Idea: Colored Coins on Monero

Published by:

While the main goal of Monero is obviously to be a fungible cryptocurrency, lots of cool things can be done with the technology. Recently I saw an article about “Confidential Assets” by a start-up called “Chain”.

The Confidential Assets that Chain is proposing are basically a form of issued tokens that can be transferred anonymously between parties on the same network. The issuance can be anonymous and the balances of the accounts are unknown to an observer. There is a downside however: the history of the assets/tokens can be tracked. This scheme can for example be used for creating virtual poker chips,  company shares or even cryptofiat backed by a reputable bank who holds the currency on balance.

While this is a cool idea, I don’t think it needs its own blockchain or other form of “decentralized” database with some weak consensus mechanism. If you want fungible assets however, then a different approach is certainly needed. Monero lends itself perfectly for this job because all transactions are untraceable, unlinkable and with RingCT the amount isn’t visible. In this small article I propose a system for building Colored Coins on the Monero network. These Colored Coins are fungible, the transactions use RingCT, the issuer can be anonymous and an observer who isn’t part of the CC-network doesn’t necessarily need to know the amount of Colored Coins in circulation.
Seems like a cool idea? :)

How does the Colored Coins on Monero looks like in general?

1) Monero is divisible into 1 trillion (10^12) atomic units (“etoj”). To create a specific Colored Coin, the Issuer needs to first define the amount of Coins he wants to issue. He also needs to take into account how much decimals the token can have. If a bank for example wants to issue 1 million USD on the blockchain with 2 decimals, then there are 100 million atomic units. To issue this particular Colored Coin, the Issuer will need 0.000100000000 XMR. Every eto will represent 0.01 USD.

2) Now that the Issuer defined the amount of atomic units, he can do the “Issuance Transaction”. The Issuer simply sends a transaction with the required output to an address he controls. There is no need for a paymentID. No special measures need to be taken. This transaction just looks like any other transaction on the blockchain.

3) The Issuer then needs to perform the Enabling Transaction: this is the first transaction which uses the full supply. Let x be the minimum Ring Size, then this Enabling Transaction needs to have at least x outputs.

4) From this point onwards, transactions which use this specific Colored Coin are required to only use txo’s that stem from the Issuance transaction in the ring sigantures. If any other txo’s are used in the ring signature, then all the outputs will lose their Color. These txo’s won’t be recognised anymore by the Colored Coin network.

5) There is one problem however with this scheme: monero transactions aren’t free. But to be able to pay for the fee, additional inputs in the transaction are needed and it will need to be possible to verify that all the additional real XMR is spent as a fee payment. This would require tweaks in the RingCT protocol, disclosing a lot of info about the transaction to the public, etc.
A more private solution is the following: when you spent a colored txo, you’ll usually have at least 3 outputs: the payment, the change and a 0-output. This 0-output will then be spent again in another transaction using a ‘Child Pays for Parent’ scheme. The result will be that this 0-output will lose its Color, but who cares? It was a 0-output anyway.
Note: currently CPFP is not yet possible on Monero. Maybe another solution for the fee problem is possible. But I suggest that this system would reveal as little data about the Colored Coin transaction as possible.

The result of this scheme is that someone is able to issue Colored Coins on the XMR blockchain. The transactions will use RingCT. The issuer can chose to disclose the amount of coins created, or not. The Colored Coins will be fungible. Downside: it will be pretty easy to spot colored coin transactions on the blockchain, even if an observer isn’t aware of the Issuance public key and/or or the Enabling transactionID. If regular Monero users use real XMR in a ring sig in combination with txo’s that are inside the Colored Coin system, an observer will be able to discard those Colored txo’s as real inputs of the transaction.

Assuming CPFP will be implemented, a practical implementation of this scheme seems pretty easy: what is needed?

A) a special wallet that is “Color Aware”. The user needs to be able plug the public key of the Issuance transaction (the key that contained the whole supply) and the txid of the Enabling Transaction into the wallet. By doing this, the wallet recognises that a certain transaction contains all issued tokens and that a specific transaction enabled the network. Note that the txid is needed, because nothing stops normal users of the Monero network to use the public key of the Issuance Transaction in a regular ring signature.

B) Optionally, the user can add more sets of public keys and txid’s later on. If the Issuer decides to create more tokens (for example new shares) then the user can decide to accept this new issuance.

C) The Color Aware wallet needs to be able to recognise incoming Colored transactions and check their validity.

D) The Color Aware wallet needs to be able to pick the txo’s from the approved list when creating Colored Coin transactions.

E) The Color Aware wallet needs to add a 0-output to every transaction and pay 0 fee when sending a Colored transacion

F) The Color Aware wallet needs to spend the 0-output with a “double fee” using CPFP to confirm the Colored transaction.

G) Optionally, a public database can be created that has the info of certain Colored Coins with the data needed to add it to the Color Aware wallet. The Issuer can decide to publish it or not. Optionally, he can also disclose the amount of tokens issued by disclosing the TX private key of the Issuance transaction and the originating address of the Enabling transaction.

ShapeShiftOpenAlias

Introduction to Monero

Published by:

1. Monero – a short history

Monero is a cryptocurrency, launched on april 18 2014 as a fork of Bytecoin. Bytecoin was the original coin that first implemented the Cryptonote protocol (more on that further down). Once it surfaced the Bitcointalk forums, people discovered all sorts of shady things, among it the fact that more than 80% of the coins were already mined. So the community decided to fork a new coin, starting with 0 coins in circulation. Monero was born.

In the first months, Monero was only usable with a “command line wallet”. Therefore, a lot of people kept asking the devs, who didn’t even completely understood the basics of the Monero code, to create a GUI (Graphical User Interface). They started working on it, but on september 4 2014 a sophisticated attack happened on the Monero Network, so the devs changed course and started prioritizing the underlying code, to make the Monero network more resilient (more details at lab.getmonero.org MRL-2)

At the end of 2014, a Monero webwallet was launched by Riccardo “Fluffypony” Spagni, called “MyMonero”. You can find it at mymonero.com. Meanwhile, nothing much seemed to be happening “on the surface” for most people looking from the outside. But a lot of important work was in progress, such as the creating of a database-system which enabled the wallet to operate with only a little bit of RAM in stead of Gigabytes of RAM. Other improvements were implementing mnemonics, for easy backup. A lot of new code and documentation was written to implement options for faster syncing, faster node operation, integration with I2P started, etc. And eventually the GUI project was picked up again at the start of 2016.

