sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
DougieBot5000_ has joined #bitcoin-wizards
DougieBot5000 has quit [Ping timeout: 244 seconds]
DougieBot5000_ is now known as DOugieBot5000
davec has quit [Read error: No route to host]
davec has joined #bitcoin-wizards
arubi has quit [Ping timeout: 244 seconds]
arubi has joined #bitcoin-wizards
belcher has quit [Quit: Leaving]
NewLiberty has joined #bitcoin-wizards
btcdrak has quit [Quit: Connection closed for inactivity]
Noldorin has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
Burrito has quit [Ping timeout: 260 seconds]
chestnutpie has quit [Quit: Leaving]
mappum has quit [Ping timeout: 260 seconds]
aspect_ has quit [Ping timeout: 250 seconds]
eragmus has quit [Ping timeout: 250 seconds]
CryptoAi has quit [Ping timeout: 260 seconds]
eragmus has joined #bitcoin-wizards
mappum has joined #bitcoin-wizards
CryptoAi has joined #bitcoin-wizards
aspect_ has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 244 seconds]
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
Giszmo has quit [Quit: Leaving.]
chestnutpie has joined #bitcoin-wizards
davec has quit [Ping timeout: 265 seconds]
ThomasV has joined #bitcoin-wizards
chestnutpie has quit [Quit: Leaving]
NewLiberty has quit [Ping timeout: 264 seconds]
N0S4A2 has joined #bitcoin-wizards
rusty2 has joined #bitcoin-wizards
NewLiberty has joined #bitcoin-wizards
lvns has joined #bitcoin-wizards
davec has joined #bitcoin-wizards
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
ryan-c has quit [Ping timeout: 240 seconds]
ryan-c has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 276 seconds]
chjj has quit [Ping timeout: 252 seconds]
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
chjj has joined #bitcoin-wizards
btcdrak has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
BashCo has quit [Remote host closed the connection]
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
jannes has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
BashCo has joined #bitcoin-wizards
BashCo has quit [Read error: Connection reset by peer]
BashCo has joined #bitcoin-wizards
rusty2 has quit [Ping timeout: 264 seconds]
edvorg has joined #bitcoin-wizards
lvns has quit [Remote host closed the connection]
edvorg has quit [Ping timeout: 264 seconds]
lvns has joined #bitcoin-wizards
edvorg has joined #bitcoin-wizards
rubensayshi has joined #bitcoin-wizards
edvorg has quit [Ping timeout: 252 seconds]
NewLiberty has quit [Ping timeout: 255 seconds]
chjj has quit [Ping timeout: 240 seconds]
pro has joined #bitcoin-wizards
tripleslash has quit [Read error: Connection reset by peer]
tripleslash has joined #bitcoin-wizards
chjj has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 244 seconds]
belcher has joined #bitcoin-wizards
Ylbam has joined #bitcoin-wizards
daddinuz has joined #bitcoin-wizards
rusty2 has joined #bitcoin-wizards
daddinuz has quit [Quit: Leaving]
<JackH>
any plans for BIP's that would allow for special wallets that can function as credit cards so that funds can also be "pulled" ?
<JackH>
is very useful for recurring payments and for monthly payments
<JackH>
something we dont have with Bitcoin
<belcher>
how would that work JackH ?
<sipa>
JackH: that's already possible with a 1-of-2 multisig
<belcher>
fwiw you could also do recurring payment as a standing order, where the user configures their wallet to send an amount of coins every month(or whatever)
ThomasV has joined #bitcoin-wizards
<sipa>
but in general that seems like a function a payment processor should handle, not the currency
<JackH>
yes but how can we do that if the wallets themselves are not supported on a protocol level? We can't pull funds, unless we integrate with each and every wallet that is out there and gets built in the future
<JackH>
that is a monumental task and won't happen
<JackH>
if it was down to each user to add funds to a credit account for recurring payments it would be a different story
<JackH>
I also paid for my phone yesterday over the phone, via a robot, that asked me to enter card details. After I was done I realized this would not be possible with Bitcoin either
<JackH>
and now that card is registered, and next time it either pulls or I call back and press some number to get the funds pulled from the same card
<JackH>
With Bitcoin this would require I go online....well you know
<buZz>
imho, 'voice card details' are practically the most insecure method
<buZz>
anyone listening in gets all details for future transactions
<sipa>
the largest problem is that you can't do this onchain without leaking the details of who is allowed to pull funds
<JackH>
yes yes, we all know, but consumers just want to pay
<sipa>
well bitcoin is a currency
<JackH>
hmm
<sipa>
it's a terrible payment system
<sipa>
*bitcoin
<buZz>
creditcards arent a currency, indeed
<JackH>
so how would we build on top of it as an example?
