1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
Return-Path: <ZmnSCPxj@protonmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id CBC9CC016F
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 10 Jun 2020 23:01:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id C83E488509
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 10 Jun 2020 23:01:55 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id GfvqxDnjcGNr
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 10 Jun 2020 23:01:53 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-40140.protonmail.ch (mail-40140.protonmail.ch
[185.70.40.140])
by whitealder.osuosl.org (Postfix) with ESMTPS id 6BF65884FB
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 10 Jun 2020 23:01:53 +0000 (UTC)
Date: Wed, 10 Jun 2020 23:01:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
s=protonmail; t=1591830110;
bh=JUc8Ht9aSd3ClrwwPVpmBOsYewXaFm8E9q6JnLCIJX8=;
h=Date:To:From:Reply-To:Subject:In-Reply-To:References:From;
b=I3Jki/NyqfhGyrRMeTyDn4ymr766SVUZY0kXRDgGtVgAp5374a4aZIiqUt1NO8MK9
mXlLe4VJ+eav6T7u5ijwb/DEWZHe1E7pPNJ1avqQYflVZcQMCSFJYViBgCdub+GKoQ
N3eFcess2LUsK6VQ0RnGTHbMHXrfdMIqiJ9RYvQE=
To: Chris Belcher <belcher@riseup.net>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <HOE_CSoWptTdBQtIqu4GTe0LlDZtnS1jEBUEf4H-wFlD7Il0-y8TikYWxGc2DPYYErJPMePIuwIO752TyNfIleKYPrkDzLQFh2l6FAKo6jU=@protonmail.com>
In-Reply-To: <e7ab27e5-e235-f6a2-5023-1cdda5c12d0b@riseup.net>
References: <CAEPKjgfbQoXkB=cEp5Jc28ZihRSQe50M2x7k6=AjW+Vo5f=79g@mail.gmail.com>
<e7ab27e5-e235-f6a2-5023-1cdda5c12d0b@riseup.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jun 2020 23:01:55 -0000
Good morning nopara73 and Chris,
> One way to resist a likely taint analysis attack is to involve other
> parts of the bitcoin economy in your transactions. For example our
> exchange thief could deposit and then withdraw his stolen coins through
> a Bitcoin Casino or other bitcoin service hot wallet. His coins might no
> longer be 100% tainted from the exchange hack but perhaps have 5%
> exchange hack, 5% bitcoin ATM, 5% mined coins, etc etc. The numbers are
> made up and they depend on the exact algorithm but the main point is
> that involving the rest of the bitcoin economy in your transaction is
> one practical way to stop taint analysis being a useful attack against
> on you.
>
> Another important point is that taint isn't part of bitcoin's code
> anywhere. It is an external reality that surveillance companies impose
> on users. The only reason taint has any influence is because of
> censorship, for example an exchange which uses the services of a
> surveillance company has the power to freeze funds (i.e. censor a
> transaction) if they believe the user's deposit transaction is tainted.
Adding on to this, we can consider the *economics* of taint.
Tainted coins are less valuable than untainted coins.
However, as pointed out as well, taint is not a consensus among all Bitcoin=
users.
There are no cryptographic underpinnings that would allow all nodes to agre=
e on their individual taint analysis.
The people knocking on doors often have limited amounts of reach: there are=
real economic barriers to the knock-on-doors people being shipped to the o=
ther side of the Earth (fuel costs, ammunition costs, sociopolitical knock-=
on effects....).
Thus, suppose I am a miner with N coins.
As the coins have no history, they are "completely clean", as it were.
As a miner, I exist somewhere in the universe.
It is possible that I exist in some location on Earth (we cannot know; plea=
se ignore scurrilous slander that I am somehow existent outside of time and=
space).
Now suppose you have some tainted coins.
As noted, those coins are tainted only within some jurisdiction.
Outside that jurisdiction, however, they have no taint (taint is not a glob=
al consensus).
If I happen to live outside the jurisdiction where your coins are tainted, =
and I have some clean freshly-mined coins, I can offer this deal to you:
* Give me N+1 tainted coins for my N clean coins.
Now, again, the premise here is that there exists no global knock-on-doors =
people who can come to my datacenter and start asking questions to the sysa=
ds administering my computational substrate.
In that case, you might very well take the deal:
* You have not lost economic power, because the tainted coins, in your juri=
sdiction, are of lower value than N+1 anyway, and might even have value bel=
ow that of N clean coins.
* I have gained economic power, because the tainted coins, in my jurisdicti=
on, are not tainted and have the same cleanliness as my fresh mined coins.
This is a simple example of gains from trade, this time from jurisdictional=
arbitrage, thus such deals will exist.
--
But that is specious, as it assumes that there exists no global knock-on-do=
ors people.
Obviously, there could exist one or more entities who are able to ship knoc=
ks-on-doors people all over the globe, taking advantage of economies of sca=
le and reinvestment (more knock-on-doors people to knock on doors of people=
they can extract more economic power from to hire more knock-on-doors peop=
le) to achieve practically global coverage.
Against this, we must remember that ultimately censorship resistance of the=
coin is what can protect against such an attacker, which can impose its ow=
n non-consensual-but-pretty-damn-important view of taint practically global=
ly.
Censorship resistance requires that owners of coins have control of the key=
s (your keys your coins) and that they can offer bribes to miners to get th=
eir transactions committed (mining fees).
Custodiality makes it easier for fewer knock-on-doors people to need to be =
shipped to stop certain activities.
Now, the Bitcoin Casino example is of course an example of not your keys no=
t your coins i.e. custodiality.
For the purpose of mixing, the "Bitcoin Casino" here is simply aggregating =
multiple UTXOs and then sending them back out to many other new UTXOs.
This is in fact the same operation that CoinJoin does, it aggregates multip=
le UTXOs and creates many new UTXOs to different clients with shared taint.
The advantage is that CoinJoin is still your keys your coins, you still own=
the keys with which to sign the CoinJoin transaction, and thus improve cen=
sorship resistance of your mixing operation.
For CoinSwap as well, we can consider that a CoinSwap server could make mul=
tiple CoinSwaps with various clients.
This leads to the CoinSwap server owning many small UTXOs, which it at some=
point aggregates into a large UTXO that it then uses to service more clien=
ts (for example, it serves many small clients, then has to serve a single l=
arge client that wants a single large UTXO for its own purposes).
This aggregation again leads to spreading of taint.
CoinSwap, in this regard, is something like the cofunctor of CoinJoin.
Again, the advantage here is that CoinSwap is still your keys your coins, c=
ompared to the situation with Bitcoin Casino which is custodial.
(@Chris: I think it would be a good design for SwapMarket makers to avoid s=
pending-together its owned coins when swapping, but if it *does* need to do=
so (i.e. its coins are all too split up and it becomes unable to serve a c=
lient without spending more than one coin in a tx), to spend-together *all*=
its UTXOs and try to serve as many takers as possible in a single tx, to s=
imulate precisely the batching operations that custodial services use, thus=
appearing as some new custodial service, without actually *being* custodia=
l.)
Thus, we should consider that CoinJoin and CoinSwap improve the censorship =
resistance, and thus improve our global resistance to a potential global at=
tacker using taint analysis.
Regards,
ZmnSCPxj
|
