Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1SAWDX-0001Tt-19 for bitcoin-development@lists.sourceforge.net; Thu, 22 Mar 2012 00:49:27 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.216.54 as permitted sender) client-ip=209.85.216.54; envelope-from=gmaxwell@gmail.com; helo=mail-qa0-f54.google.com; Received: from mail-qa0-f54.google.com ([209.85.216.54]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1SAWDW-0003uE-9l for bitcoin-development@lists.sourceforge.net; Thu, 22 Mar 2012 00:49:26 +0000 Received: by qao25 with SMTP id 25so42628qao.13 for ; Wed, 21 Mar 2012 17:49:20 -0700 (PDT) MIME-Version: 1.0 Received: by 10.224.202.66 with SMTP id fd2mr8777961qab.9.1332377360845; Wed, 21 Mar 2012 17:49:20 -0700 (PDT) Received: by 10.229.14.211 with HTTP; Wed, 21 Mar 2012 17:49:20 -0700 (PDT) In-Reply-To: References: Date: Wed, 21 Mar 2012 20:49:20 -0400 Message-ID: From: Gregory Maxwell To: Watson Ladd Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -1.1 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (gmaxwell[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.5 AWL AWL: From: address is in the auto white-list X-Headers-End: 1SAWDW-0003uE-9l Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] Proposal for a new opcode X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Mar 2012 00:49:27 -0000 On Wed, Mar 21, 2012 at 6:02 PM, Watson Ladd wrote: > -My protocol works, your's doesn't. It's not enough to have a mix, the > mix needs to be verifiable to avoid > one of the mixers inserting their own key and removing a key that > should be in there. That doesn't mean you can't make your protocol > work with some more magic, but magic is required. If the final step fails (someone says their address is missing) you challenge the mixes to disclose half of their correspondences. You can then prove which (if any) mixes defected. Why I didn't bother elaborating is ... I think you can even avoid the fancy protocol where you must take care to only disclose alternating halves at each mix because the addresses are throwaway: If the it fails in the final stage everyone publishes _everything_ and the cheater is instantly and provably identified and can be excluded from the next attempt which is then performed using totally new addresses and the disclosed addresses are never used. Care would need to be taken to avoid fake-failures (e.g. the exchange says 'it fails' triggering disclosure then sending anyways=E2=80=94 but the participants co= uld prove this cheating and stop using the exchange), I think there isn't much risk there if the participants are themselves the mixes. I need to think this through a bit more. [snip] > On a related note, private keys and signatures have better proofs of > knowledge then hashes. Has this been considered in the P2SH > conversation? There might be ways to use this to make even better > methods for enhancing anonymity. It's not something I thought about=E2=80=94 In general the P2SH tends to be a superset of other schemes, e.g. you can do a signature to prove you access to a private key, then you can show someone a script using that key to show control of a P2SH address. There are lot of interesting things you can do with bitcoin if you can construct (potentially interactive) proofs for knowing the preimages of has= hes.