public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap
@ 2020-06-10 12:32 nopara73
  2020-06-10 13:48 ` Greg Sanders
  2020-06-10 20:10 ` Chris Belcher
  0 siblings, 2 replies; 6+ messages in thread
From: nopara73 @ 2020-06-10 12:32 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 2366 bytes --]

The problem with CoinJoins is that desire for privacy is explicitly
signalled by them, so adversaries can consider them "suspicious." PayJoin
and CoinSwap solve this problem, because they are unnoticeable. I think
this logic doesn't stand for scrutiny.

From here on let's use the terminology of a typical adversary: there are 3
kinds of coin histories: "clean", "dirty" and "suspicious".
The aftermath of you using a "dirty" coin is knocks on your door. You using
a "suspicious" coin is uncomfortable questions and you using a "clean" coin
is seamless transfer.

In scenario 1, you start out with a "clean" history. By using CoinJoins you
make your new coin's history "suspicious" so you have no incentive to
CoinJoin. By using CoinSwap/PayJoin your new coin can be either "clean" or
"dirty". What would a "clean" coin owner prefer more? Take the risk of
knocking on the door or answering uncomfortable questions?

In scenario 2, you start out with a "dirty" history. By using CoinJoins you
make your new coin's history "suspicious" so you have an incentive to
CoinJoin. By using CoinSwap/PayJoin your new coin can either be "clean" or
"dirty". What would a "dirty" coin owner prefer more? And here's an
insight: you may get knocks on your door for a dirty coin that you have
nothing to do with. And you can prove this fact to the adversary, but by
doing so, you'll also expose that you started out with a "dirty" coin to
begin with and now the adversary becomes interested in you for a different
reason.

You can also examine things assuming full adoption of PJ/CS vs full
adoption of CJ, but you'll see that full adoption of any of these solves
the tainting issue.

So my current conclusion is that PJ/CS does not only not solve the taint
problem, it just alters it and ultimately very similar problems arise for
the users. Maybe the goal of unobservable privacy is a fallacy in this
context as it is based on the assumption that desiring privacy is
suspicious, so you want to hide the fact that you desire privacy. And the
solution to the taint issue is either protocol change or social change
(decent adoption.)

PS.: Please try to keep the conversation to the Taint Issue as this email
of mine isn't supposed to be discussing general pros and cons of various
privacy techniques.

Any thoughts?

-- 
Best,
Ádám

[-- Attachment #2: Type: text/html, Size: 2964 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap
  2020-06-10 12:32 [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap nopara73
@ 2020-06-10 13:48 ` Greg Sanders
  2020-06-10 20:10 ` Chris Belcher
  1 sibling, 0 replies; 6+ messages in thread
From: Greg Sanders @ 2020-06-10 13:48 UTC (permalink / raw)
  To: nopara73, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 3068 bytes --]

A major point of defeating the common input heuristic and others is to make
"super-clusters". A small number of users that "don't care" about possibly
touching tainted coins can render many chain analysis techniques unworkable
in practice for enforcement. You don't need 100% coverage to defeat the
heuristic.

On Wed, Jun 10, 2020 at 9:40 AM nopara73 via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> The problem with CoinJoins is that desire for privacy is explicitly
> signalled by them, so adversaries can consider them "suspicious." PayJoin
> and CoinSwap solve this problem, because they are unnoticeable. I think
> this logic doesn't stand for scrutiny.
>
> From here on let's use the terminology of a typical adversary: there are 3
> kinds of coin histories: "clean", "dirty" and "suspicious".
> The aftermath of you using a "dirty" coin is knocks on your door. You
> using a "suspicious" coin is uncomfortable questions and you using a
> "clean" coin is seamless transfer.
>
> In scenario 1, you start out with a "clean" history. By using CoinJoins
> you make your new coin's history "suspicious" so you have no incentive to
> CoinJoin. By using CoinSwap/PayJoin your new coin can be either "clean" or
> "dirty". What would a "clean" coin owner prefer more? Take the risk of
> knocking on the door or answering uncomfortable questions?
>
> In scenario 2, you start out with a "dirty" history. By using CoinJoins
> you make your new coin's history "suspicious" so you have an incentive to
> CoinJoin. By using CoinSwap/PayJoin your new coin can either be "clean" or
> "dirty". What would a "dirty" coin owner prefer more? And here's an
> insight: you may get knocks on your door for a dirty coin that you have
> nothing to do with. And you can prove this fact to the adversary, but by
> doing so, you'll also expose that you started out with a "dirty" coin to
> begin with and now the adversary becomes interested in you for a different
> reason.
>
> You can also examine things assuming full adoption of PJ/CS vs full
> adoption of CJ, but you'll see that full adoption of any of these solves
> the tainting issue.
>
> So my current conclusion is that PJ/CS does not only not solve the taint
> problem, it just alters it and ultimately very similar problems arise for
> the users. Maybe the goal of unobservable privacy is a fallacy in this
> context as it is based on the assumption that desiring privacy is
> suspicious, so you want to hide the fact that you desire privacy. And the
> solution to the taint issue is either protocol change or social change
> (decent adoption.)
>
> PS.: Please try to keep the conversation to the Taint Issue as this email
> of mine isn't supposed to be discussing general pros and cons of various
> privacy techniques.
>
> Any thoughts?
>
> --
> Best,
> Ádám
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 4020 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap
  2020-06-10 12:32 [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap nopara73
  2020-06-10 13:48 ` Greg Sanders
@ 2020-06-10 20:10 ` Chris Belcher
  2020-06-10 23:01   ` ZmnSCPxj
  1 sibling, 1 reply; 6+ messages in thread
From: Chris Belcher @ 2020-06-10 20:10 UTC (permalink / raw)
  To: bitcoin-dev

