--- Day changed Thu Feb 14 2019
01:12 -!- puddinpop [~puddinpop@unaffiliated/puddinpop] has quit [Remote host closed the connection]
02:45 -!- siom_ [~siom@31.13.191.152] has joined #joinmarket
04:36 -!- drBtc [9a48a857@gateway/web/freenode/ip.154.72.168.87] has joined #joinmarket
04:37 < drBtc> I can sell your bitcoins for you and send you western Union
04:41 < drBtc> everyone here is silent
04:51 < belcher> drBtc trading bitcoins here is off topic, try #bitcoin-otc
06:18 -!- drBtc [9a48a857@gateway/web/freenode/ip.154.72.168.87] has quit [Ping timeout: 256 seconds]
07:12 -!- undeath [~undeath@hashcat/team/undeath] has joined #joinmarket
07:20 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Excess Flood]
07:21 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #joinmarket
08:20 < midnightmagic> belcher_: hey.. uh.. is that PoR guy asserting that the Joinmarket project key was swept into MtGox or something? Am I just reading that wrong?
09:06 < midnightmagic> Weird. Buddy's being pretty aggressive about it.
09:08 < belcher> midnightmagic laurenmt, me and a few others said his analysis on QuadrigaCX had some flaws and he took it personally
09:08 < belcher> he probably lost some money on that exchange so passions are running high
09:09 < midnightmagic> belcher: :-( The samourai dev I think is aiming to take that bounty.
09:09 < belcher> theres no way that guy will give out $1000
09:10 < midnightmagic> belcher: gmax also criticized the qcx analysis. He seems sure enough about himself that I get the feeling I'm misinterpreting him somehow.
09:10 < midnightmagic> This is the reason why I never post anything about chain analysis. :(
09:10 < belcher> yes
09:11 < midnightmagic> belcher: There's a friend of mine who's including wallet fee behaviour in coinjoin disambiguation for his own analysis. I mean state-of-the-art is good but as far as I can tell nobody else is doing that.
09:11 < midnightmagic> or rather.. nobody else is doing that publicly.
09:11 < belcher> what exactly is he doing?
09:12 < midnightmagic> Different wallets pay different fees based on block pressures-- and it's consistent enough that if two wallets coinjoin perfectly, the fees they pay in subsequent transactions appear to identify them uniquely.
09:13 < midnightmagic> (Sometimes.)
09:13 < belcher> but only like 3 wallet softwares even create coinjoins, i dont see how that helps. i must be missing something?
09:15 < midnightmagic> manual coinjoins still go on. anything that can be coerced into signing a tx. also, fees can be used to better-detect what are change addresses too.
09:15 < midnightmagic> electrum wallet..
09:15 < waxwing> midnightmagic, you should know that joinmarket gives the user the option of either using Bitcoin Core's estimate or specifying their own sats/byte fixed rate, but specifically randomizes the latter to avoid watermarking.
09:15 < midnightmagic> belcher: bitcoin-core of different versions also change how much fees they pay.
09:16 < midnightmagic> waxwing: that doesn't help for historical data. :( but I'm glad to hear it.
09:16 < waxwing> so i don't think JM watermarks individual users by their fee choice; but ofc JM txs are trivially watermarked as such, basically always.
09:16 < belcher> any idea how many manual coinjoins even happen? it must be very few as it involves interactivity and raw transactions
09:16 < waxwing> yeah for the first year-2years it was even just a constant number.
09:16 < midnightmagic> Ah. Sorry I'm not being clear. When I refer to coinjoins I'm referring specifically to manually-done coinjoins by people attempting to be careful about it.
09:17 < belcher> ok i see
09:17 < midnightmagic> I'm not trying to assert anything about JM.
09:17 < waxwing> (oh i'm forgetting, it being constant was fine, it's when users can choose but fix it there's a problem)
09:17 < midnightmagic> I would refer to JM joins as JM joins..
09:17 < belcher> that could be an interesting heuristic for finding the change addresses of non-coinjoins
09:18 < waxwing> midnightmagic, electrum, hmm that's interesting, but it has more than one allowed approach to fees, you can set it statically yourself if you want (i've done that, often).
09:18 < midnightmagic> belcher: he has a whole bag of weird tricks, and he's done the work to attempt to verify how clear they are on his own. And I think he may be one of the very few people who has a full copy of the mtgox data.
09:19 < belcher> theres a lot of papers published listing ideas of clustering together addresses and transactions, iv been reading them a lot lately
09:19 < waxwing> but if you coinjoin with one guy on electrum and another guy on something else (e.g. joinmarket but not coinjoin) then it'd be very easy to distinguish the outgoing via other watermarks.
