diff options
| author | ZmnSCPxj <ZmnSCPxj@protonmail.com> | 2020-06-10 23:01:46 +0000 |
|---|---|---|
| committer | bitcoindev <bitcoindev@gnusha.org> | 2020-06-10 23:01:55 +0000 |
| commit | da3fc33ffce3e3609a8ee0872302dd452cf24a30 (patch) | |
| tree | 6c950f6a135e013328adc31770ba53649f7f3665 | |
| parent | e25b0c415e63cb6233df15b8cb76786a91817ac8 (diff) | |
| download | pi-bitcoindev-da3fc33ffce3e3609a8ee0872302dd452cf24a30.tar.gz pi-bitcoindev-da3fc33ffce3e3609a8ee0872302dd452cf24a30.zip | |
Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap
| -rw-r--r-- | 8e/b3f49990f2c45814eeb75436760cdb12fa29fa | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/8e/b3f49990f2c45814eeb75436760cdb12fa29fa b/8e/b3f49990f2c45814eeb75436760cdb12fa29fa new file mode 100644 index 000000000..17ea19322 --- /dev/null +++ b/8e/b3f49990f2c45814eeb75436760cdb12fa29fa @@ -0,0 +1,182 @@ +Return-Path: <ZmnSCPxj@protonmail.com> +Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) + by lists.linuxfoundation.org (Postfix) with ESMTP id CBC9CC016F + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 10 Jun 2020 23:01:55 +0000 (UTC) +Received: from localhost (localhost [127.0.0.1]) + by whitealder.osuosl.org (Postfix) with ESMTP id C83E488509 + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 10 Jun 2020 23:01:55 +0000 (UTC) +X-Virus-Scanned: amavisd-new at osuosl.org +Received: from whitealder.osuosl.org ([127.0.0.1]) + by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id GfvqxDnjcGNr + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 10 Jun 2020 23:01:53 +0000 (UTC) +X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 +Received: from mail-40140.protonmail.ch (mail-40140.protonmail.ch + [185.70.40.140]) + by whitealder.osuosl.org (Postfix) with ESMTPS id 6BF65884FB + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 10 Jun 2020 23:01:53 +0000 (UTC) +Date: Wed, 10 Jun 2020 23:01:46 +0000 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; + s=protonmail; t=1591830110; + bh=JUc8Ht9aSd3ClrwwPVpmBOsYewXaFm8E9q6JnLCIJX8=; + h=Date:To:From:Reply-To:Subject:In-Reply-To:References:From; + b=I3Jki/NyqfhGyrRMeTyDn4ymr766SVUZY0kXRDgGtVgAp5374a4aZIiqUt1NO8MK9 + mXlLe4VJ+eav6T7u5ijwb/DEWZHe1E7pPNJ1avqQYflVZcQMCSFJYViBgCdub+GKoQ + N3eFcess2LUsK6VQ0RnGTHbMHXrfdMIqiJ9RYvQE= +To: Chris Belcher <belcher@riseup.net>, + Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org> +From: ZmnSCPxj <ZmnSCPxj@protonmail.com> +Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com> +Message-ID: <HOE_CSoWptTdBQtIqu4GTe0LlDZtnS1jEBUEf4H-wFlD7Il0-y8TikYWxGc2DPYYErJPMePIuwIO752TyNfIleKYPrkDzLQFh2l6FAKo6jU=@protonmail.com> +In-Reply-To: <e7ab27e5-e235-f6a2-5023-1cdda5c12d0b@riseup.net> +References: <CAEPKjgfbQoXkB=cEp5Jc28ZihRSQe50M2x7k6=AjW+Vo5f=79g@mail.gmail.com> + <e7ab27e5-e235-f6a2-5023-1cdda5c12d0b@riseup.net> +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf-8 +Content-Transfer-Encoding: quoted-printable +Subject: Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.15 +Precedence: list +List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Wed, 10 Jun 2020 23:01:55 -0000 + +Good morning nopara73 and Chris, + + +> One way to resist a likely taint analysis attack is to involve other +> parts of the bitcoin economy in your transactions. For example our +> exchange thief could deposit and then withdraw his stolen coins through +> a Bitcoin Casino or other bitcoin service hot wallet. His coins might no +> longer be 100% tainted from the exchange hack but perhaps have 5% +> exchange hack, 5% bitcoin ATM, 5% mined coins, etc etc. The numbers are +> made up and they depend on the exact algorithm but the main point is +> that involving the rest of the bitcoin economy in your transaction is +> one practical way to stop taint analysis being a useful attack against +> on you. +> +> Another important point is that taint isn't part of bitcoin's code +> anywhere. It is an external reality that surveillance companies impose +> on users. The only reason taint has any influence is because of +> censorship, for example an exchange which uses the services of a +> surveillance company has the power to freeze funds (i.e. censor a +> transaction) if they believe the user's deposit transaction is tainted. + +Adding on to this, we can consider the *economics* of taint. + +Tainted coins are less valuable than untainted coins. + +However, as pointed out as well, taint is not a consensus among all Bitcoin= + users. +There are no cryptographic underpinnings that would allow all nodes to agre= +e on their individual taint analysis. + +The people knocking on doors often have limited amounts of reach: there are= + real economic barriers to the