Hello nopara73,

On 10/06/2020 13:32, nopara73 via bitcoin-dev wrote:
> The problem with CoinJoins is that desire for privacy is explicitly
> signalled by them, so adversaries can consider them "suspicious." PayJoin
> and CoinSwap solve this problem, because they are unnoticeable. I think
> this logic doesn't stand for scrutiny.
> 
>>From here on let's use the terminology of a typical adversary: there are 3
> kinds of coin histories: "clean", "dirty" and "suspicious".
> The aftermath of you using a "dirty" coin is knocks on your door. You using
> a "suspicious" coin is uncomfortable questions and you using a "clean" coin
> is seamless transfer.
> 
> In scenario 1, you start out with a "clean" history. By using CoinJoins you
> make your new coin's history "suspicious" so you have no incentive to
> CoinJoin. By using CoinSwap/PayJoin your new coin can be either "clean" or
> "dirty". What would a "clean" coin owner prefer more? Take the risk of
> knocking on the door or answering uncomfortable questions?
> 
> In scenario 2, you start out with a "dirty" history. By using CoinJoins you
> make your new coin's history "suspicious" so you have an incentive to
> CoinJoin. By using CoinSwap/PayJoin your new coin can either be "clean" or
> "dirty". What would a "dirty" coin owner prefer more? And here's an
> insight: you may get knocks on your door for a dirty coin that you have
> nothing to do with. And you can prove this fact to the adversary, but by
> doing so, you'll also expose that you started out with a "dirty" coin to
> begin with and now the adversary becomes interested in you for a different
> reason.
> 
> You can also examine things assuming full adoption of PJ/CS vs full
> adoption of CJ, but you'll see that full adoption of any of these solves
> the tainting issue.
> 
> So my current conclusion is that PJ/CS does not only not solve the taint
> problem, it just alters it and ultimately very similar problems arise for
> the users. Maybe the goal of unobservable privacy is a fallacy in this
> context as it is based on the assumption that desiring privacy is
> suspicious, so you want to hide the fact that you desire privacy. And the
> solution to the taint issue is either protocol change or social change
> (decent adoption.)
> 
> PS.: Please try to keep the conversation to the Taint Issue as this email
> of mine isn't supposed to be discussing general pros and cons of various
> privacy techniques.
> 
> Any thoughts?
> 
> 
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> 

There are two concepts here: Taint analysis and the detectableness of
privacy protocols.

Taint analysis is quite an old technique, I remember seeing the
blockchain.info explorer having a tool for calculating a value for taint
back in 2013, long before any widely-used CoinJoin implementations were
created. I think taint was first created to attack the privacy technique
of simply sending coins to yourself multiple times. If those coins were
for example stolen from an exchange's hot wallet then the taint between
the exchange addresses and the later addresses would still be 100% even
if the thief sent the coins to himself multiple times.

A very important point is that it's difficult to reason about taint
analysis algorithms because they are often hypothetical, likely
closed-source, not available to the public for review and changing all
the time. OP talks about the three categories "clean", "dirty" and
"suspicious" which is one possibility. I've read about other taint
analysis algorithms which result in a numerical score out of 100.
Blockchain.info's algorithm calculated taint as a number expressing the
relation between any two addresses, so it wouldn't make sense to say "an
address" is tainted, instead you have to talk about a pair of addresses
being tainted with each other. So even though it's hard to reason about
the exact algorithm we can still talk about likely situations, and
imagine what an adversary could do in the worst case or best case.