09:19 < belcher> do you know if he has anything new compared to whats already been published?
09:19 < midnightmagic> waxwing: I suspect that manual fee payment of more-than-necessary based on fee pressures is probably just collected into a single bucket in that case.
09:20 < midnightmagic> belcher: I would guess so. He has an incredibly gifted and compulsive mind, but I don't stay up on what's published, and I also don't have a complete list of stuff my friend does.
09:21 < midnightmagic> belcher: I do know that there is historical data in scraped sites and twitter results that is more comprehensive than anything I've ever heard of.
09:21 < waxwing> the problem with blockchain analysis speaking generally is not that there isn't a ton of data getting leaked, it's that almost all of it is deniable. so good for clues for a detective, terrible for proving anything.
09:21 < belcher> midnightmagic has he taken any measures to stop him fooling himself? usually this is called finding the ground truth
09:22 < belcher> so he can check whether his ideas work in reality
09:24 < belcher> so for example jonas nick studied clustering heuristics in his masters thesis, and then collected bip37 filters and used them to check whether his heuristics worked
09:24 < midnightmagic> waxwing: Yes!! Exactly. That's partly why I speak up about sites like walletexplorer at all. They assert things, and asserting things leads to problems like .. can't find it now, but there was a user who reported police busted his door down thanks to a shitty geo-coordinate on blockchain.info in the bitcoin issues database.
09:25 < belcher> also you can get two different people using the same wallet software
09:26 < belcher> so a transaction between them wont show up using wallet fingerprinting analysis
09:26 < midnightmagic> belcher: I.. don't know actually. :-) He tries hard to be careful about being right about things. He verifies things a lot. I think the fee-based model for wallet behaviour was something he collected data on, then attempted to verify with a prediction model he developed.
09:26 < midnightmagic> belcher: Right, so in the case when two people use the same thing, then there's nothing to disambiguate based on the fees paid.
09:27 < belcher> well if he's interested in improving privacy tell him to come in this channel
09:27 < belcher> im in the process of writing a big literature review about everything related to privacy in bitcoin so a lot of this stuff is fresh in my mind
09:27 < midnightmagic> I think the idea is that the fees paid in different wallets -- versus the same wallet, or even in upgraded versions of the same wallet for example -- would suggest but not assert, two different people.
09:28 < midnightmagic> belcher: I would *love* to see a collection or meta-analysis of "what is currently known", myself.
09:28 < belcher> you can also do wallet fingerprinting with bip69, counting the number of inputs/outputs, nlocktime, low-R value signatures, (un)compressed keys, address formats, address types, scripts
09:28 < midnightmagic> Yes, exactly.
09:28 < midnightmagic> Well. I mean.. "vehement agreement."
09:29 < belcher> from my reading the most effective analysis is CIOH and address reuse used together
09:29 < midnightmagic> I'm really looking after my own interests when I point out the flaws in the clustering, because I would really hate to have to state that X tx are mine just because someone thinks my coins are part of QCX's cold wallet.
09:29 < waxwing> sequence as well as locktime. also version number. a bit here, a bit there.
09:29 < midnightmagic> That would annoy me to *no end.*
09:29 < belcher> ty waxwing i forgot about version number
09:29 < waxwing> bip 69 is an interesting one. i guess it's less than one bit per tx but it adds up :)
09:30 < belcher> one-input-two-output randomly-ordered transactions follow bip69 50% of the time just by chance
09:31 < waxwing> yeah, that's why i was saying < 1 , i remember having that explained to me
09:31 < belcher> im putting the finishing touches to it midnightmagic so it should be one of these days
09:31 < belcher> it will be on the bitcoin wiki
09:32 < belcher> trouble is its always easy to go on google scholar and find yet more papers
09:32 < belcher> yesterday i found a really great paper about tracking ransomware payments
09:32 < waxwing> coin selection e.g. UIH thing is conceivably a quite meaningful watermark too (i guess that's broader than your 'counting ins/outs')
09:33 < belcher> UIH isnt a way to wallet fingerprint, only to detect change addresses
09:33 < belcher> but coin selection in general might be, ill add it without elaborating much
09:34 < waxwing> why isn't it? if some wallets have code that categorically never violates it
09:34 < waxwing> and others don't
09:34 < belcher> UIH is that idea where one of the inputs is unnecessary
09:34 < waxwing> yes. i'm saying some wallets' selection code makes it so that that never happens.