<buZz>
JackH: what about, just using a btc backed creditcards
<JackH>
lets for the sake of conversation say we even have lightning, would that help?
<buZz>
those things are practically free nowadays
<JackH>
yeah but isnt the point that we build our own payment rails eventually?
<JackH>
without interfacing with legacy product
laurentmt has joined #bitcoin-wizards
<sipa>
i think we should use each piece of technology where it is appropriate
<buZz>
JackH: that doesnt work with the payment methods you describe
<sipa>
bitcoin is better at being a currency IMHo than current systems
<buZz>
JackH: which have been shaped by having the most leaky shit standard ever
<sipa>
for most use cases, it is not currently better than other digital payment methods (I think credit cards are pretty horrible, though)
<buZz>
JackH: nations where creditcards arent common (like netherlands) dont use similar systems
<JackH>
Yep I know they all use iDeal there
<buZz>
-no- payment possible over the phone by voice
<buZz>
as in literally zero methods
<sipa>
in the uk i can pay by tapping my card against a terminal
<JackH>
but iDeal allows for recurring payments
<buZz>
no it doesnt
<buZz>
iDeal is 1time only
<JackH>
I can setup a pull order, no?
<buZz>
no
<buZz>
not with iDeal
<JackH>
so how do people pay their bills?
<buZz>
with banking interfaces
<JackH>
manually every month, for every bill?
<buZz>
you can set up a withdrawal with a company (machtiging, NOT through iDeal)
<JackH>
ok
<buZz>
so company can just charge you whatever and you autopay
<buZz>
but, cant do that over the phone (legally)
<JackH>
still, my point in general is that the current payment system is heavily depending on recurring payments
<buZz>
ah, you made it sound like the phone part was part of your question
<belcher>
JackH much of it is done with standing orders in banks, i.e. instruct your bank to transfer X amount to another account on a regular basis, rent payments often work like this
<belcher>
and it would be trivial to add this feature to a bitcoin wallet
<buZz>
JackH: bitcoin-cli + crontab
<buZz>
boom, recurring payment
<JackH>
hmm
<JackH>
so what would I have done yesterday when I was waiting outside of my home, decided to call and pay my phone, over the phone, as an alternative?
<buZz>
stop using phones
<buZz>
they arent secure and only exist as 'option' to allow voluntary tracking of masses
<belcher>
pay over the web with a smartphone
<JackH>
ok so, you wont get ALL people to do that, can we please agree to that we cant change EVERY single thing as we want adoption?
<buZz>
;)
<buZz>
i dont want to change all people
<JackH>
you need to serve people, not change everything about them, because its naive to think it will happen
<belcher>
id say we focus first on the areas bitcoin has a clear advantage over legacy systems
<JackH>
in any case, we dont have this option, which bothers me
<buZz>
i'm still kinda vague on what option you are talking about
<buZz>
a) paying over phone
<JackH>
a pull functionality
<buZz>
b) consumer initiated recurring payments
<buZz>
ah so c)
<buZz>
c) business initiated payments
<buZz>
i will be very happy to never ever see that happen
<JackH>
if you can pull from a special Bitcoin address for example, you can build a layer on top of it to give it a 10 digit code for example, that you can give out to vendors, over the phone, or where ever else
<belcher>
JackH what about 1-of-2 multisig ?
