BITMINGLE REID BIXLER AND CARTER HALL


Post on 18-Jan-2018


Page 1: BITMINGLE REID BIXLER AND CARTER HALL. BACKGROUND Unlinkability – Input and Output must be unlinkable Verifiability – Attacker must not be able to steal

BITMINGLE

REID BIXLER AND CARTER HALL


BACKGROUND

• Unlinkability – Input and Output must be unlinkable
• Verifiability – Attacker must not be able to steal honest coins
• Robustness – Protocol should succeed in presence of malicious participants
• Compatibility – Must work on top of Bitcoin network
• Incentivized Fees – Introduce fees for incentivizing lenders to join
• Efficiency – Users with restricted resources should be able to run it


COINSHUFFLE

• Protocol:
  • Announcement
  • Shuffling
  • Transaction Verification


BITMINGLE!

[Figure: five 10 BTC inputs (IA, IE1, IE2, IE3, IE4) enter the MINGLE TX; outputs are five 9 BTC launder outputs (LA, LE1, LE2, LE3, LE4) and four 1.25 BTC fee outputs (FE1, FE2, FE3, FE4)]


HOW TO MINGLE

• Create a network available to all Bitcoin users
• Become one of two ‘minglers’
  • Launderer (MA)
  • Lender (ME)
• Ability to broadcast intent/availability


LAUNDERER (MA) CREATES A MINGLE

• Set by Launderer
  • Mingle Size (S) – Required number of participants to start the mingle (includes MA)
  • Expiration (E) – Amount of time the launderer is willing to wait for S participants
    • Will cancel broadcast if expiration is reached
  • Required Input (RI) – Specific amount of Bitcoin MA wants to launder
  • Fee (F) – Percentage of RI that MA is willing to pay to create the mingle
  • # Output Addresses (O) – Number of output addresses required per participant
• Broadcasts Mingle to network seeking Lenders to achieve Mingle Size
• Once Mingle Size is reached, automatically create Mingle Transaction


LENDERS (ME) SEARCH FOR MINGLES

• Search across network for criteria
  • Required Input – How much the lender must have to join in the mingle
  • Lender Gain – How much the lender will get for participating in the mingle
    • Equal to (The launderer will not gain and is included in MingleSize)
  • Current Mingle Size – How many participants are currently waiting for the mingle
  • # Output Addresses – How many output addresses the lender must have available
    • Must not be the same as input address
• If found appropriate Mingle, join until completion or expiration


REQUIREMENTS OF A MINGLE TRANSACTION

• Inputs must all be equal in size (N total)
• Outputs per participant will be broken into 2 categories
  • Launder Outputs – Equal to (N × #OutputAddr total)
  • Fee Outputs – Equal to (N-1 total)


MINGLE TRANSACTION VISUALIZATION

Required Input = 10 BTC
Fee = 10%
Mingle Size = 5
# Output Address = 1

[Figure: five 10 BTC inputs (IA, IE1, IE2, IE3, IE4) enter the MINGLE TX; outputs are five 9 BTC launder outputs (LA, LE1, LE2, LE3, LE4) and four 1.25 BTC fee outputs (FE1, FE2, FE3, FE4)]

Launder Outputs =
Fee Outputs =

#LO = MingleSize * #OutputAddr = 5
#FO = MingleSize – 1 = 4

IX = Input Address of X
LX = Launder Address of X
FX = Fee Address of X
A = Launderer
E1-4 = Lenders 1-4


LAUNDERER INCENTIVES

• In charge of mingle characteristics
  • Sets size, fee, expiration, output addresses
• Decentralized
  • No central authority controlling the details of the mixing
• Maximized anonymity
  • Increased size = More inputs/outputs
  • Variable fee = Difficult to compare
  • Increase output addresses = More outputs, difficult to track
  • No trackable lender fee
• Speed of Transaction
  • Small Required Input = Many Lenders
  • Small Mingle Size = Minimize Wait Time
  • Increased Fee = Quicker Accepts


LENDER INCENTIVES

• $$$ MAKIN DAT MONAY $$$
• Also mixes most of your Bitcoin
  • Lender addresses are ‘easier’ to track because always will be least/smallest outputs
• Quick transactions -> More Mingles -> More Money


RESTRICTIONS/REQUIREMENTS

• All inputs must be the same (Anonymity)
• All related outputs must be the same (including if multiple outputs) (Anonymity)
  • E.g. if RI = 10 BTC and MA wants 3 OA each getting 2, 3, and 4 BTC, then all participants must also get exactly 2, 3, and 4 BTC in their Launder Addresses (including fee outputs)
• Minimum Lender Gain (To prevent attacks)
  • (where # Lenders = Mingle Size – 1)
  • At the moment, 0.001 or 0.1% Lender Gain
  • Could change to maximize usage of BitMingle
    • (i.e. too low = not enough lenders, too high = not enough launderers)
• Minimum Fee/Required Input (To prevent attacks)
  • Must be larger than transaction fee


THINGS TO WORK ON BEFORE REPORT

• Calculate better values for Minimum Lender Gain
• Formalize into a paper
  • Prove keeps to wanted traits
  • Prove anonymity
  • Compare to current protocols
• Create a working implementation???
  • (Sell to Google for 1,000,000 BTC)


QUESTIONS?