One way to resist a likely taint analysis attack is to involve other
parts of the bitcoin economy in your transactions. For example our
exchange thief could deposit and then withdraw his stolen coins through
a Bitcoin Casino or other bitcoin service hot wallet. His coins might no
longer be 100% tainted from the exchange hack but perhaps have 5%
exchange hack, 5% bitcoin ATM, 5% mined coins, etc etc. The numbers are
made up and they depend on the exact algorithm but the main point is
that involving the rest of the bitcoin economy in your transaction is
one practical way to stop taint analysis being a useful attack against
on you.

Another important point is that taint isn't part of bitcoin's code
anywhere. It is an external reality that surveillance companies impose
on users. The only reason taint has any influence is because of
censorship, for example an exchange which uses the services of a
surveillance company has the power to freeze funds (i.e. censor a
transaction) if they believe the user's deposit transaction is tainted.

Therefore a way to resist the taint analysis attack is to actually use
bitcoin as money, I.E. earn bitcoin, spend it with merchants, who then
spend it with other merchants or pay their employees, where most
entities along those links actually dont use a taint analysis algorithm.
This is a general principle of bitcoin privacy by the way, if every
entry- and exit-point requires giving up personal information then
privacy is dead, regardless of whether we use
CoinJoin/PayJoin/CoinSwap/whatever in between.
This is a good place to again shill this list of peer-to-peer exchanges:
https://github.com/cointastical/P2P-Trading-Exchanges/

So that's taint.

Now for privacy protocols like CoinJoin. They also involve the rest of
the bitcoin economy, because many different users link their coins
together when using CoinJoin/PayJoin/CoinSwap/etc, so such protocols can
be a way to resist taint analysis too just like the Bitcoin Casino
mentioned earlier.

However, what I think OP is talking about is the case where taint
algorithms are reprogrammed to not just track exchange hack addresses,
but also track privacy protocol transactions. So for example if the
hypothetical taint algorithm comes across an Equal-Output CoinJoin it
will assign it a different taint score even if its not linked to an
exchange hack or anything like that.

Such a reprogramming wouldn't be possible in undetectable privacy
protocols like PayJoin and CoinSwap. They will have the economy-mixing
effect of reducing taint (just like the Bitcoin Casino example above),
but as OP writes that can just lead to the wrong person being under
suspicion. And so such protocols on their own cant resist taint analysis
forever, which is the point is OP making as well.

The only permanent solution to taint analysis as I've mentioned is to
use bitcoin as money, away from centralized choke points that can censor
transactions and demand personal information. It's worth pointing out
that using bitcoin as money wont help our exchange hacker much, this
hacker will never be able to buy mansions or sports cars with their
stolen bitcoin, because the authorities already require proof of the
origin of funds before, for example, buying a big mansion.

Nonetheless, unobservable privacy is also useful for other reasons than
resisting taint analysis:

* It improves the privacy of people who do not use it.
* It helps stops censorship of privacy protocols (I.E. miners could one
day refuse to mine equal-output CoinJoin transactions but still mine
regular transactions)
* It typically uses less block space, because information is removed
from the blockchain rather than adding to the blockchain.


Regards

Chris Belcher


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap
  2020-06-10 20:10 ` Chris Belcher
@ 2020-06-10 23:01   ` ZmnSCPxj
  2020-06-11  2:01     ` Mr. Lee Chiffre
  0 siblings, 1 reply; 6+ messages in thread
From: ZmnSCPxj @ 2020-06-10 23:01 UTC (permalink / raw)
  To: Chris Belcher, Bitcoin Protocol Discussion

Good morning nopara73 and Chris,


> One way to resist a likely taint analysis attack is to involve other
> parts of the bitcoin economy in your transactions. For example our
> exchange thief could deposit and then withdraw his stolen coins through
> a Bitcoin Casino or other bitcoin service hot wallet. His coins might no
> longer be 100% tainted from the exchange hack but perhaps have 5%
> exchange hack, 5% bitcoin ATM, 5% mined coins, etc etc. The numbers are
> made up and they depend on the exact algorithm but the main point is
> that involving the rest of the bitcoin economy in your transaction is
> one practical way to stop taint analysis being a useful attack against
> on you.
>
> Another important point is that taint isn't part of bitcoin's code
> anywhere. It is an external reality that surveillance companies impose
> on users. The only reason taint has any influence is because of
> censorship, for example an exchange which uses the services of a
> surveillance company has the power to freeze funds (i.e. censor a
> transaction) if they believe the user's deposit transaction is tainted.