knock-on-doors people being shipped to the o= +ther side of the Earth (fuel costs, ammunition costs, sociopolitical knock-= +on effects....). + +Thus, suppose I am a miner with N coins. +As the coins have no history, they are "completely clean", as it were. + +As a miner, I exist somewhere in the universe. +It is possible that I exist in some location on Earth (we cannot know; plea= +se ignore scurrilous slander that I am somehow existent outside of time and= + space). + +Now suppose you have some tainted coins. +As noted, those coins are tainted only within some jurisdiction. +Outside that jurisdiction, however, they have no taint (taint is not a glob= +al consensus). + +If I happen to live outside the jurisdiction where your coins are tainted, = +and I have some clean freshly-mined coins, I can offer this deal to you: + +* Give me N+1 tainted coins for my N clean coins. + +Now, again, the premise here is that there exists no global knock-on-doors = +people who can come to my datacenter and start asking questions to the sysa= +ds administering my computational substrate. + +In that case, you might very well take the deal: + +* You have not lost economic power, because the tainted coins, in your juri= +sdiction, are of lower value than N+1 anyway, and might even have value bel= +ow that of N clean coins. +* I have gained economic power, because the tainted coins, in my jurisdicti= +on, are not tainted and have the same cleanliness as my fresh mined coins. + +This is a simple example of gains from trade, this time from jurisdictional= + arbitrage, thus such deals will exist. + +-- + +But that is specious, as it assumes that there exists no global knock-on-do= +ors people. +Obviously, there could exist one or more entities who are able to ship knoc= +ks-on-doors people all over the globe, taking advantage of economies of sca= +le and reinvestment (more knock-on-doors people to knock on doors of people= + they can extract more economic power from to hire more knock-on-doors peop= +le) to achieve practically global coverage. + +Against this, we must remember that ultimately censorship resistance of the= + coin is what can protect against such an attacker, which can impose its ow= +n non-consensual-but-pretty-damn-important view of taint practically global= +ly. + +Censorship resistance requires that owners of coins have control of the key= +s (your keys your coins) and that they can offer bribes to miners to get th= +eir transactions committed (mining fees). +Custodiality makes it easier for fewer knock-on-doors people to need to be = +shipped to stop certain activities. + +Now, the Bitcoin Casino example is of course an example of not your keys no= +t your coins i.e. custodiality. + +For the purpose of mixing, the "Bitcoin Casino" here is simply aggregating = +multiple UTXOs and then sending them back out to many other new UTXOs. + +This is in fact the same operation that CoinJoin does, it aggregates multip= +le UTXOs and creates many new UTXOs to different clients with shared taint. +The advantage is that CoinJoin is still your keys your coins, you still own= + the keys with which to sign the CoinJoin transaction, and thus improve cen= +sorship resistance of your mixing operation. + +For CoinSwap as well, we can consider that a CoinSwap server could make mul= +tiple CoinSwaps with various clients. +This leads to the CoinSwap server owning many small UTXOs, which it at some= + point aggregates into a large UTXO that it then uses to service more clien= +ts (for example, it serves many small clients, then has to serve a single l= +arge client that wants a single large UTXO for its own purposes). +This aggregation again leads to spreading of taint. +CoinSwap, in this regard, is something like the cofunctor of CoinJoin. +Again, the advantage here is that CoinSwap is still your keys your coins, c= +ompared to the situation with Bitcoin Casino which is custodial. + +(@Chris: I think it would be a good design for SwapMarket makers to avoid s= +pending-together its owned coins when swapping, but if it *does* need to do= + so (i.e. its coins are all too split up and it becomes unable to serve a c= +lient without spending more than one coin in a tx), to spend-together *all*= + its UTXOs and try to serve as many takers as possible in a single tx, to s= +imulate precisely the batching operations that custodial services use, thus= + appearing as some new custodial service, without actually *being* custodia= +l.) + +Thus, we should consider that CoinJoin and CoinSwap improve the censorship = +resistance, and thus improve our global resistance to a potential global at= +tacker using taint analysis. + +Regards, +ZmnSCPxj + |