This all was done by crowdfunding which means that community members donated money regularly to the development team. There is no “premine” or “ICO”. Monero is launched in a very fair manner, it’s open source and clearly is a grassroots currency.

2. Fungibility

The purpose of Monero is creating a fungible currency network. What does fungibility mean and why is it important?
Fungibility is an important property of any functioning currency. It’s the property that makes one unit of a currency always 100% exchangeable for another unit of the same currency. There shouldn’t be differences. Every coin need to be worth the same as another coin.

In Bitcoin, every transaction is traceable. This can lead to problems when receiving coins from an unknown source and later spending them. You can be accused of crimes in which those coins were used. This effectively decreases the value of these “tainted coins”. Another problem with traceability is that people can try to figure out your account balance or know on what items you spend your money.

You can however try to hide the traces of your coins. These techniques are called “mixing” and can be done in different ways. Sometimes centralized, sometimes decentralized, but there is always a possibility to see that certain coins were mixed. This can still lead to problems though, because mixed coins are probably tainted as well. Optional privacy doesn’t solve the fungibility issue of a traceable currency. I suggest to read the first part of this article I wrote to understand more about this topic: http://weuse.cash/2016/06/09/btc-xmr-zcash/

You can try to hide the traces of your coins as much as you want, if you tried to mix your non-fungible coins using a mixer, coinjoin or another type of “anonymity enhancing feature”, these transactions can still be flagged as “possible suspicious activity on the blockchain” because they are mixed, even if you are anonymous. So don’t confuse fungibility with anonymity. This is why “mixing technology” only works if it’s “on by default”. If everybody is mixing all the transactions all the time, then you can’t say anything useful about the data in the blockchain.

3. Ring Signatures

Ring signatures are used for obfuscating the real input in a transaction so it’s impossible to tell what the history is of every output on the blockchain.

Definition by Wikipedia:
In cryptography, a ring signature is a type of digital signature that can be performed by any member of a group of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular group of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the group members’ keys was used to produce the signature. (…) Ring signatures were invented by Ron Rivest, Adi Shamir, and Yael Tauman, and introduced at ASIACRYPT in 2001.

Ring signatures are applied on every input in every transaction. The sender just randomly selects some other outputs with the same amount from the blockchain and signs it with his private spend key. He doesn’t need any approval from the owners of the other outputs. This can even be done offline, making it possible to do secure offline signing and broadcasting the signed transaction on an online computer.

Maybe you ask yourself by now how you can detect double spends when there is plausible deniability for every transaction output? The answer lies in the mathematics again. A “key image” is published alongside a transaction. The key image proves that one of the inputs in the ring signature is real and when sender tries to double spend the same input, the key image will be exactly the same. You can find out more about the cryptography behind the key image in the Cryptonote whitepaper.

Because ring signatures are enforced across the network, all coins are mixed all the time. This adds fungibility to the protocol level of Monero. If we compare this with privacy features implemented in Bictoin, ZCash or DASH, we can clearly see the difference: if traceable transactions are still possible on the network, regulation can force this traceability in certain circumstances so you can never have fungibility.

And last but not least, this is tested cryptography. It exists since 2001 so we can assume it’s pretty reliable. Unlike ZCash, which is new cryptography and still largely untested.

4. Stealth addresses

Monero implements ‘Stealth addresses’, which is one (public) address that you can share with anyone, without enabling spectators to know anything about the transaction history or balance of this address. The Monero addressing system uses 2 private keys: a private viewkey and a private spendkey.

The private spend key pretty much works the same as in Bitcoin: you sign transactions with it. The private viewkey however is needed to search the blockchain for incoming payments. Only if you have access to that key, you can know a certain transaction output is associated with you Monero address.

In bitcoin (and most of the other cryptocurrencies) address reuse is often happening, which greatly decreases the pseudonimity of the network. Stealth addresses provide an easy way to protect and enhance your privacy. The blockchain data will not show any links between multiple transactions.

Although this isn’t perfect: if you use your address in multiple locations, there can be “off blockchain linking”. If you withdraw coins from an exchange and use the same address to withdraw funds from your webshop where you are selling plants, law enforcement is able to link your accounts based on the usage of the same address. Therefore, it is suggested to use a special kind of “one time address” for every service. All funds will enter the same account, but off blockchain linking won’t be possible.

5. RingCT

RingCT, short for Ring Confidential Transactions, is a new signature system proposed by Shen Noether in the MRL-5 paper. You can find it in the first edition of Ledger at ledgerjournal.org. It is based on the research by Gregory Maxwell on Confidential Transactions, but adapted to be able to work with Ring Signatures.

This technology enables users to hide the transaction amounts of transactions. It is “the last piece of the puzzle” for complete anonymity on the Monero network. It also solves some edge cases that could compromise the untraceability of Monero. RingCT is went live on the Monero main net on January 9 2016. At first, RingCT will be optional, but in the next hard fork (september 2017), RingCT transactions will be enforced by the network, without any option to “opt out”.

6. Kovri – I2P

Blockchain data is only one attack vector for the privacy of cryptocurrency users. It’s known that the Chainalysis company tries to identify users/nodes in the P2P network based on their IP address. The Kovri project tries to develop an I2P router in C++ that will eventually enable Monero users to hide their IP addresses when sending transactions. Kovri is not yet integrated with Monero and is still in a pre-alpha stage.

7. Conclusion

Monero is very important and revolutionary technology. It hides the sender, receiver and history of transactions. Soon the amounts will be hidden as well. It is pretty easy to deploy, doesn’t need a trusted setup (unlike ZCash) and it’s being tested in the wild for almost 3 years. The privacy features are enforced by the network which results in a much bigger anonymity set than bitcoin mixers or cryptocurrency with optional privacy features. It enables users to transact privately with a fungible currency in a decentralized network and therefore can withstand regulation from governments. Monero is true digital cash.

ShapeShiftOpenAlias

The Untrusted Setup – Why you shouldn’t trust ZCash

Published by:

zcash2

Hidden inflation

ZCash will launch today. This is not a “normal launch” like any other altcoin, because ZCash required a so called “trusted setup”. During this setup, some secret (public) parameters were generated based on a “master private key”. These network parameters are needed to create the so called “zero-knowledge proofs”, which is the anonymizing mixer on the ZCash network. The “master private key”, referred to by Zooko as toxic waste, needed to be destroyed.  If this data is not destroyed, someone who has access to this key is able to generate an infinite amount of anonymous ZCash.