09:35 < belcher> wallet fingerprinting is where you figure out which wallet made a transaction, and if you look at many chained-together transactions then its easy to see which the change output was
09:35 < belcher> all i mean is UIH doesnt go in the section called wallet fingerprinting :)
09:36 < waxwing> i still don't see what you mean. just like JM uses version 1 only, and that is useful for fingerprinting, so if a tx violates UIH2 say, it can be used as a bit of information telling you that it's not wallet X, which never violates UIH2.
09:36 < belcher> change output detection can be done in many ways, UIH is one way to do it, wallet fingerprinting is another way to do it
09:37 < belcher> theres also many ways to do wallet fingerprinting, one of them is studying the coin selection algorithm (which might also affect UIH)
09:38 < waxwing> ok it seems more of a tangle over exact definitions, so we agree that coin selection is one potential way of fingerprinting wallets.
09:38 < belcher> a tangle over which category something goes in id say
09:39 < belcher> avoiding creating change outputs is the best thing to do, if possible
09:39 < waxwing> so like the case of 2 ins: 10btc, 1 btc and outs 9btc, 2btc, here the wallet has selected (10,1) though it only needed the 10. that's coin selection, and it's a "violation" of one of the UIH things, and it's a fingerprint. no?
09:40 < waxwing> (damn my spacebar is screwed, a bit slow)
09:40 < belcher> waxwing i agree with you
09:40 < belcher> in that example we (maybe) get two pieces of information
09:40 < belcher> what may also have happened is the wallet decided miner fees were cheap and took the opportunity to consolidate utxos
09:41 < waxwing> unquestionably; i'm not making a claim about any particular wallet; but in discussions with harding he suggested, i think rightly, that there are wallets out there with ultra-simple coin selection which wouldn't do that.
09:41 < belcher> yep
09:42 < belcher> wallet fingerprinting needs more than one transaction to find a change address.. so if you had a transaction with two outputs and both remain unspent then you cant use wallet fingerprinting to tell which was change
09:42 < belcher> but UIH might still work in that situation, even if both outputs are unspent
09:42 -!- siom_ [~siom@31.13.191.152] has quit [Remote host closed the connection]
09:51 < belcher> maybe the "common input ownership heuristic" is better called the "multi input ownership heuristic" or MIOH ?
09:53 < waxwing> i tried to call it nakamoto/meiklejohn and 'heuristic 1' because that's what it was called in a fistful of bitcoins
09:53 < belcher> i dont like those names because they're not descriptive enough
09:53 < waxwing> i think it was pretty much CIOH not MIOH though
09:54 < belcher> yeah maybe its not worth changing it, idk
09:54 < waxwing> JM has MIO
09:54 < belcher> MIO?
09:54 < belcher> multi input ownership
09:55 < waxwing> i suppose it'd have to be "All Input Common Ownership" to be fully disambiguated.
09:55 < belcher> "common" means "shared" in that context, "multi" means more than one
09:55 < belcher> yes maybe "common" is better
09:55 < belcher> or even "shared" but i prefer "common"
09:56 < belcher> jonas nick in his master thesis calls it "multi input heuristic" and it has a bunch of other names so i dont think our decision will even have much effect on the rest of the community
09:56 < belcher> i wonder what name chainalysis uses
09:57 * midnightmagic grumbles about apparent attempts to revert privacy developments with XT
09:58 < belcher> BitcoinXT ? what year is it? :p
10:00 < waxwing> lol retarded https://twitter.com/BotFaketoshi/status/1095976040663400448
10:01 < belcher> hmm theres a typo in jonas nick's masters thesis
10:02 < belcher> whats his irc name, is he in here? i suppose he published it in 2015 so probably doesnt care now
10:02 < waxwing> nickler
10:02 < waxwing> not in this chan it seems
10:03 < d3spwn> i suppose he'll publish that along the fatal flaw in segwit
10:04 < undeath> but it's anyone can spend, can't you see it??? everyone will just steal your segwit coins!
10:05 < d3spwn> can everyone steal everyones coins at the same time even though
10:06 < belcher> you're talking about faketoshi rather than nickler xD
10:08 < belcher> hey remember when bip37 was really commonly used and we were all in despair at how terrible it was for privacy? im glad we've moved past that now.... (/me looks at bisq)
10:08 < belcher> PRs welcome i guess
10:47 < belcher> midnightmagic it says the name of the owner of walletexplorer.com down on the site's footer
11:13 < undeath> how useful are sweep cjs? It seems there is a high chance of finding a taker's inputs in a sweep cj by a simple subset sum.
11:32 < belcher> but also they dont have change outputs
11:32 < undeath> yes, that's exactly why finding the inputs of the taker is so easy
11:34 < undeath> you just need to find some set of inputs whose total value is close to and above the cj amount
11:37 < belcher> depending on your threat model, the taker's inputs might already be known
11:38 < belcher> for example if a user buys bitcoin from an exchange and sends it to joinmarket then does a sweep coinjoin, the takers inputs are known but the exchange already knew about them
11:38 < belcher> the outputs are hidden which is what matters
11:38 < belcher> but yes doing a sweep coinjoin in other situations might not make sense
11:39 < belcher> like if you're sending /to/ an exchange and you're concerned about it spying on you
11:39 < belcher> but then theres also the benefit of not having a change address, so idk
11:45 < undeath> well, just not having a change address can be achieved in a cheaper way than a cj :)
11:46 < belcher> but then you dont introduce unlinkable coinjoin outputs
11:46 < belcher> i.e. the takers inputs can all be linked together, but you dont know which coinjoin output they ended up in
11:47 < undeath> yes, that use case you state is of course valid
11:47 < undeath> but only for the sake of having no change left it's not
11:47 < undeath> ;)
11:50 < undeath> has there been any research on how hard it is by trying to break the tumbler algorithm by trying to figure out the taker's outputs in a chain of cjs by looking at the fees paid?
11:50 < undeath> s/by //
11:50 < belcher> i think there hasnt
11:51 < belcher> the only research i know of is waxwing's, mine and malte moser's
11:51 < belcher> look up this paper called "join me on a market for anonymity", though note it was written in 2016 or something
11:52 < undeath> will have a look at it, thanks
11:55 < undeath> ugh, i meant "by trying to figure out the taker's inputs", not outputs
12:59 < waxwing> belcher, it suddenly occurred to me yesterday what the answer to that thing we were discussing in the pub is: you need every point on the curve P to have a negative, so there needs to be a point such that the line between P and that point "intersects" a third time at "zero" i.e. the identity. that point is the point at infinity and the line is vertical. that's why you need the y to be squared.
13:00 < belcher> ooh nice
13:00 < belcher> so that provides the identity property of the group
13:00 < belcher> (it is called the identity property right?)
13:03 < waxwing> well yes and the inverse
13:03 < waxwing> iirc for a group it's identity, inverse, closure
13:03 < waxwing> it's always hard to remember those lists exactly :)
13:03 < waxwing> commutativity isn't required, but if you have that it's called "abelian"
13:04 < waxwing> associativity may be required, i forget.
13:12 < belcher> wikipedia says associativity is required
13:14 < waxwing> yeah somehow i always skip over that one, it's boring:) (and iirc for elliptic curves it's a monstrously annoying piece of algebra)
13:14 < belcher> its A + B = B + A ?
13:14 < waxwing> no that's commutativity
13:14 < belcher> oh yes thats right
13:14 < waxwing> this is A+(B+C) = (A+B)+C
13:15 < belcher> group theory is studied in physics too, because its required in certain quantum mechanics topics, but i never studied it so
13:15 < belcher> famous last words, but it doesnt seem that hard :p
13:15 < waxwing> right i was just mulling that over. it's a pretty big thing in *some* areas of kinda advanced theoretical physics, i guess. but not others ofc
13:16 < waxwing> istr particle physics, whatever that means, or ... the really deep 'theory of everything' type theories, use groups right.
13:17 < belcher> you can supposedly derive results that are actually true in real life, like apparently theres a group-theory reason why quarks work the way they do
13:18 < waxwing> if you haven't really studied it (group theory), interesting (maybe easy i guess): come up with an example of a group that isn't abelian (i.e. doesn't obey commutativity)
13:18 < belcher> 2x2 matrices
13:19 < waxwing> yeah :) that's the only one i ever have in my head. although ... i think there are some geometric things too.
13:19 < belcher> also i think i remember circularly polarized light is an example of that
13:19 < waxwing> well i suppose square matrices are kind of geometric transformations
13:19 < belcher> polarizing filter A + polarizing filter B != B + A
13:20 < waxwing> yeah i think permutations can be like this? always confuses me to think about that.
13:20 < belcher> or maybe one filter has to be linearly polarized and the other circular, or maybe its three filters
13:23 -!- lnostdal [~lnostdal@77.70.119.51] has quit [Quit: ...time for reboot; brb/bbl'ish...]
13:26 < waxwing> oh Lie groups, that was it. like infinite order or something. that's physics right :)
13:27 -!- lnostdal [~lnostdal@77.70.119.51] has joined #joinmarket
13:35 < belcher> yes that name is used
13:35 < belcher> infinite order would make sense because the values arent integers
14:25 < midnightmagic> The proofofresearch guy just threatened to "expose" me if I continued questioning his results.