Adding on to this, we can consider the *economics* of taint.

Tainted coins are less valuable than untainted coins.

However, as pointed out as well, taint is not a consensus among all Bitcoin users.
There are no cryptographic underpinnings that would allow all nodes to agree on their individual taint analysis.

The people knocking on doors often have limited amounts of reach: there are real economic barriers to the knock-on-doors people being shipped to the other side of the Earth (fuel costs, ammunition costs, sociopolitical knock-on effects....).

Thus, suppose I am a miner with N coins.
As the coins have no history, they are "completely clean", as it were.

As a miner, I exist somewhere in the universe.
It is possible that I exist in some location on Earth (we cannot know; please ignore scurrilous slander that I am somehow existent outside of time and space).

Now suppose you have some tainted coins.
As noted, those coins are tainted only within some jurisdiction.
Outside that jurisdiction, however, they have no taint (taint is not a global consensus).

If I happen to live outside the jurisdiction where your coins are tainted, and I have some clean freshly-mined coins, I can offer this deal to you:

* Give me N+1 tainted coins for my N clean coins.

Now, again, the premise here is that there exists no global knock-on-doors people who can come to my datacenter and start asking questions to the sysads administering my computational substrate.

In that case, you might very well take the deal:

* You have not lost economic power, because the tainted coins, in your jurisdiction, are of lower value than N+1 anyway, and might even have value below that of N clean coins.
* I have gained economic power, because the tainted coins, in my jurisdiction, are not tainted and have the same cleanliness as my fresh mined coins.

This is a simple example of gains from trade, this time from jurisdictional arbitrage, thus such deals will exist.

--

But that is specious, as it assumes that there exists no global knock-on-doors people.
Obviously, there could exist one or more entities who are able to ship knocks-on-doors people all over the globe, taking advantage of economies of scale and reinvestment (more knock-on-doors people to knock on doors of people they can extract more economic power from to hire more knock-on-doors people) to achieve practically global coverage.

Against this, we must remember that ultimately censorship resistance of the coin is what can protect against such an attacker, which can impose its own non-consensual-but-pretty-damn-important view of taint practically globally.

Censorship resistance requires that owners of coins have control of the keys (your keys your coins) and that they can offer bribes to miners to get their transactions committed (mining fees).
Custodiality makes it easier for fewer knock-on-doors people to need to be shipped to stop certain activities.

Now, the Bitcoin Casino example is of course an example of not your keys not your coins i.e. custodiality.

For the purpose of mixing, the "Bitcoin Casino" here is simply aggregating multiple UTXOs and then sending them back out to many other new UTXOs.

This is in fact the same operation that CoinJoin does, it aggregates multiple UTXOs and creates many new UTXOs to different clients with shared taint.
The advantage is that CoinJoin is still your keys your coins, you still own the keys with which to sign the CoinJoin transaction, and thus improve censorship resistance of your mixing operation.

For CoinSwap as well, we can consider that a CoinSwap server could make multiple CoinSwaps with various clients.
This leads to the CoinSwap server owning many small UTXOs, which it at some point aggregates into a large UTXO that it then uses to service more clients (for example, it serves many small clients, then has to serve a single large client that wants a single large UTXO for its own purposes).
This aggregation again leads to spreading of taint.
CoinSwap, in this regard, is something like the cofunctor of CoinJoin.
Again, the advantage here is that CoinSwap is still your keys your coins, compared to the situation with Bitcoin Casino which is custodial.

(@Chris: I think it would be a good design for SwapMarket makers to avoid spending-together its owned coins when swapping, but if it *does* need to do so (i.e. its coins are all too split up and it becomes unable to serve a client without spending more than one coin in a tx), to spend-together *all* its UTXOs and try to serve as many takers as possible in a single tx, to simulate precisely the batching operations that custodial services use, thus appearing as some new custodial service, without actually *being* custodial.)

Thus, we should consider that CoinJoin and CoinSwap improve the censorship resistance, and thus improve our global resistance to a potential global attacker using taint analysis.