This is the so called “hidden inflation problem”; unlimited counterfeiting of coins while nobody is able to detect it. If this were to happen, it would undermine the value proposition of the ZCash cryptocurrency. ZCash would never be considered to be “sound money” where the emission scheme can be checked by all participants. The problem is that nobody can check if the setup actually did occur  in a correct manner. People who hold value in ZCash will need to trust the setup process from the genesis block onwards.

Setup of the setup

ZCash used a “multi party protocol” which means that, according to the team, as long as one of the participants in the generating process is honest and doesn’t keep a copy of his part of the “toxic waste”, nobody else will be able to get access to the full “master private key” that is needed to create counterfeit coins. Only 6 people participated in the setup. This is a very small group and thus creates a theoretical possibility that these people were conspiring or were being coerced by a TLA to keep a copy of the “master private key”. While this is a possibility (certainly considering possible involvement of the Israeli government), it doesn’t seem all that likely due to the involvement of Peter Todd, who isn’t a part of the ZCash team.

What’s more worrisome is the fact that the setup itself could have been compromised: think about hardware, network, software, operating system, binaries, etc. There are a lot of attack vectors. Governments had a very big incentive to compromise the setup of the setup. If successful, they are able to create free money without people noticing and meanwhile diluting the value of a potential powerful cryptocurrency. State sponsored attacks are known to be very sophisticated, like Stuxnet that sabotaged the Iranian nuclear power plants.  Is it therefore likely that governments were able to compromise this “trusted setup” as well? I my opinion it is. It’s impossible to prove that an unknown attack didn’t happen. You don’t know what you don’t know.

Sybil zk-proof attack

The ZCash team often repeats that even if the setup is compromised, the anonymity of the network isn’t at risk. However, I beg to differ. Due to the high RAM requirements to generate “jointsplits”, it’s unlikely that the anonymizing feature of the ZCash network will be used much in the first years of the existence of the coin. This leads to the possibility of “timestamp analysis attacks”. People tend to use new mixing technology as an “intermediate step” for obfuscating bitcoin transactions. But due to volatility risk, people tend to have their value for the shortest possible time in an altcoin. If people use the zk-mixer for obfuscating bitcoin transactions, it will be trivial to connect the transparent ZCash that enters the zk-mixer and the ZCash leaving the mixer again after only a few minutes or even hours. (Sidenote: this leads to fungibility problems within ZCash; you can read more about it here.)

Imagine an attacker counterfeiting a lot of fake zk-proofs. This could create the illusion of a liquid mixer. A lot of usage means that suddenly one can hide his transaction in this mixer with a lower (perceived) risk of being tracked. Timestamp analysis attacks become increasingly harder. But the attacker, who knows all the fake zk-proofs, can ignore his own counterfeited liquidity. He is still able to do the timestamp analysys based on the real (low) liquidity inside the zk-mixer. This leads to a very dangerous situation in which the user thinks he is transacting anonymously, but in which an attacker will still be able to track all transactions. Privacy theatre is a huge risk.

Chain rollbacks

There is a (drastic) option to solve this issue. Zooko proposed recently to periodically force everyone to reveal their balance as a solution for the hidden inflation problem. At a certain block height all “anonymous” coins would become invalid and an observer would be able to sum up all “transparent” coins. If the total amount is equal to or less than the emission should actually be, the  system can be considered “sound” until that point in time.

If however an anomaly is discovered, then the ZCash community will face a difficult decision: continue with the inflated emission or rollback to the previous checkpoint. The network would also come to a halt until the bug is found. Trust in the currency would be lost immediately. If the community decides to do a rollback, this means that all transactions between the previous checkpoint and the detection of the hidden inflation will become invalid. Some people won’t like this rollback and maybe a non-rollback ZCash fork would emerge.  When people use the “rollback ZCash” however, one can only consider transactions to be “fully confirmed” after such a successful “emission checkpoint” happened.  Exchanges, users, merchants and wallet services should be aware of this serious risk.

Inflation bugs

ZK-proofs are very difficult to understand. Recently, Zooko even admitted he doesn’t understand the math. The ZCash team has some smart people on board, but even they can not guarantee that the network is free of bugs. During the test phase, a bug was discovered that made it possible to counterfeit coins. This attack had nothing to do with the “trusted setup”, but would cause the exact same problems as described in this article. Due to the fact that the ZCash protocol is very complex code, it’s not at all guaranteed that similar bugs aren’t still present in the protocol.

Conclusion

You shouldn’t trust ZCash.

zcash2

ShapeShiftOpenAlias

Trezoro – Trezor for Monero – video tutorials

Published by:

trezoro1

I created two tutorial videos for installing, configuring and managing Monero on Trezor.

Trezoro: The Basics

The first one covers just the basics and aims to get you up and running as fast as possible:

trezoro1

This is the shortlink: http://bit.ly/trezoro

Trezoro: Tups & Tricks

I created a second tutorial video for Trezoro. It will show you how to use multiple currencies, how to set up password accounts, it will suggest a Monero account strategy, it shows some useful CLI command and shows you how to run your own node.

trezor2
Shortlink to the video: http://bit.ly/trezoro2
Links to the different segments of the video:
1) multiple currencies
2) password accounts
3) Monero account strategy
4) CLI commands
5) Running your own node
useful links:
– Article on Trezor for Monero: http://weuse.cash/2016/03/07/trezor-for-monero-first-impressions/
– You can buy a Trezor here using my affiliate link: https://buytrezor.com/?a=2c001ae7165c

ShapeShiftOpenAlias

Warning: DASH privacy is worse than Bitcoin

Published by:

dash1

This article analyses how DarkSend works and will explain why there’s absolutely no good  reason to use DASH for private transactions.

dash1

The cryptocurrency DASH (formerly known as Darkcoin, formerly known as XCoin) brands itself as a “Digital Cash”. When people promote DASH, they often claim that the PrivateSend (formerly know as DarkSend) feature makes DASH the “top contender in the realm of privacy coins”.