14:26 < midnightmagic> belcher: he also threatened you and laurent: "Don't make me start really exposing you all."
14:27 < midnightmagic> And now he's blocked me.
14:37 < belcher> im going to ignore him, im doing other stuff and clearly his passions are running high from all the money he lost
14:38 < belcher> btw midnightmagic your friend who has a full copy of mtgox should release it
14:38 < waxwing> midnightmagic, did you see this article today? looks interesting. seems the wife was heavily involved or something https://bitcoinmagazine.com/articles/quadrigacx-sent-deposits-allegedly-linked-to-ceos-widow-mailed-withdrawals-in-cash/
14:39 < midnightmagic> waxwing: Yes; it's a bit of a red herring. It's been said multiple times before that she operated as one of QCX's payment processors through her real estate company.
14:41 < waxwing> right. more interesting to people who don't know much about it i guess, like me. the stuff about cash is interesting too.
14:41 < midnightmagic> belcher: sorry to have encouraged him. Occasionally I try to appeal to people to be careful about chain analysis to ensure they don't create more victims, but in this case it appears I might have just made things worse.
14:42 < midnightmagic> waxwing: Cash withdrawals were a welcome relief valve that people tried to take advantage of. They were insured deliveries via (iirc) Brinks deliverymen.
14:42 < belcher> probably he interpreted our warnings as somehow saying that QCX was right to steal his money or something
14:42 < midnightmagic> The evil banks not working with QCX were always the problem for slow withdrawals.
14:43 < midnightmagic> belcher: Correct. He now says he thinks I'm a paid plant sent to dismantle or otherwise impugn his research, even though I told him like six times that I and everyone are grateful for the legwork he's doing and that his research is critically important.
14:44 < waxwing> if his research consists of trying to half-ass the nearly impossible job of deducing stuff from the blockchain, then it's more harmful than important (but i haven't followed all details, perhaps he's doing other useful things).
14:45 < waxwing> anyway attitude on twatter is both rude and dumb.
14:45 < waxwing> (his)
14:45 < belcher> the best thing he did was post a thread asking people to post their deposit addresses, and then put those addresses into walletexplorer
14:45 < belcher> and found they all matched up with the same cluster, which is good evidence that its (part of) the hot wallet
14:46 < belcher> then he found the MtGoxAndOthers closure and decided that QCX has something to do with mtgox
14:46 < belcher> and didnt find a cold storage wallet closure so decided it doesnt exist
14:51 < midnightmagic> I apologize for unintentionally triggering his threats.
14:51 -!- puddinpop [~puddinpop@unaffiliated/puddinpop] has joined #joinmarket
14:51 < belcher> just another day on the internet :p
14:52 < belcher> idiots online, again
14:52 < belcher> im sure he'll calm down in a while, and if not doesnt matter
14:53 < midnightmagic> Well. It would suck if he follows through on his threat and creates additional victims, and feeds the reddit murder-threat people.
14:54 < belcher> you're anonymous online arent you?
14:56 < midnightmagic> Who knows. Did I make a mistake somewhere in 10 years?
14:57 < midnightmagic> Or, worse, did those manual coinjoins I did with people early on expose the contents of my wallet to being accused of sitting on Quadriga's cold wallet when the coins are actually just mine?
14:57 < midnightmagic> I *think* I may have participated in one of the first coinjoins ever mined.
14:58 < belcher> dox
15:51 -!- undeath [~undeath@hashcat/team/undeath] has quit [Quit: WeeChat 2.3]
17:26 -!- AgoraRelay [~jmrelayfn@p5DE4AD64.dip0.t-ipconnect.de] has quit [Ping timeout: 258 seconds]
17:38 -!- AgoraRelay [~jmrelayfn@p5DE4AC90.dip0.t-ipconnect.de] has joined #joinmarket
19:22 -!- adlai [~adlai@unaffiliated/adlai] has quit [Ping timeout: 250 seconds]
19:27 -!- adlai [~adlai@unaffiliated/adlai] has joined #joinmarket
20:05 -!- v_unimportant_pe [~user@45.74.60.132] has quit [Read error: Connection reset by peer]
20:05 -!- v_unimportant_pe [~user@45.74.60.131] has joined #joinmarket
21:48 -!- viasil [~viasil@185.107.94.165] has quit [Read error: Connection reset by peer]
21:53 -!- viasil [~viasil@185.107.94.165] has joined #joinmarket