<JackH>
explain more belcher
<belcher>
1of2 multisig can be used to implement pull functionality
<JackH>
how would you do it?
riclas has joined #bitcoin-wizards
<belcher>
1 key is held by the business you're allowing to pull from you (amazon.com for example), the other key is held by you
<belcher>
when you click "buy now" on amazon it takes money from you
ratoder has joined #bitcoin-wizards
<belcher>
and its all done by bip32 keys to stop address reuse
<sipa>
when you click 'buy now' you don't need a pull
<sipa>
as you're are the side initiating the payment
<sipa>
you can just send
<belcher>
i was thinking of the patented one-click-ordering button :p
Yogh has joined #bitcoin-wizards
<buZz>
belcher: consumer initiated payments work fine
<buZz>
this is the 'company decides you owe them money so they just grab it'
<JackH>
can multisig be made as 2 out of 3 and make a rule that 2 out of 3 is required to pull, any amount any time?
<buZz>
which is 'normal' but imho not desirable in any way
<JackH>
and third key is to block everything
<JackH>
that consumer holds
<JackH>
or block "everything" for a specific merchant
<Yogh>
JackH: The functionality you are looking for can be found in a custodian. ie. a bank
<JackH>
yes but question is if the bank of the future can do this via Bitcoin, without having to make a deal with every wallet provider
<Eliel_>
JackH: Payment channels sounds like a perfect match for this use case.
<sipa>
payment channels still don't let you pull money from someone else
<sipa>
that's generally not a functionality you want without some party enforcing a policy; whether it's you or a custodian
<sipa>
nobody should ever be allowed to just take all my money
<JackH>
could a pull function also be build to have the chargeback mechanism build in?
<JackH>
so if someone takes all your money, someone else can go in and retake them
<sipa>
so you're basically saying that you want exactly the properties of the existing banking system, but not banks?
<JackH>
from a feature point of view, and from a customer service point of view, it works and is widely used, and I think a superior system should to some extent have the capabilities
<sipa>
somehow if it's on top of bitcoin, it's all fine, even if it has all the flaws of what already exists? :)
<sipa>
i think most of that is just warped perspective by the lack of alternatives
<sipa>
i don't understand why creditcards are still a thing in this century, for example
<Yogh>
"[...] so preoccupied with whether or not they could that they didn't stop to think if they should."
<buZz>
sipa: agreed
<sipa>
they were created because there was no means of instantaneously communicate with a bank to authorize a payment
<buZz>
Yogh: and agreed :D
<sipa>
and now through monoculture and reward programs, we've somehow created an entire ecosystem that is dependent on them
<sipa>
even though they're incredibly inconvenient (especially in the US... i have to f*cking sign a piece of paper, wtf?)
<JackH>
I wont be the last person to ask for this
<JackH>
heck, I been asked many times myself
<JackH>
it should be seen as a feature, rather than: Viva la resistance, we will change everything, credit cards suck, we do everything different
<sipa>
i don't think "we" plan to do everything differently, or at least, we should not do things differently because they're different
<waxwing>
the concept of "pull" payments like direct debits works on a higher level, where there is a trusted third party. you can build layers like that above bitcoin. current pull payments are predicated on TTP, they would not work with bearer instruments ("exit scam" and so on)
<sipa>
we should use technology where it is appropriate
<sipa>
and i think that for the use case you describe, the existing technology is more appropriate than what we know how to do differently
<JackH>
what I am trying to say is that, it should be possible, somehow (I dont know, you guys are the experts), without relying on that layers on top do it, and are not compatible out of the box with every wallet
<sipa>
you're describing features that make sense in a world where money is held by custodians with reversible transactions
<sipa>
so use a custodian
<sipa>
don't hack a custodian into a system that is designed for control over your own money
<JackH>
I think we can imagine a number of people will rely on having their money stored with a custodian, and if I am not wrong a lot of people already do that
<Yogh>
JackH: I think you're confusing a feature with a bug
<sipa>
JackH: and that's perfectly fine
<JackH>
yes sipa
<sipa>
so wait until there are credit cards denominated in btc
<sipa>
and you'll have every feature you're asking for
<JackH>
but that still requires everyone that wants to pull to integrate with the card provider
<sipa>
they already do
<JackH>
redoing the whole planet can take quite some time unless Visa/MC picks up the technology
<sipa>
the alternative is that i let everyone just steal my money
<JackH>
or everyone that ascribes to X, Y, Z, whatever that might be?
<sipa>
?
<JackH>
what I am saying is that it would be great if I from Bitcoin-QT had a "credit" account
<JackH>
instead of creating a wallet with Visa Blockchain wallet, heh
<sipa>
well, i'm sorry, we don't know how to do that
<sipa>
not without both losing your privacy and letting people steal my money
chjj has quit [Quit: null]
<JackH>
maybe payment channels? that would work too
BashCo_ has joined #bitcoin-wizards
<sipa>
they'll still need one side with keys to act in your behalf and automatically accept certain payment requests
BashCo has quit [Ping timeout: 260 seconds]
rusty2 has quit [Ping timeout: 244 seconds]
laurentmt1 has joined #bitcoin-wizards
laurentmt has quit [Ping timeout: 244 seconds]
laurentmt1 is now known as laurentmt
tromp_ has quit [Read error: Connection reset by peer]
gielbier has quit [Quit: Leaving]
obs has joined #bitcoin-wizards
dnaleor has quit [Quit: Leaving]
obs has quit [Remote host closed the connection]
Chris_Stewart_5 has joined #bitcoin-wizards
obs has joined #bitcoin-wizards
Burrito has joined #bitcoin-wizards
othe has quit [Ping timeout: 264 seconds]
fluffypony has quit [Ping timeout: 276 seconds]
dnaleor has joined #bitcoin-wizards
Giszmo has joined #bitcoin-wizards
ThomasV has quit [Quit: Quitte]
Chris_Stewart_5 has quit [Quit: WeeChat 0.4.2]
grubles has joined #bitcoin-wizards
daddinuz has joined #bitcoin-wizards
musalbas has quit [Ping timeout: 250 seconds]
musalbas has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
NewLiberty has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
superkuh has quit [Read error: Connection reset by peer]
shesek has quit [Ping timeout: 244 seconds]
laurentmt has quit [Read error: Connection reset by peer]
laurentmt has joined #bitcoin-wizards
daddinuz has quit [Quit: Leaving]
jgarzik has quit [Read error: Connection reset by peer]
jgarzik has joined #bitcoin-wizards
tom3 has joined #bitcoin-wizards
GAit has joined #bitcoin-wizards
mdavid613 has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 244 seconds]
laurentmt has quit [Read error: Connection reset by peer]
superkuh has joined #bitcoin-wizards
laurentmt has joined #bitcoin-wizards
tripleslash has quit [Read error: Connection reset by peer]
mdavid613 has quit [Quit: Leaving.]
tripleslash has joined #bitcoin-wizards
<e0_>
New version of TumbleBit out. Paper completely rewritten to be easier to read and focus on anonymizing payment channels in Bitcoin: https://eprint.iacr.org/2016/575
<e0_>
While not identified in the paper as such, TumbleBit introduces a new primitive, unlinkable/anonymous HTLCs, which can be pulled into micropayment channels to increase anonymity.
[\\\] has joined #bitcoin-wizards
tripleslash has quit [Ping timeout: 244 seconds]
lvns has quit [Remote host closed the connection]
superkuh has quit [Remote host closed the connection]
Giszmo has quit [Ping timeout: 265 seconds]
rubensayshi has quit [Ping timeout: 255 seconds]
ThomasV has joined #bitcoin-wizards
mdavid613 has joined #bitcoin-wizards
Giszmo has joined #bitcoin-wizards
Noldorin has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 265 seconds]
hashtag has joined #bitcoin-wizards
murch has joined #bitcoin-wizards
fluffypony has joined #bitcoin-wizards
othe has joined #bitcoin-wizards
svdb64 has joined #bitcoin-wizards
GAit has quit [Quit: Leaving.]
<andytoshi>
e0_: do you know tumblebit well enough to say how it might interact with mimblewimble?
MRL-Relay has joined #bitcoin-wizards
<andytoshi>
oh, are you one of the authors?
<e0_>
andytoshi: I am one of the authors of tumblebit.
<andytoshi>
oh, ok, sorry :) i don't have any real person associated to your nick in my head. can you say (i'm reading now..) what script features of bitcoin this uses?
<e0_>
We use OP_HASH160
<e0_>
and then standard multisig
<andytoshi>
oh damn .. hash160 is hard for MW
<e0_>
we performed a mix of 800 addresses on mainnet blockchain
<andytoshi>
that's really slick. you mention you had a server in NY and you were using it from boston -- is this server something that could be usable in production?
<andytoshi>
like could you setup a joinmarket-like community today?
<e0_>
My understanding of MW is that it requires major protocol changes to Bitcoin. TumbleBit's whole design is to be compatible with today's Bitcoin. If we could make changes like MW, we could do much more.
c0rw1n_ has quit [Ping timeout: 260 seconds]
fluffypony has quit [Quit: peace out, A town]
othe has quit [Quit: kthxbye]
<e0_>
Yes, it could be usable in production, we have proof of concept code on github and we are currently writing a production quality TumbleBit server (but it will take time).
<andytoshi>
e0_: well MW does its magic (which is primarily scaling) by making everything way more fragile. it's tricky to do much of anything beyond multisig with it (similar to monero, script interacts badly with the privacy tech)
<andytoshi>
awesome! i'll read this paper asap
fluffypony has joined #bitcoin-wizards
othe has joined #bitcoin-wizards
<e0_>
I think one of the benefits is that we can now build HTLCs that are unlinkable even if everyone but the sender and receiver collude and these HTLCs work in Bitcoin today. It could provide lightning network privacy benefits. I believe current lightning network privacy schemes require at least one honest intermediary.
lextt has quit [Quit: Leaving]
<e0_>
andytoshi: interesting, I had not realized that MW had that drawback but thinking about how MW works, it makes sense.
svdb64 has quit [Quit: WeeChat 1.5]
<andytoshi>
this is also very interesting to me because it's much less ambitious than LN on the scaling front -- like this makes sense in a model where there's a bunch of scattered hubs that are more-or-less advertised as providing anonymity, and the scaling is bonus
<andytoshi>
whereas LN is designed to be run with a bunch of interconnected payment channels, which from an engineering perspective will take a lot longer to get off the ground
mirko has joined #bitcoin-wizards
mirko is now known as Guest15999
dgenr8 has joined #bitcoin-wizards
Guest15999 is now known as fcracker79
<fcracker79>
/msg NickServ identify sys64738
<fcracker79>
Hi all
laurentmt has quit [Quit: laurentmt]
<fcracker79>
Is there any colored coin-specific channel or I can ask questions related to it here?
<waxwing>
fcracker79: may want to change that password
<belcher>
i just tried it and its the wrong password
<e0_>
right, one big payment hub running tumblebit provides the greatest anonymity, engineering simplicity and scalability. Centralization isn't as big of a risk if hubs do not need to be trusted and unlinkability can be maintained even against a malicious hub.
c0rw1n_ has joined #bitcoin-wizards
c0rw1n_ is now known as c0rw1n
Oizopower has joined #bitcoin-wizards
<fcracker79>
waxwing: thank you, password changed
<fcracker79>
I am having some troubles with colored coins
<fcracker79>
How can info hash transfer transaction work, since the hash may end up in a redeem script and it is not known beforehand?
fcracker79 has quit [Quit: Leaving]
c0rw1n has quit [Ping timeout: 265 seconds]
<e0_>
I should amend my statement "in tumblebit, one big payment hub provides the greatest anonymity", I'm not saying that there is no system which provides more anonymity than tumblebit.
BashCo_ has quit [Remote host closed the connection]
fcracker79 has joined #bitcoin-wizards
cyphase has quit [Ping timeout: 258 seconds]
<JackH>
this sounds really amazing e0_
<JackH>
I just read all that
<JackH>
are you saying it solves the route and hub finding?
laurentmt has joined #bitcoin-wizards
GAit1 has joined #bitcoin-wizards
cyphase has joined #bitcoin-wizards
<e0_>
JackH: We don't solve hub finding, but since our scheme proposes a simple hub, routing is easy (one hop to hub, one hop to dest).
<JackH>
e0_, how would 3 hubs connect in case two of them did not know of each other?
brg444 has joined #bitcoin-wizards
<e0_>
Like Bolt, the scheme in the paper only assumes one hub which all parties are escrowed with. Interhub payments are probably possible but we wanted to lock down and solve the simplest case first.
MoALTz has joined #bitcoin-wizards
<JackH>
sounds reasonable! Is it based on the same type of deferral layer as Lightning/Thunder would be working? ie. HTLCs?
<waxwing>
JackH: it's principally a protocol for mixing payments trustlessly, rather than just general payments, from what i can see. but i'll let the author answer :)
<e0_>
We use blinded HTLCs so it could be plugged into the lightning network, but unlike most HTLC anonymity schemes TumbleBit's blinded HTLCs are unlinkable even if the intermediary colludes.
paveljanik has quit [Read error: Connection reset by peer]
pavel_ has joined #bitcoin-wizards
<JackH>
wait, now you confuse me a bit. You make it sound like it's not a payment hub on its own, and yet it is, but it can also be used as a plugin to Lightning, the other payment hub?
<e0_>
Within a payment hub where A's pay B's, all the hub learns is when A paid someone, but not who A paid, and the hub only learns the aggregate payments B received when B closes the channel.
<waxwing>
would the interactivity of the protocol not be a substantial performance hit at scale though?
fcracker79 has quit [Ping timeout: 255 seconds]
<e0_>
In the paper we build a complete system and for analysis purposes we focus on that system, but our components can be reused in other systems such as LN.
<e0_>
waxwing the performance costs of roughly 0.5 seconds of CPU time per payment are low enough that they can be used for most payments.
<e0_>
there is actually less interactivity between the hub and B than in a standard payment channel
<brg444>
to what extent could the RSA-puzzle protocol be implemented natively in Lightning?
<JackH>
can the system run without the anonymity portion to it, but yet do the A to B payments?
<e0_>
B can actually accept many payments without talking to the hub once the channel is created
<waxwing>
e0_: by less interactivity you mean less rounds right? but these are RSA operations, so there's that too i guess.
<e0_>
JackH why would you run it without anonymity?
<Taek>
e0_: there are lots of applications where that's undesirable. For example on Sia we will be making multiple payments per second to 20+ hosts concurrently, 0.5 seconds of CPU time each payment would not be fast enough for us
<Taek>
not to say that there aren't plenty of great use cases which can tolerate 0.5 seconds of CPU time
<JackH>
e0_, same problem as Taek, its about speed more than anonymity in most cases
<JackH>
anonymity is good for certain things, but for mass consumption speed takes priority
<andytoshi>
JackH: lightning's main innovation is routing and interconnectedness .. the mechanism by which peers are connected (payment channels) are almost an implementation detail. they could be replaced with other sorts of payment channels (like e0_'s which provide anonymity)
<waxwing>
JackH: this is a protocol for unlinkable payments, that's its purpose. it is called "tumblebit" after all :)
<andytoshi>
if you want speed without anonymity you just use the bog-standard payment channels
<e0_>
Taek: Certainly, it would be better if it used 0.001 seconds than 0.5 seconds of CPU time. It does handle most current bitcoin usecases and we think we have ways of making it more efficient.
<andytoshi>
but the routing and stuff is not the point of this proposal, and it'd be redundant if it spent a lot of time developing that
GAit1 has quit [Quit: Leaving.]
<e0_>
brg444 What do you mean natively in LN?
<brg444>
well the way I see it LN nodes could leverage the protocol to reinforce the anonymity of their payments, no?
<e0_>
yes, especially when going through a chokepoint that is likely to be a privacy risk
<e0_>
TumbleBit can be used as a tumbler to move Bitcoins to addresses which are hard to link to a user's long term bitcoin identity. We do a mix of 800 input addresses on mainnet. TB as a classic tumbler doesn't have the hard scalability limits of coinjoin-based protocols, allowing much larger anonymity sets.
<waxwing>
it occurs to me that what was previously considered not really relevant (NP completeness of subset sum problem in say coinjoin) might actually be relevant here; because you're not limited to 1 tx, you can create > 500 outputs such that it might be computationally infeasible to link inputs to outputs that way. am i right?
<waxwing>
i suspect in practice, not, but, not sure
<andytoshi>
waxwing: this isn't true of coinjoin even with huge mix sets because you can "peel off" individual transactions, which will be very small, as you infer them
<waxwing>
andytoshi: interesting; wouldn't that apply to any subset-sum solving though?
<brg444>
e0_ have you considered presenting your idea at Scaling Bitcoin Milan :) ?
pavel_ has quit [Quit: Leaving]
paveljanik has joined #bitcoin-wizards
<andytoshi>
e0_: i second brg444's suggestion
<andytoshi>
waxwing: i think so ... i think that subset-sum is actually not that hard unless you really have uniformly random data
<waxwing>
i'm just musing that, with much larger sets, maybe there is some middle ground between "all must be equal for unlinkability" and "not controlled sizes leads to trivial linkability".
<waxwing>
because equal denominations is a bit of a limitation. but maybe, there is nothing there, not sure.
<e0_>
Coinjoin is limited to an anonymity set of roughly ~500 due to max transaction size, but even beyond that getting 200+ users to perform a coinshuffle requires quite a bit of communication (communication costs scale x^2 for the user and x^3 for the coordination mechanism).
<waxwing>
yes, this scales better with the blinding and central counterparty
<e0_>
our analysis assumes same denomination
<waxwing>
e0_: sure, understood, that's what i'm musing about, it adds some practical difficulties, albeit i completely understand that it's natural to consider it a requirement.
<andytoshi>
..lol, i think this is another anonymous paper, i'd forgotten about this one..
<e0_>
It's less of a problem in the payment hub, since you can aggregate single denomination payments.
<e0_>
andytoshi thanks for sending. This looks really interesting. So much good work on bitcoin-talk.
<andytoshi>
yeah, this one seemed like a big deal to me. at the time there was no working coinjoin implementation (i think joinmarket was still several months away) and i think it got sorta buried..
<waxwing>
i love the analogy with block cipher modes, i remember thinking about that a while ago too :)
<andytoshi>
basically what BCM does is gives a round-efficient way for people to basically reshuffle transactions into pairs of equal-denomination ones, which can then be coinjoined (or tumblebitted, or cross-chain swapped, or ...)
<andytoshi>
if you page through the words to the pictures you'll get a good high-level idea of it
<andytoshi>
oh oops, it does more than just pairs
<e0_>
oh neat! TumbleBit is good for unlinkable atomic cross-chain swaps as well.
<andytoshi>
:D
<e0_>
I'm going to start using the phrase tumblebitted thanks to you
<andytoshi>
:D
<waxwing>
tumblewumble?
<gmaxwell>
<> e0_> Coinjoin is limited to an anonymity set of roughly ~500 due to max transaction size, < no it isn't-- you can scale coinjoin to any size by building a switching network.
<e0_>
ha! Good for the next version.
<e0_>
are you talking about combining coinjoins?
<gmaxwell>
I described this in the CJ post,
<gmaxwell>
"In particular, if you have can build transactions with m participants per transaction you can create a sequence of m*3 transactions which form a three-stage switching network that permits any of m^2 final outputs to have come from any of m^2 original inputs (e.g. using three stages of 32 transactions with 32 inputs each 1024 users can be joined with a total of 96 transactions). This allows the
<gmaxwell>
anonymity set to be any size, limited only by participation."
<e0_>
I would call that a system built on top of coinjoin.
<gmaxwell>
I would call that semantics. If it's "on top" or just a native construction would depend on your particular CJ implementation.
<e0_>
It gets confusing if we use coinjoin both to mean the core primitive of a single transaction and a more complicated switching network or other mode of operation which uses that core primitive.
<gmaxwell>
I would call the core primitive a joint transaction.
gielbier has joined #bitcoin-wizards
<gmaxwell>
from the very first message about coinjoin, at least, I was using it to describe the 'end effect' of joint transactions for privacy.