This recent steemit article by bravenewcoin is a perfect illustration of what I mean. There is zero critical thinking. Nobody seems to ask questions and do research. If there is no proof that these claims are correct, then it’s dangerous to use DASH in the first place. People who are not technically literate will use DASH while presuming that they are doing private transactions. They are exposed to some risky attack vectors, but think they are safe.

dash2

Let’s first look at how DASH describes the “Darksend” feature on their website:

Darksend is the feature that gives Dash users full privacy when they use it. It is an improved and extended version of the CoinJoin. In addition to the core concept of CoinJoin, we employ a series of improvements such as decentralization, strong anonymity by using a chaining approach , denominations and passive ahead­of­time mixing.

So DarkSend basically is a fork of CoinJoin. DASH added some things and claim these features are improving the privacy of the DarkSend user. We examine them one by one

 

1) Coinjoin basics

Darksend uses the fact that a transaction can be formed by multiple parties and made out to multiple parties to merge funds together in a way where they can’t be uncoupled thereafter. Given that all Darksend transactions are setup for users to pay themselves, the system is highly secure against theft and users coins always remain safe.

dash3

Coinjoin, as implemented in Joinmaket on Bitcoin, is a system that enables users to mix their coins in a decentralized way. As shown in the image above, users basically transact together in the same coinjoin transaction. By doing this, an outsider can’t really know which output belongs to which input.

Joinmarket is currently the only viable decentralized implementation of Coinjoin on Bitcoin. DarkSend is a different implementation of Coinjoin on the DASH network. We’ll compare these 2 implementations in this article.

 

2) Decentralized mixing

In Joinmarket, there is no central server to find counterparties to mix with. You just announce to the network that you want to mix and someone else can join your mixing proposal. Other implementations of Coinjoin, such as Sharedcoin by blockchain.info uses a central server to generate the coinjoin-transactions. It is possible that these servers log the different inputs and outputs so they can potentially deanonymize the coinjoin-users.

In DASH, the DarkSend-users connect to a masternode for mixing. This masternode enables the mixing proces in a similar way as the sharedcoin system. These masternodes can log the inputs and outputs and therefore deanonymize the users.

Note that you don’t need to be the owner of a masternode to see these logs. Most of the masternodes are hosted on cloudhosting services. If a government demands access to these logs, they will probably get it. It’s entirely possible that right now the NSA is spying on the majority of masternodes without the owners even knowing their masternodes are being spied upon.

The DASH website ignores this risk and tries to reassure us that by using “chained mixing”, you’ll be safe:

 At set intervals, a user’s client will request to join with other clients via a Masternode. (…) Each Darksend session can be thought of as an independent event increasing the anonymity of user’s funds. (…) To increase the quality of anonymity provided, a chaining approach is employed, which funds are sent through multiple Masternodes, one after another.

Stating that chaining mixings is more secure is just false: suppose an adversary has access to a large number of masternode logs. When someone does one mixing and then waits a day to do a second one, he’ll be more private than someone doing 6 mixings in a row. Why? If the adversary owns 2 of the 6 masternodes used in the mixing process, it will be easy to undo the mixing that happened in between due to the low liquidity in the DASH system (see next point).

DASH mixing is far from decentralized and it’s even worse than Sharedcoin: when using Sharedcoin, the user is aware that he’s using a centralized system. When using DASH, everybody pretends it’s a private decentralized system, but in reality, it isn’t.

 

3) Mixing liquidity

The advantage of DarkSend compared to JoinMarket, is that it’s implemented in the official DASH GUI, so it’s easily accessible. I assume the idea behind that was to encourage the use of DarkSend which would improve the liquidity in the DarkSend mixing system.

Liquidity is very important for any mixing system to function well. If only a few people are mixing, these systems are easily Sybil attacked: if some adversaries just try to mix with as much people as possible, they will be able to get a lot of info from their own mixings because they are in most cases the only counterparty of the people who want to mix.

So let’s compare the liquidity between DarkSend and JoinMarket:

Currently, according to JoinMarket.me, this bitcoin mixing system has 86 counterparties to mix with. This means that at any time, someone who wants to mix can choose one of those 86 people to mix with. He can even do multiple mixings (“chained mixing”) to improve his privacy: it’s possible that some of his mixing partners were adversaries, but chances are smal that all of the counterparties were.

A Sybil attack is more difficult to successfully execute when the number of counterparties grows. Bitcoin has the advantage that there is a lot of liquidity in the Bitcoin network. The market cap of Bitcoin is more than 10 billion and I estimate that the number of active bitcoin users is in the millions. If only a small percentage of those people started using CoinJoin, the liquidity in the mixing system would grow and Sybil attacks would be very hard to pull off.

It’s not possible to get exact data on how many counterparties are available in DASH DarkSend, but we know a few things: the DASH market cap is 50 million USD and I estimate the number of active users to be in the thousands. So by using DASH you already reduce the anonymity set you’re in by multiple orders of magnitude.
Due to the low liquidity on the DASH blockchain, it’s possible to attribute “chained mixings” to the same individual solely based on blockchain analysis.

But what’s even more telling is the fact that a lot of DarkSend users seem to experience a very slow mixing process. Check this subforum for their stories: http://dash.org/forum/topic/privatesend-questions-and-help.77/ 

DASH developers tried to improve the number of mixing participants compared to JoinMarket. Joinmarket usually only has 2 participants, DASH has t least 3 people mixing together:

Currently to mix using DarkSend requires at least 3 participants.(…)However each session is limited to three clients, so an observer has a one in three chance of being able to follow a transaction.

The DASH developers also noticed that mixing is slow, so they decided to pay 5 “liquidity providers” to constantly mix their coins. This probably increased the speed of the mixing a bit since this system was implemented, but it is also a very big risk: if these 5 people collude (or are being spied upon), it will be trivial to deanonymize every DarkSend transaction that happened on the DASH blockchain. This is a very unsecure system to depend upon for your private transactions!

 

4) Denominations

DASH added a denomination system to the coinjoin-implementation of DarkSend:

To improve the privacy of the system as a whole we propose using common denominations of 0.1DASH, 1DASH, 10DASH AND 100DASH. In each mixing session, all users should submit the same denominations as inputs and outputs.

Statistical research is needed to confirm the claim that denominations are actually better for privacy. If it were better, then joinmarket could easily implement it. But I think there are also some risks associated with using denominations: if you want to mix 987.6 DASH, you’ll end up with 30 outputs. When you want to spend 375 DASH, you’ll regroup at least 15 of those outputs. This could potentially lead to making your previous DarkSend privacy weaker. A better approach would be to conceal the amounts in the transactions by using Confidential Transactions combined with coinjoin.

 

5) Passive mode

With joinmarket, you have an incentive as a market maker to propose mixings to the bitcoin network. Joinmarket has an incentive to provide liquidity. Tis makes it easier for people who want a fast mixing to just ping the network and accept a mixing by one of the market makers.

The DASH developers correctly identified that timing attacks are an issue with mixing. But the fact that they promote the “passive mode” of  DarkSend as a feature is very telling: it’s turning a bug into a feature.

Darksend is limited to 1000 DASH per session and requires multiple sessions to thoroughly anonymize significant amounts of money. To make the user experience easy and make timing attacks very difficult, Darksend runs in a passive mode.

In DASH this “passive mode” is just your node waiting for other people to show up to mix with you through a masternode. There is no incentive at all to do this. It’s a necessity. It shows (again) that the DarkSend liquidity is painfully low.
Conclusion

DarkSend (now called PrivateSend) has some serious privacy issues. It’s risky to rely on this system and the liquidity is very low which makes it not really usable. If you need to choose between Bitcoin and DASH, it’s safer to rely on Bitcoin mixing systems and more specifically on JoinMarket.
PS: fungibility claims

dash4

DASH also claims to be a “truly fungible” coin:

By having a decentralized mixing service within the currency we gain the ability to keep the currency itself perfectly fungible. At the same time, any user is able to act as an auditor to guarantee the financial integrity of the public ledger without compromising others privacy.

There is a lot to say about this, but I’ll refer to a previous article of mine about fungibility. Basically bitcoin and DASH have the same fungibility issues. Coinjoin can’t “fix fungibility”. You can read that article here: http://weuse.cash/2016/06/09/btc-xmr-zcash/
PPS: Instamine scam

By the way, if after reading this article you somehow still regard DASH as a legit project, there is still the instamine you can look into

Teaser: this chart shows the first 72 hours of DASH. At the moment there are about 6.5 million DASH in circulation. In the first 2 days 2 million coins were created. In the first hour more than 500000 coins were created.

dash5

 

ShapeShiftOpenAlias

On Fungibility, Bitcoin, Monero and why ZCash is a bad idea.

Published by:

toxic

Screenshot from 2016-06-09 03:02:30

(This article was republished on steemit.com on 2016-07-12)

When bitcoin launched, a lot of people thought they finally had decentralised digital cash. We saw people using bitcoins for ideological reasons, but also for the presumed anonymous properties. You didn’t need to provide any identity information to create a wallet or send a transaction. Anonymous magic internet money. Cool, right?

Over the years, it became more clear that bitcoin isn’t anonymous at all. All transactions can be traced on the blockchain. If you transact with a stranger at a bitcoin meetup, he could start guessing your total bitcoin balance in your wallet. When you interact with regulated bitcoin businesses, you are required to provide ID information. And you can be sure that this company will couple your customer data to your blockchain fingerprint. This data can be handed over to law enforcement upon request, and be used to analyse the blockchain and associate more activity with you, or reveal connections with certain people, markets or online services.

A lot of bitcoin tracking companies started to deanonymize users by using this data and are actively trying to map the whole bitcoin blockchain.

Screenshot from 2016-06-09 03:09:12

So how can we avoid this bitcoin tracing?

Some people started to offer mixing services. These are centralised platforms where you send your coins to and you (hopefully) get coins back which aren’t related to your coins. The problem with this is that these platforms can be honeypots operated by law enforcement, or can just go offline and run with your money.

Another option is a form of coinjoin/joinmarket. This is a system where people let other people know they want to mix their coins. People eventually sign one big transaction with all the inputs of the people who wanted to mix at that certain point in time and get outputs from that transaction to a new address.
This somewhat breaks the link, but there is still a degree of traceability: once you get coins back in different outputs and you start transacting again, these outputs will probably be joined again and it’s possible some of the outputs can be linked to the inputs.
A sybil attack is also possible: when you mix with coinjoin, you assume these people are random, but these people could in fact all be law enforcement just waiting for the mixing transactions to happen. If you only “mix” with one party, that party knows your inputs and outputs, while you assume that you now own anonymous bitcoins. This is a very dangerous situation!

But the biggest issue isn’t even the centralized mixers running with your money, honeypots, or traceable coinjoins. It’s something that is -in my opinion- a very underestimated issue:
Enter fungibility.

digital-cash-702x336 (1)

Fungibility is a property of money that makes every unit if this money interchangeable: you can pay someone with a paper note and the receiver won’t care where it came from. As long as this note isn’t counterfeited, he will accept it and exchange goods or services for that paper note. This is how physical cash works.

But how do we enforce fungibility on a transparent blockchain where every transaction is visible?

All forms of mixing on transparent chains are active forms of mixing: if you want to mix coins, you need to find other people who want to mix as well. This makes the system vulnerable to sybil attacks/honeypots and, more importantly, people can see on the blockchain you tried to mix your coins. This act in itself could already be considered a crime: you are actively money laundering your coins.

Even if using a mixing service isn’t viewed as a crime, there are still a lot of fungibility risks associated with mixing. First and foremost, there is the possibility of blacklisting coins.
Even if you succeed in anonymizing your coins, there is still a trail. It’s pretty easy to know by analysing the blockchain that certain coins were sent to a darknet market for example. So if you try to mix your coins, you do that with coins from an unknown source (that’s the whole point, remember?).

Suppose that after mixing, you get coins back which were used in a drug transaction. Suppose the DEA busts a house of a drug dealer and follows the trail of the bitcoins that guy earned. The DEA may eventually find your wallet as the destination of the drug money. If you then spend these coins at a website that uses a payment processor, your customer data is connected with this drug money and you may get a knock on your door by law enforcement. If you try to sell these coins at an exchange, it’s possible your account will be blocked and your coins will be confiscated and sent to the government wallet. Certainly in the USA this is a risk because Civil Asset Forfeiture laws are broadly applied.

Another problem is mining censorship: miners confirm transactions. Up until now they seem to confirm any valid transaction. But what if law enforcement goes to the biggest miners in the world (representing at least 51% of the hashpower) and tells them that if they continue to confirm easily identifiable mixing transactions, they will be accused of money laundering. What if they aren’t even allowed to build new blocks on blocks containing such illegal transactions? It’s all possible in theory. Regulatory compliance by miners is -in my opinion- just a matter of time.

This is the fungibility problem that a transparent blockchain faces. Note that 99% of all cryptocoins are using a transparent blockchain, even the (in-)famous cryptocoin DASH, which just offers a form of CoinJoin that is built in the GUI wallet and mixes the coins on centralised “masternode servers” that can log every input and output.

monero

Enter Monero.
What makes Monero different from all other cryptocurrencies? Well, unlike Bitcoin, it uses a passive form of mixing.

How does this “passive mixing” work?
Monero uses ring signatures to obfuscate transactions. When you create a transaction, your Monero client randomly selects some transactions from the monero blockchain and signs a “ring signature”. Along with this ring signature, some kind of “fingerprint” is published, called the key image. This results in a transaction where an observer can’t know who is the real signer, but has cryptographic proof that it’s a valid transaction and no double spend happened.

Because your client picked the other transaction outputs randomly, those outputs are obfuscated even more. And this happens without them signing anything. Their coins can even be stored on a paper wallet and still be included in your transaction! So when sending a transaction, you not only immediately have plausible deniability about your own transaction history, but also obfuscate the blockchain even more. You generate positive externalities when you transact. The more people are using monero, the better its privacy will become.

In Monero, ring signatures are combined with stealth addresses to also make it impossible to identify the receiver of the coins. A transaction is sent to a “one time address”. The receiver needs to constantly scan the blockchain with his private viewkey to know which transactions are meant for him. With his private spend key he can then create a ring signature and spend his coins. Soon Confidential Transactions will be added to Monero with the goal of also making the transaction amount invisible. This will also solve some small issues with Monero privacy that now still exist.

But what has this fancy mixing system to do with fungibility? It’s still possible to track coins and see that certain coins are mixed, right?
Well, no: the use of ring signatures is enforced by the Monero protocol. Unmixed transactions aren’t allowed on the Monero blockchain. This results in every transaction being in a ring signature and obfuscating the chain even more. This guarantees fungibility on 2 levels: it’s impossible to track coins due to the default mixing and nobody can prove that you initiated the mixing thanks to the plausible deniability features of ring signatures.

The only exception to this are the newly minted coins: these coins don’t have inputs, so they can’t be signed with a ring signature. But this is actually an advantage, as it makes it possible to verify that the amount of newly minted coins is according the the emission scheme. However, other transactions can include these minting transactions in a ring signature. So when that happened at least once, the miner has plausible deniability on whether he spent his freshly minted coins or not.

This means that accepting or spending Monero doesn’t have any risks of being tracked, blacklisted or censored. You simply don’t know what is happening but you can verify that no double spends are happening and that the supply scheme is honoured. Some issues still exist, but these are minor and are actively being researched by the Monero Research Lab. See their research papers for more info. Monero is an (almost) perfect form of digital cash.

Note that Monero will only give you the full benefits of its technology as long as you stay inside the system. Once you start using Monero as some kind of mixer by buying XMR with BTC and spending your XMR immediately after that, some timing analysis can happen based on the bitcoin and monero blockchain. You shouldn’t enter and exit the Monero system every time you want to transact anonymously. This would diminish the privacy and fungibility aspects of your transaction. In stead, you should just use the funds you already have stored in the network. Monero as a sidechain to Bitcoin is therefore not a good idea. People who actually store a part of their wealth in Monero, will benefit from the obfuscation created by other people transacting. Monero is therefore only useful as a separate fungible network.

Screenshot from 2016-06-09 04:26:19So what’s all that buzz around ZCash?
Isn’t that coin claiming to be completely anonymous and better than every other anonymous cryptocurrency out there?

ZCash is a cryptocurrency project that originated from the Zerocoin/Zerocash idea, proposed back in 2013. Almost every “old time” bitcoiner knows about it. It was proposed to be integrated in the bitcoin codebase so that you would have the option to send a zerocoin-transaction using the bitcoin blockchain. You would need to “pour” your bitcoins in the Zerocoin mixer and from that point onwards, you could transact anonymously using the Zerocoin-protocol. When it became clear that Zerocoin wouldn’t be implemented in the bitcoin codebase any time soon, they worked for a while on implementing it as a sidechain.

But at some point the Zerocoin-team pivoted and decided to launch the altcoin ZCash. There is nothing wrong with trying to launch an altcoin, but, in my opinion, an altcoin can only survive long term if it actually offers something that is unique and probably can’t be adopted by bitcoin. The fact that it’s possible to add ZCash as a sidechain to bitcoin, should already raise some red flags.

The ZCash team decided to launch ZCash as an altcoin so they were able to fund the development: ZCash has a US-based company behind it and will tax 20% of the mining revenue during the first 4 years to pay off private investors. If ZCash were to succeed, the private investors will benefit greatly from the launch of this cryptocurrency. Although I don’t like ICO’s, a public coinsale (a form of crowdfunding) would have been a more fair and open way to fund development than seeking money from private investors.
This is in great contrast with the launch of Bitcoin and Monero, which were fairly launched, without “premine”, “mining tax” or some kind of company behind it. In my opinion, a successful large cryptocoin will probably be grass-roots, but it’s possible I’m mistaken here. Maybe some people actually prefer a corporate coin like ZCash. Time will tell.

But let’s dive into the tech a bit to compare its features with Bitcoin and Monero. The first thing that strikes me is the fact that ZCash allows transparent transactions: mined coins are bitcoin-like transparent “base coins”. When you want to spend them, you have the option to do an anonymous “pour” to enter them into the ZCash mixer. It’s basically the same idea as using Zerocoin as a sidechain.

This ZCash mixer functionsScreenshot from 2016-06-09 01:54:03 as a “black box”: you can see what is entering and what is exiting, but you can’t see what is happening inside the ZCash-mixer. This fact alone doesn’t magically make ZCash fungible: transparent transactions are still possible, so the mixing isn’t default.

It’s also an active form of mixing, not a passive form like on the Monero network. Because you need more than 8GB of RAM to do an anonymous ZCash transaction, it’s very likely that the mixing won’t be enforced any time soon and, what’s even more concerning, the large majority of transactions will probably just be transparent bitcoin-like transactions.  Another concern is “timing analysis”: if the ZCash mixer isn’t used much, you can try to connect coins entering the mixer with coins exiting the mixer. Certainly for larger transactions this is a real possibility.

