR6l18NTPkiAvpNQEaL4ZRnAx22WdsQ8GlEW dyKZBWbLUdNcMmPfGi5FCw2nNvCyN6ktv5mTZE12EqgvpzYcuUGQPIMV9KTlSPum3NLDq8QI 6grbG8iNNpEBxmCQOKz2/BuYApU2hwt2E44fL8e6CRK3ridcRdqpueg75my6KkOqm8nSiMEc /pVIHwdJ9/quiuRaeC/tZWlYPIwDWgb8ZE/g66z35WAguMQ+EwfvgAUAEQEAAcLBZQQYAQIA DwUCU+TvigIbDAUJEswDAAAKCRDvc06md/MRKaZwD/9OI3o3gVmst/mGx6hVQry++ht8dFWN IiASPBvD3E5EWbqWi6mmqSIOS6CxjU0PncxTBPCXtzxo/WzuHGQg/xtNeQ0T8b2lBScZAw93 qm1IcHXLUe5w/Tap6YaDmSYCIZAdtbHzYfPW4JK7cmvcjvF8jhTFOBEOFVQkTi19G7caVot0 +wL1e2DRHDXAe5CinEpaLBlwHeEu/5j6wc3erohUZlK9IbAclj4iZTQbaq3EyqUXl59dBOON xmL5edJxzVishIYQGIyA9WP1SylXt+kO82NEqZG2OxdXAlzjuJ8C2pAG+nbLtDo4hcsiN/MA aX9/JB7MXclT5ioerF4yNgKEdfq7LmynsTUd8w/Ilyp7AD+BWoujyO94i8h9eKvjf9PvSwxQ uAjRpxne7ZJD8vCsMNXBHSbeEK2LiwStHL/w473viXpDD53J6OLxX6a5RummR+rixbMH7dgK MJQ7FlyDphm3or6CSkGEir1KA0y1vqQNFtHhguFapAWMDKaJjQQNgvZUmOo6hbZqmvUF1OWc d6GA6j3WOUe3fDJXfbq6P9Jmxq64op887dYKsg7xjQq/7KM7wyRcqXXcbBdgvNtVDP+EnzBN HyYY/3ms4YIHE5JHxQ9LV4yPcWkYTvb1XpNIFVbrSXAeyGHVNT+SO6olFovbWIC3Az9yesaM 1aSoTg== Message-ID: Date: Wed, 10 Jun 2020 21:10:19 +0100 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jun 2020 20:10:30 -0000 Hello nopara73, On 10/06/2020 13:32, nopara73 via bitcoin-dev wrote: > The problem with CoinJoins is that desire for privacy is explicitly > signalled by them, so adversaries can consider them "suspicious." PayJoin > and CoinSwap solve this problem, because they are unnoticeable. I think > this logic doesn't stand for scrutiny. > >>>From here on let's use the terminology of a typical adversary: there are 3 > kinds of coin histories: "clean", "dirty" and "suspicious". > The aftermath of you using a "dirty" coin is knocks on your door. You using > a "suspicious" coin is uncomfortable questions and you using a "clean" coin > is seamless transfer. > > In scenario 1, you start out with a "clean" history. By using CoinJoins you > make your new coin's history "suspicious" so you have no incentive to > CoinJoin. By using CoinSwap/PayJoin your new coin can be either "clean" or > "dirty". What would a "clean" coin owner prefer more? Take the risk of > knocking on the door or answering uncomfortable questions? > > In scenario 2, you start out with a "dirty" history. By using CoinJoins you > make your new coin's history "suspicious" so you have an incentive to > CoinJoin. By using CoinSwap/PayJoin your new coin can either be "clean" or > "dirty". What would a "dirty" coin owner prefer more? And here's an > insight: you may get knocks on your door for a dirty coin that you have > nothing to do with. And you can prove this fact to the adversary, but by > doing so, you'll also expose that you started out with a "dirty" coin to > begin with and now the adversary becomes interested in you for a different > reason. > > You can also examine things assuming full adoption of PJ/CS vs full > adoption of CJ, but you'll see that full adoption of any of these solves > the tainting issue. > > So my current conclusion is that PJ/CS does not only not solve the taint > problem, it just alters it and ultimately very similar problems arise for > the users. Maybe the goal of unobservable privacy is a fallacy in this > context as it is based on the assumption that desiring privacy is > suspicious, so you want to hide the fact that you desire privacy. And the > solution to the taint issue is either protocol change or social change > (decent adoption.) > > PS.: Please try to keep the conversation to the Taint Issue as this email > of mine isn't supposed to be discussing general pros and cons of various > privacy techniques. > > Any thoughts? > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > There are two concepts here: Taint analysis and the detectableness of privacy protocols. Taint analysis is quite an old technique, I remember seeing the blockchain.info explorer having a tool for calculating a value for taint back in 2013, long before any widely-used CoinJoin implementations were created. I think taint was first created to attack the privacy technique of simply sending coins to yourself multiple times. If those coins were for example stolen from an exchange's hot wallet then the taint between the exchange addresses and the later addresses would still be 100% even if the thief sent the coins to himself multiple times. A very important point is that it's difficult to reason about taint analysis algorithms because they are often hypothetical, likely