Regards,
ZmnSCPxj


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap
  2020-06-10 23:01   ` ZmnSCPxj
@ 2020-06-11  2:01     ` Mr. Lee Chiffre
  2020-06-11 11:20       ` nopara73
  0 siblings, 1 reply; 6+ messages in thread
From: Mr. Lee Chiffre @ 2020-06-11  2:01 UTC (permalink / raw)
  To: ZmnSCPxj, Bitcoin Protocol Discussion

Thought provoking. In my opinion bitcoin should be designed in a way to
where there is no distinction between "clean" bitcoins and "dirty"
bitcoins. If one bitcoin is considered dirty then all bitcoins should be
considered dirty. Fungibility is important. And bitcoin or its users
should not be concerned with pleasing governments. Bitcoin should be or
remain neutral. The term "clean" or "dirty" is defined by whatever
government is in power. Bitcoin is not to please government but to be
independent of government control and reliance on government or any other
centralized systems. To act as censorship resistant money to give people
freedom from tyranny. I'm just saying that if anyone can determine if a
bitcoin is clean or dirty then I think we are doing something wrong. What
is great with certain protocols like coinjoin coinswap and payjoin there
is that plausible deniability that hopefully would spread the entire
"taint" of bitcoin collectively either for real or just as a possibility 
to any blockchain analysis entities (with no real way to tell or interpret
with accuracy).

Bitcoin should be designed in a way where the only way to stop "dirty"
bitcoins is to reject all bitcoins.

If "dirty" bitcoins is actually a real thing then I guess I could have fun
by polluting random peoples bitcoin addresses with "dirty" coins right? No
way to prove if it is a self transfer or an unsolicited "donation".  I
just do not see how any bitcoin UTXO censorship could work because of
plausible deniability.

If any company actually used UTXO censorship then customers can just use
services that are respecting of freedom and do not use censorship.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap
  2020-06-11  2:01     ` Mr. Lee Chiffre
@ 2020-06-11 11:20       ` nopara73
  0 siblings, 0 replies; 6+ messages in thread
From: nopara73 @ 2020-06-11 11:20 UTC (permalink / raw)
  To: Mr. Lee Chiffre, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 2990 bytes --]

Thank you all for your replies, I think everyone agrees here how it "should
be" and indeed I risked my post and my used terminology to further
legitimize the thinking of adversaries.
I'd have one clarification to my original post. It may not be clear why I
put PJ/CS to the same box. One way of thinking of CoinSwap is to swap coin
histories and PayJoin is to share coin histories. For the purposes of this
attack the consequences are roughly the same so that's why I think it's ok
to put them under the same umbrella in this discussion, but I wouldn't die
for it :)

And indeed I perhaps wrongly called this the "Taint Issue", maybe it should
be called "Coin Discrimination Issue" or something like that, not sure if
we have a term for this, but I'm sure we should have a term for this as
unlike some other, so far theoretical attacks on Bitcoin's fungibility, it
is currently being applied in practice.


On Thu, Jun 11, 2020 at 7:24 AM Mr. Lee Chiffre via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> Thought provoking. In my opinion bitcoin should be designed in a way to
> where there is no distinction between "clean" bitcoins and "dirty"
> bitcoins. If one bitcoin is considered dirty then all bitcoins should be
> considered dirty. Fungibility is important. And bitcoin or its users
> should not be concerned with pleasing governments. Bitcoin should be or
> remain neutral. The term "clean" or "dirty" is defined by whatever
> government is in power. Bitcoin is not to please government but to be
> independent of government control and reliance on government or any other
> centralized systems. To act as censorship resistant money to give people
> freedom from tyranny. I'm just saying that if anyone can determine if a
> bitcoin is clean or dirty then I think we are doing something wrong. What
> is great with certain protocols like coinjoin coinswap and payjoin there
> is that plausible deniability that hopefully would spread the entire
> "taint" of bitcoin collectively either for real or just as a possibility
> to any blockchain analysis entities (with no real way to tell or interpret
> with accuracy).
>
> Bitcoin should be designed in a way where the only way to stop "dirty"
> bitcoins is to reject all bitcoins.
>
> If "dirty" bitcoins is actually a real thing then I guess I could have fun
> by polluting random peoples bitcoin addresses with "dirty" coins right? No
> way to prove if it is a self transfer or an unsolicited "donation".  I
> just do not see how any bitcoin UTXO censorship could work because of
> plausible deniability.
>
> If any company actually used UTXO censorship then customers can just use
> services that are respecting of freedom and do not use censorship.
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>


-- 
Best,
Ádám

[-- Attachment #2: Type: text/html, Size: 3909 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2020-06-11 11:21 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-10 12:32 [bitcoin-dev] Tainting, CoinJoin, PayJoin, CoinSwap nopara73
2020-06-10 13:48 ` Greg Sanders
2020-06-10 20:10 ` Chris Belcher
2020-06-10 23:01   ` ZmnSCPxj
2020-06-11  2:01     ` Mr. Lee Chiffre
2020-06-11 11:20       ` nopara73

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox