It is a very common misconception that the upcoming Taproot upgrade helps CoinJoin.
TLDR: The upcoming Taproot upgrade does not help equal-valued CoinJoin at all, though it potentially increases the privacy of other protocols, such as the Lightning Network and escrow contract schemes.
If you want to learn more, read on!
Let's start with equal-valued CoinJoins, the type JoinMarket and Wasabi use. What happens is that some number of participants agree on a common value that all of them use. With JoinMarket the taker defines this value and pays the makers to agree to it; with Wasabi the server defines a value of approximately 0.1 BTC.
Then, each participant provides inputs that they unilaterally control, totaling at least the common value. Since each input is unilaterally controlled, each input typically requires just a singlesig. Each participant also provides up to two addresses they control: one of these will be paid the common value, while the other will receive any extra value in the inputs they provided (i.e. the change output).
The participants then make a single transaction that spends all the provided inputs and pays out to the appropriate outputs. The inputs and outputs are shuffled in some secure manner. Then the unsigned transaction is distributed back to all participants.
Finally, each participant checks that the transaction spends the inputs it provided (and more importantly does not spend any other coins it might own that it did not provide for this CoinJoin!) and that the transaction pays out to the appropriate address(es) it controls. Once they have validated the transaction, they ratify it by signing for each of the inputs they provided.
Once every participant has provided signatures for all the inputs it registered, the transaction is completely signed and the CoinJoin transaction can now validly be confirmed.
CoinJoin is a very simple and direct privacy boost: it requires no SCRIPTs, needs only singlesig, etc.
Let's say we have two participants who have agreed on a common amount of 0.1 BTC. One provides a 0.105 coin as input, the other provides a 0.114 coin as input. This results in a CoinJoin with a 0.105 coin and a 0.114 coin as input, and outputs with 0.1, 0.005, 0.014, and 0.1 BTC.
Now obviously the 0.005 output came from the 0.105 input, and the 0.014 output came from the 0.114 input.
But the two 0.1 BTC outputs cannot be correlated with either input! There is no correlating information, since either output could have come from either input. That is how common CoinJoin implementations like Wasabi and JoinMarket gain privacy.
Unfortunately, large-scale CoinJoins like those made by Wasabi and JoinMarket are very obvious.
All you have to do is look for transactions where, say, more than 3 outputs have the same value, and the number of inputs is equal to or larger than the number of equal-valued outputs. Thus, it is trivial to identify equal-valued CoinJoins made by Wasabi and JoinMarket. You can even trivially tell them apart: Wasabi equal-valued CoinJoins have a hundred or more inputs, with outputs in units of approximately 0.1 BTC, while JoinMarket CoinJoins have fewer than a dozen equal-valued outputs (usually between 4 and 6), with the common value varying wildly from as low as 0.001 BTC to as high as a dozen BTC or more.
This has led a number of anti-privacy exchanges to refuse to credit custodially-held accounts if the incoming deposit is within a few hops of an equal-valued CoinJoin, usually citing concerns about regulations. Crucially, the exchange continues to hold the private keys for those "banned" deposits, and can still spend them, so this is effectively a theft. If your exchange does this to you, you should report that exchange as stealing money from its customers. Not your keys, not your coins.
Thus, CoinJoins represent a privacy tradeoff:
- It's very hard for everyone else to determine which output belongs to which input.
- It's obvious to everyone else that the output was involved in a mixing operation.
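The construction above (inputs, one common-value output and one change output per participant, shuffled), the two-party 0.105/0.114 example, and the amount-only heuristic that makes such joins obvious, as an added example that is not code from the original post or from JoinMarket or Wasabi. Amounts, participants and the `spend_type` labels are constructed; the labels exist only to show that the heuristic never looks at the input type, so Taproot keypath inputs change nothing.

```python
"""Equal-valued CoinJoin construction plus the amount-only heuristics the post describes.

Added example, not code from the original post or from JoinMarket/Wasabi.
Amounts are satoshis, transactions are plain dicts, fees are ignored, and every
participant and value below is constructed. The "spend_type" label on inputs is
there only to show that the heuristics never read it: singlesig and Taproot
keypath inputs are treated identically, which is the post's point.
"""
import random
from collections import Counter

COIN = 100_000_000  # satoshis per BTC
COMMON = COIN // 10  # the 0.1 BTC common value from the post's example


def build_coinjoin(participants, common_value, rng=None):
    """Build an unsigned equal-valued CoinJoin with shuffled inputs and outputs.

    participants: list of {"inputs": [sats, ...], "mix_addr": str,
                           "change_addr": str, "spend_type": str}
    Each participant gets one output of common_value and, if its inputs exceed
    that, a change output for the difference.
    """
    rng = rng or random.Random(0)  # fixed seed keeps the demo deterministic
    inputs, outputs = [], []
    for p in participants:
        total = sum(p["inputs"])
        if total < common_value:
            raise ValueError(f"{p['mix_addr']}: {total} sat is below the common value")
        inputs.extend({"value": v, "spend_type": p["spend_type"]} for v in p["inputs"])
        outputs.append({"value": common_value, "address": p["mix_addr"]})
        if total > common_value:
            outputs.append({"value": total - common_value, "address": p["change_addr"]})
    rng.shuffle(inputs)
    rng.shuffle(outputs)
    return {"inputs": inputs, "outputs": outputs}


def looks_like_equal_valued_coinjoin(tx, min_equal_outputs=4):
    """The post's heuristic: more than 3 outputs share one value and the input
    count is at least that number. Returns (flagged, shared_value_or_None)."""
    counts = Counter(o["value"] for o in tx["outputs"])
    if not counts:
        return False, None
    value, n = counts.most_common(1)[0]
    flagged = n >= min_equal_outputs and len(tx["inputs"]) >= n
    return flagged, (value if flagged else None)


def link_change_outputs(tx, common_value):
    """The "0.005 obviously came from 0.105" observation: a change output whose
    value plus the common value equals some input value is linked to that input.
    Returns {change_value: input_value}; common-value outputs get no entry
    because every input is an equally plausible source for them."""
    input_values = {i["value"] for i in tx["inputs"]}
    links = {}
    for o in tx["outputs"]:
        if o["value"] != common_value and o["value"] + common_value in input_values:
            links[o["value"]] = o["value"] + common_value
    return links


def participant(k, sats, spend_type):
    """Constructed participant with a single input of `sats` satoshis."""
    return {"inputs": [sats], "mix_addr": f"{k}_mix", "change_addr": f"{k}_chg",
            "spend_type": spend_type}


def demo():
    """The post's two-party example, a five-party join, and an ordinary payment."""
    two_party = build_coinjoin([participant("A", 10_500_000, "p2wpkh"),
                                participant("B", 11_400_000, "p2tr_keypath")], COMMON)
    five_party = build_coinjoin(
        [participant(f"P{k}", COMMON + 1_000 * k, "p2tr_keypath" if k % 2 else "p2wpkh")
         for k in range(1, 6)], COMMON)
    payment = {"inputs": [{"value": 2 * COIN, "spend_type": "p2wpkh"}],
               "outputs": [{"value": 150_000_000, "address": "merchant"},
                           {"value": 50_000_000, "address": "change"}]}
    return {
        "two_party_links": link_change_outputs(two_party, COMMON),
        "two_party_flagged": looks_like_equal_valued_coinjoin(two_party)[0],
        "five_party_flagged": looks_like_equal_valued_coinjoin(five_party)[0],
        "payment_flagged": looks_like_equal_valued_coinjoin(payment)[0],
    }
```

Note that the two-party join is not flagged by the "more than 3" rule, but its change outputs are still linkable; the five-party join is flagged purely from amounts and input count.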
Let's now briefly discuss that nice new shiny thing called Taproot.
Taproot includes two components:
- The use of a Schnorr-based signature scheme, with multisignature support. Spending from a Schnorr pubkey is called a "keypath spend".
- The ability to secretly commit to a set of scripts, one of which can be revealed later and its inputs provided correctly in order to spend the coin. Spending via a hidden script is called a "scriptpath spend".
This has some nice properties:
- Direct multisignature support means all multisignature uses look the same. In current Bitcoin, a 2-of-2 "multisignature" is really a script which demands that two signatures be provided, from 2 different pre-specified public keys. To a cryptographer, the strict definition of multisignature is that this is a single signature that is cooperatively created by multiple parties.
- A typical minimal "multisig" setup would be a 2-of-3, because that lets you lose one signing device while still being able to keep access to your money, and still providing an increase in security relative to a singlesig, since a 2-of-3 requires that potential thieves abscond with at least two signing devices. In current Bitcoin, a 2-of-3 is a SCRIPT containing 3 public keys, requiring that two signatures from those three public keys be provided.
- But a Lightning Network channel has exactly two participants. Thus, it uses a 2-of-2, and is a SCRIPT containing 2 public keys, requiring that two signatures from those public keys be provided. If you look for 2-of-2 spends on the blockchain after Lightning became cool, the chances are very good that a random 2-of-2 spend is a Lightning Network channel being closed, because there are hardly ever any other uses of 2-of-2.
- Just from there, you can easily differentiate the most common HODLer multisig of 2-of-3 (SCRIPT contains 3 pubkeys) from the Lightning channel 2-of-2 (SCRIPT contains 2 pubkeys).
- Fortunately, with Taproot, 2-of-3 and 2-of-2 (and any arbitrary k-of-n) can look exactly the same, because Schnorr allows for the cryptographer's strict definition of "multisignature": a single signature cooperatively created by multiple parties.
- Complex SCRIPTs, like HTLCs, can be hidden in a Taproot output.
- For example, the output can have a keyspend branch that is an n-of-n of all participants, with hidden SCRIPTs that encode the conditions under which the output can be spent.
- The hidden SCRIPTs ensure that the protocol is followed. If one of the participants drops from the protocol, the rest can reveal the hidden SCRIPTs and follow their conditions.
- If everyone follows the protocol correctly, and agrees to the result, they can all cooperatively sign with the keyspend n-of-n. They can just all agree on what the result of the SCRIPTs would be, and sign a transaction that performs that, without revealing any SCRIPTs. Since all of them agreed on the result, nobody should complain (if one of them believes the result is not correct, they can just refuse to sign and force everyone else to publish the SCRIPTs onchain).
- If everyone agrees, they get privacy: none of the SCRIPTs they were following ever get published onchain, and it looks like every other multisignature spend.
Taproot DOES NOT HELP CoinJoin
So let's review!
- CoinJoin inputs are singlesig.
- There are no SCRIPTs involved in CoinJoin.
- Taproot improves multisig privacy.
- Taproot improves SCRIPT privacy.
There is absolutely no overlap. Taproot helps things that CoinJoin does not use. CoinJoin uses things that Taproot does not improve.
B-but They Said!!
A lot of early reporting on Taproot claimed that Taproot benefits CoinJoin.
What they are confusing is that earlier drafts of Taproot included a feature called cross-input signature aggregation.
In current Bitcoin, every input to be spent has to be signed individually. With cross-input signature aggregation, all inputs that support this feature are signed with a single signature that covers all of them. So, for example, if you spend two inputs, current Bitcoin requires a signature for each input, but with cross-input signature aggregation you can sign both of them with a single signature. This works even if the inputs have different public keys: two inputs with cross-input signature aggregation effectively define a 2-of-2 public key, and you can only sign for that combined key if you know the private keys for both inputs, or if you are cooperatively signing with somebody who knows the private key of the other input.
This helps CoinJoin costs. Since CoinJoins will have lots of inputs (each participant will provide at least one, and probably will provide more, and larger participant sets are better for more privacy in CoinJoin), if all of them enabled cross-input signature aggregation, such large CoinJoins can have only a single signature.
This complicates the signing process for CoinJoins (the signers now have to sign cooperatively) but it can be well worth it for the reduced signature size and onchain cost.
But note that while cross-input signature aggregation improves the cost of CoinJoins, it does not improve the privacy! Equal-valued CoinJoins are still obvious and still readily bannable by privacy-hating exchanges. Instead, see https://old.reddit.com/Bitcoin/comments/gqb3udesign_for_a_coinswap_implementation_fo
Why isn't cross-input signature aggregation in?
There are some fairly complex technical reasons why cross-input signature aggregation isn't in the current Taproot proposal.
The primary reason was to reduce the technical complexity of Taproot, in the hope that it would be easier to convince users to activate (while support for Taproot is quite high, developers have become wary of being hopeful that new proposals will ever activate, given the previous difficulties with SegWit).
The main technical complexity here is that it interacts with future ways to extend Bitcoin.
The rest of this writeup assumes you already know how Bitcoin SCRIPT works. If you don't understand how Bitcoin SCRIPT works at the low level, then the TLDR is that cross-input signature aggregation complicates how to extend Bitcoin in the future, so it was deferred to let the developers think more about it.
(This is how I understand it; perhaps pwuille can give a better summary.)
In detail, Taproot also introduces OP_SUCCESS opcodes. If you know about the OP_NOP opcodes already defined in current Bitcoin, well, OP_SUCCESS is basically "OP_NOP done right".
Now, OP_NOP is a do-nothing operation. It can be replaced in future versions of Bitcoin by having that operation check some condition, and then fail if the condition is not satisfied. For example, both OP_CHECKLOCKTIMEVERIFY and OP_CHECKSEQUENCEVERIFY were previously OP_NOP opcodes. Older nodes will see an OP_CHECKLOCKTIMEVERIFY and think it does nothing, but newer nodes will check that the nLockTime field has the specified value, and fail if the condition is not satisfied. Since most of the nodes on the network are running much newer versions of the node software, older nodes are protected from miners who try to misspend any OP_CHECKLOCKTIMEVERIFY/OP_CHECKSEQUENCEVERIFY, and those older nodes still remain capable of syncing with the rest of the network: a dedication to strict backward compatibility that is necessary for a consensus system.
Softforks basically mean that a script that passes in the latest version must also be passing in all older versions. A script cannot be passing in newer versions but failing in older versions, because that would kick older nodes off the network (i.e. it would be a hardfork).
But OP_NOP is a very restricted way of adding opcodes. Opcodes that replace OP_NOP can only do one thing: check if some condition is true. They can't push new data on the stack, they can't pop items off the stack. For example, suppose instead of OP_CHECKLOCKTIMEVERIFY, we had added a OP_GETBLOCKHEIGHT opcode. This opcode would push the height of the blockchain on the stack. If this command replaced an older OP_NOP opcode, then a script like OP_GETBLOCKHEIGHT 650000 OP_EQUAL might pass in some future Bitcoin version, but older versions would see OP_NOP 650000 OP_EQUAL, which would fail because OP_EQUAL expects two items on the stack. So older versions will fail a SCRIPT that newer versions will pass, which is a hardfork and thus a backwards incompatibility.
OP_SUCCESS is different. Old nodes, when parsing the SCRIPT, will see OP_SUCCESS and, without executing the body, will consider the SCRIPT as passing. So the OP_GETBLOCKHEIGHT 650000 OP_EQUAL example will now work: a future version of Bitcoin might pass it, and existing nodes that don't understand OP_GETBLOCKHEIGHT will see OP_SUCCESS 650000 OP_EQUAL, and will not execute the SCRIPT at all, instead passing it immediately. So a SCRIPT that might pass in newer versions will pass for older versions, which keeps the backward-compatibility guarantee that a softfork needs.
So how does OP_SUCCESS make things difficult for cross-input signature aggregation? Well, one of the ways to ask for a signature to be verified is via the opcode OP_CHECKSIGVERIFY. With cross-input signature aggregation, if a public key indicates it can be used for cross-input signature aggregation, then instead of OP_CHECKSIGVERIFY actually requiring the signature on the stack, the stack will contain a dummy 0 value for the signature, and the public key is instead added to a "sum" public key (i.e. an n-of-n that is dynamically extended by one more pubkey for each OP_CHECKSIGVERIFY operation that executes) for the single signature that is verified later by the cross-input signature aggregation validation algorithm.
The important part here is that the OP_CHECKSIGVERIFY has to execute in order to add its public key to the set of public keys checked by the single signature.
But remember that an OP_SUCCESS prevents execution! As soon as the SCRIPT is parsed, if any opcode is OP_SUCCESS, that is considered as passing, without actually executing the SCRIPT, because the OP_SUCCESS could mean something completely different in newer versions and current versions should assume nothing about what it means. If the SCRIPT contains some OP_CHECKSIGVERIFY command in addition to an OP_SUCCESS, that command is not executed by current versions, and thus they cannot add any public keys given by OP_CHECKSIGVERIFY. Future versions also have to accept that: if they parsed an OP_SUCCESS command that has a new meaning in the future, and then execute an OP_CHECKSIGVERIFY in that SCRIPT, they cannot add the public key into the same "sum" public key that older nodes use, because older nodes cannot see them. This means that you might need more than one signature in the future, in the presence of an opcode that replaces some OP_SUCCESS.
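The OP_NOP versus OP_SUCCESS upgrade paths, and the reason OP_SUCCESS gets in the way of cross-input signature aggregation, as an added toy model that is not part of the original post and is not real Bitcoin Script. OP_GETBLOCKHEIGHT is the post's hypothetical opcode, `block_height` is a constructed context value, and the "sum" key is modelled as the list of pubkeys that executed OP_CHECKSIGVERIFY ops contribute to it; no cryptography is performed.

```python
"""Toy model of the two soft-fork upgrade paths the post contrasts: OP_NOP vs OP_SUCCESS.
Added example, not part of the original post and not real Bitcoin Script. A script is a
list of pushes (ints or strings) and opcode names starting with "OP_". OP_GETBLOCKHEIGHT
is the hypothetical opcode from the post, block_height is a constructed context value,
and the "sum" key of cross-input signature aggregation is modelled as the list of pubkeys
that executed OP_CHECKSIGVERIFY ops contribute to it (no real cryptography happens here).
"""


class ScriptFailure(Exception):
    """Raised when a node would reject the script."""


def is_opcode(tok):
    return isinstance(tok, str) and tok.startswith("OP_")


class Node:
    """A node knowing some opcodes. An unknown opcode decodes to the placeholder it was
    soft-forked out of: OP_NOP (pre-Taproot style) or OP_SUCCESS (Taproot style)."""

    def __init__(self, known_opcodes, placeholder):
        self.known = set(known_opcodes)
        self.placeholder = placeholder

    def decode(self, tok):
        return tok if not is_opcode(tok) or tok in self.known else self.placeholder

    def evaluate(self, script, block_height):
        """Return (passed, agg_keys): the verdict plus the pubkeys this node would fold
        into the aggregated signature's "sum" key."""
        agg_keys = []
        ops = [self.decode(tok) for tok in script]
        # Parse-time rule: any OP_SUCCESS makes the script pass unexecuted, so no
        # OP_CHECKSIGVERIFY runs and agg_keys stays empty.
        if "OP_SUCCESS" in ops:
            return True, agg_keys
        try:
            self._execute(ops, block_height, agg_keys)
        except ScriptFailure:
            return False, agg_keys
        return True, agg_keys

    def _execute(self, ops, block_height, agg_keys):
        stack = []
        for op in ops:
            if not is_opcode(op):
                stack.append(op)
            elif op == "OP_NOP":
                pass  # do nothing, exactly as the post describes
            elif op == "OP_GETBLOCKHEIGHT":
                stack.append(block_height)
            elif op == "OP_EQUAL":
                if len(stack) < 2:
                    raise ScriptFailure("OP_EQUAL: stack underflow")
                stack.append(1 if stack.pop() == stack.pop() else 0)
            elif op == "OP_CHECKSIGVERIFY":
                if len(stack) < 2:
                    raise ScriptFailure("OP_CHECKSIGVERIFY: stack underflow")
                pubkey, sig = stack.pop(), stack.pop()
                if sig != 0:  # aggregated inputs carry a dummy 0 signature
                    raise ScriptFailure("expected dummy signature 0")
                agg_keys.append(pubkey)  # pubkey joins the dynamically grown n-of-n
            else:
                raise ScriptFailure(f"unknown opcode {op}")
        if not stack or stack[-1] == 0:
            raise ScriptFailure("script ended with false on the stack")


BASE = {"OP_NOP", "OP_SUCCESS", "OP_EQUAL", "OP_CHECKSIGVERIFY"}
HEIGHT_SCRIPT = ["OP_GETBLOCKHEIGHT", 650_000, "OP_EQUAL"]
AGG_SCRIPT = [0, "pk_A", "OP_CHECKSIGVERIFY", "OP_GETBLOCKHEIGHT", 650_000, "OP_EQUAL"]


def softfork_outcomes(block_height=650_000):
    """Soft-fork rule: whatever a new node passes, an old node must also pass. Upgrading
    through OP_NOP breaks that; upgrading through OP_SUCCESS keeps it."""
    new = Node(BASE | {"OP_GETBLOCKHEIGHT"}, "OP_SUCCESS")
    return {"new_node": new.evaluate(HEIGHT_SCRIPT, block_height)[0],
            "old_node_via_OP_NOP": Node(BASE, "OP_NOP").evaluate(HEIGHT_SCRIPT, block_height)[0],
            "old_node_via_OP_SUCCESS": Node(BASE, "OP_SUCCESS").evaluate(HEIGHT_SCRIPT, block_height)[0]}


def aggregation_outcomes(block_height=650_000):
    """Both nodes pass AGG_SCRIPT, but the old node never executed OP_CHECKSIGVERIFY, so
    its "sum" key lacks pk_A: the two would have to verify different aggregate signatures."""
    new = Node(BASE | {"OP_GETBLOCKHEIGHT"}, "OP_SUCCESS")
    return {"new_node": new.evaluate(AGG_SCRIPT, block_height),
            "old_node": Node(BASE, "OP_SUCCESS").evaluate(AGG_SCRIPT, block_height)}
```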
Thus, because of the complexity of making cross-input signature aggregation work compatibly with future extensions to the protocol, cross-input signature aggregation was deferred.
By Ignat Shestakov
Fake news technologies are becoming more sophisticated, partly owing to the support of Hollywood. Furthermore, the simplest methods of disinformation are getting more and more efficient. Izvestia has figured out why the oldest heads of this monster can never be chopped off.
“The oldest heads” are the websites containing compromising material, which make money from customers wishing to ruin the lives of their competitors, and from those competitors, who are willing to pay to remove publications about themselves, of varying degrees of reliability, from the Internet.
And we are not even talking about such veterans of information warfare as the site compromat.ru, created in 1999 and blocked in 2017 but still perfectly functional, but rather about short-lived web pages that get created as quickly as they are deleted. Their editorial staff sometimes publishes damaging information not even on request, but simply to keep up with other teams.
Kompromat as a business
Entrepreneur Yuri Mosha has had to deal with compromising materials published on the Internet several times. According to him, back in the early 2010s, such things were done by single websites, unrelated to one another. Some of them positioned themselves as official mass media with editorial staff and real legal addresses. “At that time, we could fight it. We contacted those sites and threatened them with filing court claims. In most cases, it helped, because they were afraid of responsibility,” Mosha told Izvestia.
A new wave of compromising material against the entrepreneur, who makes money by helping those wishing to move to the United States from the former Soviet Union countries, emerged two years ago. He tried to make a deal with the sites or to put pressure on them through lawyers. But this time it was all pointless: “Now this is big business, and there are groups that have hundreds of websites with dummy registrations.”
Mosha contacted several owners of websites containing compromising materials by mail. Some of them were ready to delete publications for $7,000, others for $20,000. Ordering publication of material damaging a competitor is cheaper, from $50,000 to $5,000. “You send an e-mail. They answer: ‘No problem, here’s a bitcoin wallet, transfer the money and I’ll delete the post.’ At the same time each group attaches a list of their sites to an email,” the entrepreneur said. He did not pay anything.
I found a dark PR man, whom I paid in the end, however, not for removing materials, but for his advice. His first advice was: you should not pay anyone. As soon as you pay, they will understand that you are ready to do it, and you will keep paying for the rest of your life. And even if they play fair and delete you from one site, they will post you on 50 others. He told me: “You see, we all know each other, and we are retyping all publications. As soon as information appears on one resource, the robot transfers it to others. And if a person pays [an owner of one website containing compromising material], he will start to pay everyone.”
His second hint was that suing them is useless. Because when there is a court decision, if Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) blocks it (only) on the territory of the Russian Federation, they will see that you are fighting with them, and will publish even more information about you.
Third, he said that the target must be not the sites, but Google and Yandex. As he said, they exist due to the support from Google and Yandex. Those two are just like salesmen in a gun shop who sell rifles to buyers who say they will shoot people in the street. They [search engines] do not fight against this [compromising material] at all. Before the lawsuit [with the search engines] I myself sent them information [about compromising material]. I attached a police clearance certificate, a residence permit, confirmation of citizenship. After that I had to go to court.
Now Yuri Mosha is negotiating a settlement with Yandex and is suing Google. Read about the difficulties faced by the entrepreneur and other people trying to remove information about themselves from the Internet (especially not from the Internet segment of one country) through court action here.
Making business on a kompromat business
In recent years, several companies have emerged in the Russian Internet segment that earn money by helping people remove information about themselves from search engines, social networks and mass media. They would not be able to make money if the laws on the right to be forgotten worked well.
Here it should be mentioned that such laws exist in different forms in many countries, and Russia lags behind its neighbors: there the law only entered into force in 2016. In 2014, the Court of Justice of the European Union adopted a decision according to which users, in some cases, have the right to request that a search engine remove their personal data from search results. And the preconditions for this right were already established in the Convention on Human Rights, which entered into force in 1953. In the United States, such cases typically cite Section 230 of the Communications Decency Act of 1996.
So, it is difficult and time-consuming to obtain a court decision to get data removed from search engines. According to Yandex statistics, the company satisfied 27% of processed requests within three months from the date when the law on the right to be forgotten entered into force (that is, from January to March 2016). Google has more representative statistics, which, moreover, have been collected since 2014.
That is why there are companies that resolve such issues avoiding judicial proceedings. They do not remove links to negative publications from search engines, but instead ensure that first pages of the search contain links to positive publications. They negotiate with social networks, contact websites and sometimes pay them.
The founder of one such company, Maxim Zlobin, told VC.RU that he first worked with company leaders, government officials and parliamentarians. But over time, he also started to work with individuals.
Maxim Zlobin, the ISN founder:
Once, a woman from Makhachkala contacted us. Hardly speaking Russian, she asked us to delete information about her sole proprietorship. At first, we could not understand why she needed this because search engines only showed records about the liquidation of the sole proprietorship. But then it appeared that her sole proprietorship had a code of the Russian National Classifier of Economic Activities (OKVED) referring to “Activities of massage parlors”. And although the woman did not provide any massage services to men (for religious reasons), if it became known to her relatives, she would be “forever covered with shame.” To remove this information, we partially used passages of the law on insulting the feelings of believers on the verge of the right to be forgotten.
Now half of Zlobin’s clients are businessmen, 30% are politicians, and 20% are public figures or individuals.
If you can’t delete it, take the lead
There are three methods the businessman uses in his work. The first one is negotiations, including offering money to web-platforms for removing negative publications. But, as noted by Yuri Mosha, this method is associated with high risks, including, first of all, the risk of the Streisand effect when the fact of an appeal may become a reason for new material. Second, there is a risk of getting into bondage when the payments to the web platform would become regular.
Prices for publication of the compromising material that the founder of ISN deals with are lower than those Mosha faced. Publishing information with a link to a foreign site (containing the compromising information) costs €600–800. This allows the Russian kompromat trash hole to avoid any responsibility for the publication. At the same time, deleting one publication costs from 5,000 to 600,000 rubles, that is, from $100 to about $10,000.
Therefore, the businessman considers the second method — work with search results — to be the most effective. Whitewashing articles about the client get posted and promoted in search engines. Thanks to this, the tarnishing publications move down to other pages of search results.
And the third way is a legal battle. When it comes to search engines, the right to be forgotten is used for this, but the common idea is that even if “there is some success in the court, in order to remove the information, you will have to go straight to the Constitutional Court”. Zlobin’s experts also use the law on personal data, which, in particular, states that no information about citizens of the Russian Federation can be stored and processed on the servers of foreign companies without the consent of these people. With social networks, according to Zlobin’s experience, it is often possible to reach an agreement provided that there is reasonable proof that the compromising material is fabricated.
Kompromat on a business on a kompromat business
However, all this is useless, as Yuri Mosha noted with regret. Faced with the problem of kompromat, he contacted several companies of this kind. He did not mention ISN among those in his interview with Izvestia’s correspondent, however. And those he had contacted left him disappointed.
Yuri Mosha, an entrepreneur:
They cannot do anything. Some of them need a court decision. Others say, “We’re going to overlay [the negative content] with a positive one.” But I create such content myself, I have 5 thousand videos uploaded on YouTube, and it still doesn’t work.
All these companies are just scammers. They can’t do anything. I contacted one site [containing compromising material]. They said: half bitcoin [for deleting publications]. Then I contacted a company. They told me they would call back. They did call back and promised to solve the problem for one bitcoin.
Short-lived websites publishing compromising material of varying degrees of truthfulness represent the ultimate expression of the fake news industry. Unlike the Hollywood-sponsored fake video technology, which (so far) takes resources and time, a site with catchy headlines can be created in several hours. And it can be removed from the Internet just as easily, as happened, for example, with ostorozhno.ru.
The Site on Dangerous Connections, as its authors introduced it, appeared in 2008. It published a standard set of material compromising politicians, including those of the Ural region, wrote URA.RU. Now the website link leads to a Riga travel guide with text stolen from a real travel site and ridiculous low-resolution photographs. It is quite obvious that when the money for the removal of the compromising material arrived, the creators simply covered it with a previously prepared dummy. And when a new order arrives, they will again remove it and continue to earn on lies.
Because it is so easy to create, remove, and reproduce such sites, they cannot be defeated. The University of Oxford recently published a report on the fight against fake news in various, primarily European, countries.
The governments of all these countries do not make any attempts to counteract the sites posting compromising material. Because they just cannot. Most are trying to shift the responsibility onto social media. For example, in Germany, Facebook is threatened with a fine of up to €50 million if "obviously illegal" content is not removed within 24 hours. In some other countries, like Turkey or Bulgaria, according to the authors, the fight against fake news simply justifies the pressure on the opposition. And only two European countries, Sweden and Holland, came to an idea of teaching people to distinguish between rumors and the truth. Other countries, in contrast, just keep prohibiting things without obtaining any reasonable effect of this.
Hello, I was having trouble understanding how to calculate bitcoin profit/loss. Can someone help a dummy like me?
I own about 308$ of bitcoin right now (.03556581 BTC)
I originally bought it for 500$ in the past.
Anyway, if my 308$ worth of bitcoin is when bitcoin is at $8627.29, what is my bitcoin worth if it went up to, let's say, somehow a million!