closed-source, not available to the public for review and changing all the time. OP talks about the three categories "clean", "dirty" and "suspicious" which is one possibility. I've read about other taint analysis algorithms which result in a numerical score out of 100. Blockchain.info's algorithm calculated taint as a number expressing the relation between any two addresses, so it wouldn't make sense to say "an address" is tainted, instead you have to talk about a pair of addresses being tainted with each other. So even though it's hard to reason about the exact algorithm we can still talk about likely situations, and imagine what an adversary could do in the worst case or best case. One way to resist a likely taint analysis attack is to involve other parts of the bitcoin economy in your transactions. For example our exchange thief could deposit and then withdraw his stolen coins through a Bitcoin Casino or other bitcoin service hot wallet. His coins might no longer be 100% tainted from the exchange hack but perhaps have 5% exchange hack, 5% bitcoin ATM, 5% mined coins, etc etc. The numbers are made up and they depend on the exact algorithm but the main point is that involving the rest of the bitcoin economy in your transaction is one practical way to stop taint analysis being a useful attack against on you. Another important point is that taint isn't part of bitcoin's code anywhere. It is an external reality that surveillance companies impose on users. The only reason taint has any influence is because of censorship, for example an exchange which uses the services of a surveillance company has the power to freeze funds (i.e. censor a transaction) if they believe the user's deposit transaction is tainted. Therefore a way to resist the taint analysis attack is to actually use bitcoin as money, I.E. earn bitcoin, spend it with merchants, who then spend it with other merchants or pay their employees, where most entities along those links actually dont use a taint analysis algorithm. This is a general principle of bitcoin privacy by the way, if every entry- and exit-point requires giving up personal information then privacy is dead, regardless of whether we use CoinJoin/PayJoin/CoinSwap/whatever in between. This is a good place to again shill this list of peer-to-peer exchanges: https://github.com/cointastical/P2P-Trading-Exchanges/ So that's taint. Now for privacy protocols like CoinJoin. They also involve the rest of the bitcoin economy, because many different users link their coins together when using CoinJoin/PayJoin/CoinSwap/etc, so such protocols can be a way to resist taint analysis too just like the Bitcoin Casino mentioned earlier. However, what I think OP is talking about is the case where taint algorithms are reprogrammed to not just track exchange hack addresses, but also track privacy protocol transactions. So for example if the hypothetical taint algorithm comes across an Equal-Output CoinJoin it will assign it a different taint score even if its not linked to an exchange hack or anything like that. Such a reprogramming wouldn't be possible in undetectable privacy protocols like PayJoin and CoinSwap. They will have the economy-mixing effect of reducing taint (just like the Bitcoin Casino example above), but as OP writes that can just lead to the wrong person being under suspicion. And so such protocols on their own cant resist taint analysis forever, which is the point is OP making as well. The only permanent solution to taint analysis as I've mentioned is to use bitcoin as money, away from centralized choke points that can censor transactions and demand personal information. It's worth pointing out that using bitcoin as money wont help our exchange hacker much, this hacker will never be able to buy mansions or sports cars with their stolen bitcoin, because the authorities already require proof of the origin of funds before, for example, buying a big mansion. Nonetheless, unobservable privacy is also useful for other reasons than resisting taint analysis: * It improves the privacy of people who do not use it. * It helps stops censorship of privacy protocols (I.E. miners could one day refuse to mine equal-output CoinJoin transactions but still mine regular transactions) * It typically uses less block space, because information is removed from the blockchain rather than adding to the blockchain. Regards Chris Belcher