The fact that transparent transactions are still possible, also makes your OpSec dependant on others: even if you try to anonymize your coins as much as possible, you can still be deanonymized if the people you transact with aren’t using the same standards. It’s even possible you’ll be forced to use transparent transactions if you want to use some kind of (regulated) service. This will result in the same issues as described on a transparent blockchain. Identities will be attached to addresses and this can eventually lead to blacklisting or even miner censorship. The fact that mixing isn’t enforced on ZCash is bad for fungibility and anonymity.

Another problem with ZCash is the fact that it’s brand new cryptography. Nobody can really guarantee that there aren’t some bugs in the system that will make it possible to deanonymize transactions or create coins out of thin air. What’s more, if coins are being created, it will not even be detectable because, unlike Monero, you can’t verify the total amount of coins in the ZCash blockchain. During the alpha test phase, they already found such a bug. Nobody can guarantee that similar bugs won’t exist when ZCash launches. It doesn’t seem a great idea to base a monetary system on brand new crypto. Accidents can happen, and when they happen, the value will plummet.

Related to this issue of brand new cryptography is that some features like multisig are not that hard to implement on Monero, while for ZCash this will require a lot of research. Meanwhile, ZCash will probably use the bitcoin-styled multisig on the transparent part of the network.

The ZCash extended paper also mentions a theoretical “poison pill attack” (section 6.4). This attack makes it possible to target a single user with the goal of deanonymizing him. It seems this attack is easier to perform when the targeted user uses an anonymous network like Tor. Monero, in contrast, is integrating with I2P.

toxicAnother problem ZCash faces is the “trusted setup”, the so called cryptographic “toxic waste” problem. This is some data that is needed when the initial parameters of ZCash are created, but needs to be deleted afterwards. If somehow someone gains access to this “toxic waste”, this entity can create coins out of thin air without anyone noticing. This is a serious problem because this makes a malicious backdoor in ZCash a real possibility.

The fact that ZCash is a US-based company, doesn’t really help with building confidence in this cryptocurrency. It’s not unthinkable some agency will require the ZCash team to make a copy of this “toxic waste” and hand it over to them. Just google what the US government did to the owners of e-gold, Liberty Reserve and the Liberty Dollar, and you’ll understand what kind of pressure they can exert on the owners of the ZCash company. If coins can be created at will, the inflation will diminish the value of the coin.

There is a clear trade-off between using Monero or Zcash: Monero is a usable and default fungible cryptocurrency based on solid cryptography without “trusted setup” by a company. The whole Monero blockchain becomes more and more obfuscated over time when people are transacting, which mitigates the “imperfect” anonymity. Meanwhile, the anonymity of Monero is also being improved on a technical level by the Monero Research Lab.

ZCash on the other hand has a different approach. They offer a completely anonymous mixer, but not by default, resulting in fungibility and anonymity problems. It has some serious issues related to the “toxic waste” during the “trusted setup” and has a lot of additional risks due to the brand new cryptography that is being applied.
Is it an interesting research project? For sure. Should it be applied in a cryptocurrency? No.

Sidenote: it’s perfectly possible to add a ZCash mixer to the Monero blockchain. In that case the “base coins” are the normal Monero-tokens that already are in circulation and people can choose to send their coins to a ZCash sidechain. The Monero network will need to check if the total number of XMR that goes into the sidechain is always larger than the total number of XMR that is exiting the sidechain.
Even if a hacker finds an exploit to create XMR out of thin air inside the ZCash mixer, he will only be able to drain the sidechain, not the mainchain. Use of the ZCash sidechain is then at your own risk. No additional Monero can be created on the mainchain, which is still perfectly fungible.

EDIT: Zooko reached out to me to point out he didn’t start the zerocoin/zerocash project. He became involved at a later point in time. Article changed accordingly.
EDIT2: Zooko asked me to be less speculative about the motives surrounding the launch. I linked to the article he provided.

 

ShapeShiftOpenAlias

Trezor firmware for Monero – First impressions!

Published by:

2016-03-08-134148

The Monero core team member NoodleDoodle recently released Firmware for Monero integration with a Trezor hardware wallet. It  still a beta so it’s not recommended to store large amounts of moneroj on it. I decided to give it a try so I could help to test this awesome piece of software :)

First some background on what a Bitcoin Trezor is and why it is useful:

What a Trezor does is making it safe to use cryptocurrencies.

A lot of bitcoins are lost because people are hacked. When a hacker gets access to you private keys, he can steal your money. Some people don’t want to take the risk to store their crypto themselves, so they leave it on the exchange. But that is also a big risk (do I need to remind you about Mt. Gox?)

This is the reason why in 2014 the guys from Satoshi Labs started selling the first ever Bitcoin hardware wallets. A Trezor locks your private keys inside the device. After initialization, it’s impossible to extract the private keys from the Trezor, so your bitcoins are stored securely.  They designed a protocol that makes it possible to communicate with your Trezor device securely.

Screenshot from 2016-03-07 19:54:37

When you create a bitcoin transaction in your Trezor compatible Bitcoin client (for example Electrum or MyTrezor.com) you send an unsigned (“raw”) transaction to your Trezor device. The Trezor will show the transaction details on his screen and you need to manually approve your transaction by pressing a button on your Trezor. When you confirmed the transaction by pressing the button, your transaction is signed by the private key in locked away in your Trezor and then send back to you client. The client then broadcasts your signed transaction to the Bitcoin network.

The Trezor protocol doesn’t allow extraction of the private keys from the device, so you can always spend your coins safely. By this time, you probably ask yourself what happens in case you loose your Trezor or in case it is broken. The answer is easy: during the initialisation of your Trezor, a 24 word seed is shown on the screen of the device. You need to write these words down. This is the backup in case something goes wrong. It’s a BIP32 seed, so you can import your backup in a lot of different wallets (blockchain.info, mycelium, electrum, …) or in a new Trezor device. Your Trezor is also protected by a PIN code, so in case someone steals your device, he can’t get his hands on your coins. Optionally, you can even set multiple passwords on your Trezor device. Every password crates a new account on your Trezor and provides plausible deniability: you can never see how much accounts are stored on the Trezor.