<gmaxwell>
and from the perspective of end users, they don't care if their coinjoin is taking the form of some switching network of transactions.
giel___ has quit [Ping timeout: 244 seconds]
<e0_>
A switching network has different benefits and limitations to a joint transaction. To communicate these differences I use the term coinjoin as I typically see it being used. Do you object to referring to it as a "single transaction coinjoin"?
<fcracker79>
Is there a channel where I can ask about colored coins?
<e0_>
Thanks for pointing that out by the way, I will fix it in the next update to the paper.
<fcracker79>
This one does not seem to be the right one
<fcracker79>
Thanks
<gmaxwell>
e0_: just to be clear, it's not switching network vs joint transaction, it's a switching nework of joint transactions vs a single joint transaction.
laurentmt has quit [Quit: laurentmt]
<gmaxwell>
e0_: The only disadvantages I'm aware of are that coordinating multiple joint transactions may not be possible in some coinjoin negotiation schemes, and that if a participant drops out early in a switching network, it may force an abort and not achieve perfect anonymity... and the modest increase in transaction data, of course.
alfas has joined #bitcoin-wizards
<alfas>
killerstorm on reddit might be able to help you fcracker79
<fcracker79>
alfas: thank you so much!
gielbier has quit [Changing host]
gielbier has joined #bitcoin-wizards
alfas has quit [Client Quit]
BashCo has joined #bitcoin-wizards
pero has joined #bitcoin-wizards
<e0_>
gmaxwell I'd be very interested in seeing coinshuffle++ use a switching network. I played around with the idea.
ThomasV has quit [Ping timeout: 265 seconds]
<e0_>
brg444 thanks for the reddit post and summary.
ThomasV has joined #bitcoin-wizards
<gmaxwell>
re the 'TumbleBit' name, that's an unfortunate connection with money laundering-- which is unfortunate, because these basic privacy tools are basically the opposite of what someone performing money laundering needs. (the purpose of money laundering is to give an apparently lawful origin for unlawful gains)
ThomasV has quit [Ping timeout: 244 seconds]
<e0_>
Do you object to referring to Bitcoin tumblers as tumblers? Is it because washing machines have a tumble dry setting? Bitcoin tumblers are sometimes called mix services but there is movement away from calling them that due to a name collision with Chaumian mixers. What name do you prefer?
<JackH>
Le Mix
<Taek>
maybe joining?
<Taek>
or merging if we don't want conflict with coinjoin, but I think 'join' is a pretty unloaded word
<kanzure>
(naming things is one of those hard problems)
<instagibbs>
any good harry potter terms we could use here
<e0_>
Muffliato
<kanzure>
i fear for what has been unleashed here :)
brg444 has quit [Ping timeout: 264 seconds]
fcracker79 has quit [Quit: Ex-Chat]
paveljanik has quit [Read error: Connection reset by peer]
paveljanik has joined #bitcoin-wizards
paveljanik has joined #bitcoin-wizards
paveljanik has quit [Changing host]
paveljanik has quit [Client Quit]
rusty2 has joined #bitcoin-wizards
<fluffypony>
e0_: can't be worse than "ShufflePuff"
<fluffypony>
it's really hard to force people to think of it as "privacy" and not "anonymity for buying drugs"
<fluffypony>
but I agree with gmaxwell, the subtle implication is important
andytoshi has quit [Read error: Connection reset by peer]
andytoshi has joined #bitcoin-wizards
<Eliel_>
haha, ShufflePuff would actually work as a name for that :D
<andytoshi>
is that used for something already? it actually does have the connotations you want, hufflepuff was the house of hardworking people who were not interested in doing reckless or evil things
<e0_>
=)
<fluffypony>
andytoshi: yes
<fluffypony>
it's used for Mycelium's CoinShuffle implementation
<fluffypony>
why they needed to give it a name besides "CoinShuffle" is beyond me
<andytoshi>
damn, it's good
<e0_>
Really excited for shufflepuff, might try running it over the weekend.