Back to Monero. What NoodleDoodle did was writing a piece of software that makes Trezor compatible with Monero. This makes it possible to securely store your moneroj on the Trezor hardware wallet. I tested this software, and the it functions in a similar way as the Bitcoin version of the software. You can’t send transactions unless your Trezor is plugged into your computer. Transactions are broadcasted after you confirmed it by pressing a button. You still need to perform all actions from the command line wallet. For usability, I hope the Trezor will be integrated in the “official” Monero GUI.

One minor catch: your private viewkey is sent to your Monero client. By default this information is deleted when you close your client (note that with the Bitcoin version of the software, your “master public key” is also shared with your client). I asked NoodleDoodle and it will optionally be possible to have a watch-only type of wallet in the future, so you can watch incoming transactions while your Trezor isn’t connected to your PC.

When you want to give this Monero firmware version a try, you can download it here. The download also includes a small manual on how to update your Trezor and on how to use it. It is possible NoodleDoodle will still change some features and user experience, so when the software considered “stable”, I’ll write a small manual with some printscreens to help you get started using Monero securely.

If you don’t yet own a Trezor, you can buy one here. Note that this is my personal affiliate link. If you buy a Trezor through that link, I get a % of the revenue (but you just pay the regular price!).

If you buy through this link, I pledge to donate 5 USD per Trezor to NoodleDoodle for his awesome work. You can also donate to him directly by sending XMR to his address:

47AYtJeNKJjYNZLj71nBW938mbFSFwq1x4qVcNhBmdfUjhaqiGN7wqpVjH419eLYPzHFeF3TgzY2fDivz5EyGBYUSbAXwed

If you are waiting for the delivery of your Trezor device, you can enjoy these 3 pictures in the meantime :)

2016-03-08-134148monerotrezor2monerotrezor1

 

 

 

 

FFFFFF-1

Bitcoiners, why not hedge your position?

Published by:

Bitcoin is stagnating. There seems to be no consensus on how to scale bitcoin. Bitcoin blocks are almost full. Transactions are slow. On the regulation front, it’s possible that the traceability will be used to enforce blacklisting or whitelistingMining is centralized, this can lead to governments forcing mining pools or big mining farms to filter certain suspicious transactions.
Will bitcoin lose its monetary characteristics due to these issues in the long run?

If you answered this question with a “definitely not”, you are in denial. This is a threat to the future of bitcoin as money. There is always a chance that Bitcoin becomes obsolete. We saw Digicash, e-gold and Liberty Reserve also ceased to be money. So, my advice would be to find a good hedge for your BTC position.

What characteristics are needed for a good crypto hedge?

1. No Bitcoin copy

Most of the altcoins are forks of bitcoin with a minor tweak. Litecoin was popular in the past because the mining algorithm was GPU-friendly, and thus decentralized. Since scrypt ASICs exists, this unique selling proposition is gone. LTC is a very bad hedge against BTC because most of the code is identical.
LTC is exposed to the same issues as BTC: problems with scaling, a possible error in the BTC codebase, traceability of transactions, etc.

2. Unique features

The hedge should have some use case. If the only demand for the coin is to function as a hedge, then it probably won’t succeed because there is no market demand, unless BTC is in trouble. Once the issues are resolved, the value of the hedge would drop dramatically. There are some coins with a decent market cap who fit rule 1 and rule 2:

Ether: decentralized smart contracts
Ripple: different consensus model  (note: almost dead because no use case and considered a scam by many because not really decentralized)
Maidsafe: decentralized cloud storage
Peercoin: first Pow/PoS hybrid
Factom: notarizing on the bitcoin blockchain
NXT: decentralized asset exchange

3. No apptoken

However, most of these coins, with the exception of Peercoin, aren’t “coin-like coins”. They are apptokens and it is very likely that all features can be implemented with bitcoin as currency in the future (on a sidechain, or maybe just on top of bitcoin itself). There is a chance some of them (maybe Ether?) will survive on their own if the development is strong and the userbase is solid.
But even if an appcoin can stand on his own legs, this isn’t a guarantee that it will be valuable because there will only be demand for using the apptoken when using the application. There won’t be monetary demand., incentivizing to store a portion of your net worth in it. This gives these coins a very questionable long term value proposition, again with the exception of Peercoin (maybe).

Monero

I intentionally left out Monero. Currently it has a market cap above 10 million USD and I think this is the perfect hedge for your bitcoin position.

Why, you ask?

  • Monero has a different codebase: it is based on the “cryptonote protocol” and is building a lot of additional functionality, like RingCT (Ring Signature Confidential Transactions)
    resulting in default untraceable and unlinkable transactions. This makes monero real fungible and anonymous eCash. Browse this website for more information on this subject.
  • Monero uses a different elliptic curve. If the BTC curve is broken, the XMR curve could still be solid (and vice versa).
  • Monero also has a scaling solution baked in the protocol: it has a dynamic block size limit. If the demand for transactions goes up, the block size limit will scale. For this to work, it is necessary to have a “tail emission”. When the initial emission of 18.4 million moneroj runs out, a minimum block reward of 0.6 XMR / 2 minutes will  be given to the miners. This ensures long term incentives for the miners, even if a fee market doesn’t develop.
  • The mining algorithm is a different hashing function that is written to be CPU-friendly. The performance gap between CPU and GPU mining is small. A features called “smart mining” will probably generate more decentralized mining.
  • Last but not least, Monero isn’t an apptoken: it’s highly unlikely that the properties of Monero will be implemented in Bitcoin. Bitcoin is transparent by default, monero is private and fungible by default. Implementing ring signatures as a sidechain for example, isn’t sufficient:  the sidechain would function as a mixer, but transparent bitcoin transactions are still possible. Regulation could force services to only accept traceable bitcoin transactions, miners could be forced to not process anonymous bitcoin transactions, blacklisting of coins would still be possible, etc. If raising the bitcoin block size limit is creating a consensus problem, then  changing the core functionality of bitcoin transactions will not happen. It’s highly unlikely that bitcoin ever will be private and fungible by default.

So if you are looking to hedge your bitcoin position, maybe research Monero. The number of BTC and XMR in existence are comparable, so if you decide to buy a similar amount of XMR as you currently own BTC, you are hedged. Why not take a small insurance policy for you precious bitcoins? You can start researching here.

 

ShapeShiftOpenAlias