Samourai Wallet Releases Privacy-Enhancing CoinJoin Feature (#GotBitcoin?)
Samourai Wallet has unveiled a beta version of Whirlpool, a CoinJoin service that enhances transaction privacy. The company previously said that Whirlpool would be released to operate on Dojo, a long-awaited bitcoin full node built to work with the wallet.
This feature breaks the on-chain link between a sender's coins and the recipient's, which makes the flow of funds difficult to trace. Samourai, a leading wallet service, is providing an easy-to-adopt layer of financial privacy for mainstream bitcoin users – and is emerging as one of the first companies to provide this technology.
CoinJoin, first proposed by Gregory Maxwell in 2013, is an anonymization technique in which several users combine their inputs and outputs into a single bitcoin transaction, so an outside observer cannot tell which input paid which output. The “Chaumian CoinJoin” variant adds Chaum blind signatures: a coordinator blind-signs each participant's output registration, so it can assemble the joint transaction without itself learning which output belongs to which input.
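The flow just described, as an added example written for this page (it is not Samourai's Whirlpool or ZeroLink code). A coordinator blind-signs each participant's output registration during input registration, then accepts outputs in a second, anonymous phase and checks only the unblinded signature. Assumptions for the sake of a self-contained script: a toy RSA key built from two Mersenne primes, SHA-256 as a stand-in full-domain hash, an equal-denomination rule so that amounts cannot link inputs to outputs, and placeholder UTXO and address identifiers; a real coordinator would also verify input ownership and run output registration over fresh Tor circuits.

```python
import hashlib
import math
import secrets

# Coordinator RSA key. Demo modulus built from the Mersenne primes 2^61-1 and 2^89-1
# (an assumption for a self-contained example; real deployments use >= 2048-bit keys).
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

def h2i(data: bytes) -> int:
    """Full-domain-hash stand-in: map an output registration to an integer mod RSA_N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N

class Coordinator:
    """Chaumian CoinJoin coordinator (modelled here, not Samourai's code).
    Phase 1 sees inputs with identities; phase 2 sees outputs arriving anonymously.
    The blind signature is the only thing tying the phases together, and the
    coordinator never saw the message it signed, so it cannot link input to output."""

    def __init__(self, denomination):
        self.denomination = denomination
        self.inputs = []          # (utxo_id, amount), identity-linked
        self.outputs = []         # fresh output addresses, order unrelated to inputs
        self.spent_tokens = set()

    def register_input(self, utxo_id, amount, blinded_msg):
        if amount != self.denomination:
            raise ValueError("mix inputs must be exactly one denomination")
        self.inputs.append((utxo_id, amount))
        return pow(blinded_msg, RSA_D, RSA_N)   # sign without seeing the real message

    def register_output(self, address, token):
        if pow(token, RSA_E, RSA_N) != h2i(address.encode()):
            raise ValueError("invalid token for this output")
        if token in self.spent_tokens:
            raise ValueError("token already used")
        if len(self.spent_tokens) >= len(self.inputs):
            raise ValueError("more outputs than registered inputs")
        self.spent_tokens.add(token)
        self.outputs.append(address)

    def build_coinjoin(self):
        """All inputs, all outputs, identical amounts: nothing distinguishes them."""
        if len(self.outputs) != len(self.inputs):
            raise ValueError("round incomplete")
        return {"inputs": list(self.inputs),
                "outputs": [(addr, self.denomination) for addr in self.outputs]}

class Participant:
    def __init__(self, utxo_id, amount, fresh_address):
        self.utxo_id, self.amount, self.address = utxo_id, amount, fresh_address
        self.r = self.token = None

    def blind(self):
        """blinded = H(address) * r^e mod n, with r a fresh secret blinding factor."""
        while True:
            self.r = secrets.randbelow(RSA_N - 2) + 2
            if math.gcd(self.r, RSA_N) == 1:
                break
        return h2i(self.address.encode()) * pow(self.r, RSA_E, RSA_N) % RSA_N

    def unblind(self, blinded_sig):
        """(H(addr)*r^e)^d * r^-1 = H(addr)^d: a plain RSA signature on the address."""
        self.token = blinded_sig * pow(self.r, -1, RSA_N) % RSA_N
        return self.token

def run_round(participants, denomination):
    coord = Coordinator(denomination)
    for p in participants:                      # phase 1: over identified connections
        p.unblind(coord.register_input(p.utxo_id, p.amount, p.blind()))
    anonymous_order = list(participants)        # phase 2: new circuits, random order
    secrets.SystemRandom().shuffle(anonymous_order)
    for p in anonymous_order:
        coord.register_output(p.address, p.token)
    return coord.build_coinjoin(), coord

if __name__ == "__main__":
    # Constructed participants: five inputs of one denomination, five fresh outputs.
    users = [Participant(f"utxo-{secrets.token_hex(3)}", 1_000_000,
                         f"addr-{secrets.token_hex(4)}") for _ in range(5)]
    tx, _ = run_round(users, 1_000_000)
    print("inputs :", [i for i, _ in tx["inputs"]])
    print("outputs:", [a for a, _ in tx["outputs"]])
```

The two checks in `register_output` are what keep the scheme honest: a token that does not verify against the registered address is a forgery, and a token presented twice is an attempt to claim two outputs for one input. The coordinator ends the round holding a list of inputs and a list of equal-value outputs with no record of which belongs to whom, which is exactly the knowledge gap the paragraph describes.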
The Whirlpool framework is a fully modular CoinJoin implementation, developed as a “heavily modified” fork of the ZeroLink framework, according to the company.
As earlier CoinJoin experiments showed, gathering enough participants to execute a round quickly is difficult. It took several hours for 100 users of the privacy-focused bitcoin app Wasabi Wallet to assemble and collectively execute a single CoinJoin. To be sure, that transaction may have been the biggest of its kind.
Apart from the human challenge of organizing a CoinJoin, there are also built-in constraints on the bitcoin network, such as the limit on how much data fits in a single block, that cap how many participants one CoinJoin transaction can hold. Additionally, some bitcoin enthusiasts believe that some forms of privacy and bitcoin’s built-in transparency are mutually exclusive. To which Samourai has responded:
Bitcoin Magazine also noted that CoinJoins may increase the overall fungibility of bitcoin – a crucial attribute of money that ensures all units are identical – by detaching coins from a history of prior use in illicit trades. By making coins harder to trace, CoinJoin reduces the chance of merchants refusing to accept “dirty money.” This, as they say, may or may not be good for bitcoin.
Zcash’s Halo Breakthrough Is a Big Deal – Not Just For Cryptocurrencies
An under-appreciated, sideline payoff from cryptocurrency R&D is that it also generates advances within the sector’s component technologies.
The most important are occurring within the field from which the term “cryptocurrency” derives. Cryptography – essentially, the study of mathematical secrets – is as old as the exploration of ciphers in ancient times. But in the past 10 years, thanks largely to the invention of bitcoin and censorship-resistant money, it’s seen an explosion of activity.
That is especially true in the sub-field of zero-knowledge proofs, which let a verifier check that a statement about some secret is true without ever seeing the secret. These advances matter because zero-knowledge proofs offer the tantalizing prospect of people transacting in confidence without accessing potentially compromising information about each other. Their potential goes beyond the narrow realm of cryptocurrencies to face the ultimate challenge of the Internet age: achieving security with privacy.
This is why a breakthrough by the Electric Coin Company, the startup behind zcash, is rich with potential. ECC had already been an engine of progress for cryptography by advancing the use of zk-SNARKs, another cryptocurrency-inspired addition to the zero-knowledge proof toolkit, with which zcash lets the network verify shielded transactions without revealing sender, recipient or amount (a disclosure note: Digital Currency Group, CoinDesk’s parent company, is an ECC investor).
But the company’s recent announcement of Halo, a “trustless recursive” version of zero-knowledge proofs that provides a massively scalable solution to the field’s unwieldy reliance on “trusted setups,” is arguably bigger. If the discovery by ECC researcher Sean Bowe holds up to scientific scrutiny, it could one day unleash a host of powerful, real-world applications for the digital age that go far beyond cryptocurrency.
Might it even achieve the impossible: lowering the heat that zcash CEO Zooko Wilcox and his cofounders relentlessly receive for the 20% founder fee built into the cryptocurrency’s protocol, a deal that has delivered them millions of dollars’ worth of tokens since the launch in 2016? The founders justify the fee on the grounds that it both pays for maintenance and rewards research and development to strengthen the protocol. For now at least, this looks like a discovery that ECC can flag as money well spent – not just for zcash, but for the entire crypto ecosystem.
A Proof Of Proofs
Halo does away with the trusted setup: there is no secret randomness that an insider could keep and later use to forge proofs, and each new proof can verify the proofs that came before it, so that secure state carries forward across ongoing updates and changes to the system. Until now the risk of fraud at setup meant that zero-knowledge proof systems often required elaborate, costly procedures at the outset to instill confidence in users. (A prime example was the zcash genesis “ceremony” – recorded live on YouTube and documented in an entertaining episode of NPR’s Radiolab – when various founders and outside participants based in multiple locations went to extraordinary lengths to jointly and securely generate the system’s public parameters and then demonstrate that none of them retained the secret randomness, the so-called toxic waste, used to create them.)
As such, zero-knowledge proofs were too cumbersome for anything other than privately proving small one-off facts. Repeating the inefficient, time-consuming trusted setup over and over again was costly. To be sure, one-off trustless solutions known as “bulletproofs” have been around since 2017, but they lack the recursive quality needed to verify the ever-accumulating information in a large, constantly changing database.
Halo gets around this problem by establishing an accumulated “proof of proofs,” such that the latest mathematical output contains within it a proof that all prior claims to the relevant secret knowledge have themselves been sufficiently proven through a similar process. In a dramatic compression in computational requirements, all that’s now needed to verify the veracity of the entire database’s current state is a single mathematical proof. (The way Wilcox explained it to me, the process sounded similar to the efficiency gains of Merkle tree structures, which aggregate previously hashed information into a single root hash output.)
Cheap Full Nodes
The scaling benefits of this lightweight proofing system were illustrated with a mid-September demonstration by the ECC team using the bitcoin blockchain. They generated a proof of the current block’s proof-of-work integrity that also contained proofs of the integrity of every preceding block, all the way down the chain to Satoshi Nakamoto’s genesis block of January 3, 2009.
In light of the fraught debates in the bitcoin community over full nodes, decentralization and block sizes, this sounds like game-changer material. While there will still need to be nodes that read the full blockchain to identify transactions, the overall task of verifying the integrity of a blockchain could become a much less costly problem for the network as a whole. Ordinary users could achieve the ease-of-use and efficiency they need but do so with their own full verification nodes. It would thus negate the need for so-called SPV wallets, which verify only block headers and trust that others have validated the transactions, creating a trust problem. For the network, the result could be greater decentralization at a lower cost.
The ECC is planning to integrate Halo into the zcash blockchain as a Layer 1 scaling solution. If it works, the zcash network might much more cheaply handle significantly larger amounts of on-chain data. This is a markedly different approach to the scaling problem from the Layer 2 model favored by bitcoin supporters of the Lightning Network, where scale is achieved by taking transactions off chain. If it works for zcash, one wonders whether bitcoin cash developers will be tempted to integrate it into their protocol to lower the cost of maintaining the larger blocks they adopted in the contentious 2017 fork from Bitcoin Core.
But it’s the potential for non-cryptocurrency solutions that makes Halo an especially exciting prospect. Wilcox even claims Halo “may turn out to be a building block for the next generation of the Internet and other such social infrastructure.”
In a conversation, he pointed to the vulnerabilities of large, ever-changing centralized databases such as that of the famously hacked credit scorer Equifax, as well as those of different states’ DMV outlets and of siloed medical record custodians. All must share information with other parties but struggle with the risks of doing so. “Now instead of them spitting out copies of a full report of the data, they keep the only copy but spit out zero knowledge proofs,” Wilcox said.
The ideal, however, would be to dispense with the centralized record-keeper entirely. Wilcox thinks Halo-like zero-knowledge proofs will pave the way. Taking the prior example one step further, he said, “What if instead of me saying ‘here is a proof that Equifax says I haven’t had any defaults over the last 10 years,’ I can say ‘here is a proof from all the 100 people that have lent to me over the past 10 years and each of them attests to me not having defaulted?”
Getting to such a utopia won’t happen quickly. Regulation, corporate incumbency and behavioral inertia will continue to pose resistance. And, to be clear, Bowe’s mathematical proof still needs to be subject to rigorous peer review.
But even if holes are found in the current iteration, they will be patched. Better versions will emerge.
This discovery will undoubtedly spur follow-on research across all areas of the digital economy. And if the world isn’t ready for such a radical reorganization of how we manage sensitive information, it will eventually be moved to adopt such changes by the relentless buildup of vulnerable databases and the ongoing attacks against them by increasingly sophisticated hackers. That’s a trend that led Juniper Research to recently assert that cybercrime will cost the global economy a stunning $5 trillion a year by 2024.
The world badly needs fixes for these giant challenges. Cryptocurrency developers are doing as much as anybody to find them.
Bitcoin Privacy Is The Only ‘Big Question’ For Devs, Says Poolin CEO
Bitcoin (BTC) needs to become more resistant to governments as a priority, the CEO of one of its biggest mining pools has said.
Pan: Privacy is Bitcoin’s “real problem”
In an interview with cryptocurrency media outlet Bitcoin Magazine quoted by Forbes on Oct. 17, Poolin’s Kevin Pan suggested privacy should form an essential focus for Bitcoin development.
“The real problem with Bitcoin may be privacy. There is no other big question if the privacy issue is solved,” he summarized.
Pan was commenting as cryptocurrency-related transaction privacy returns to the spotlight as international regulators dissect Facebook’s Libra digital currency.
As Cointelegraph reported, concerns over user data have formed the basis for rejection of the project from multiple sources, including finance ministers and United States senators.
In the future, Pan continued, Bitcoin will need to provide users with a way to avoid governments targeting them and their wallets.
“What is more troublesome now is if government or law enforcement departments begin to create a blacklist of transaction addresses, it will make certain transactions unable to be packaged. In fact, these can be done,” he explained.
“But if there is privacy, you can’t know who the address belongs to, and you can’t determine how much the amount is, and there is no way to control the currency system.”
Improving transaction privacy is already a central occupation of developers, both for Bitcoin Core and off-chain solutions such as the Lightning Network.
Certain user wallets claim to offer enhanced privacy for users already, but standards differ as developers attempt to seal technical loopholes.
Researcher Breaks Grin’s ‘Privacy’ Spending Just $60 Per Week
Mimblewimble, a privacy-focused blockchain protocol, is allegedly not private at all. According to an expert at blockchain research firm Dragonfly Research, Mimblewimble’s privacy is fundamentally flawed, which he says he proved by linking the sender and recipient sides (the transaction inputs and outputs; Grin has no addresses as such) of 96% of transactions of Mimblewimble’s privacy-centric coin Grin (GRIN).
Ivan Bogatyy, a researcher at United States-based Dragonfly Capital Partners, published a Medium post on Nov. 18 in which he claimed that he was able to break Grin’s purported privacy while spending just $60 per week on Amazon Web Services (AWS).
Mimblewimble Should No Longer Be Treated As An Alternative To Zcash Or Monero
According to the researcher, the problem is inherent to Mimblewimble, and there is no way to fix it. Based on new findings, Mimblewimble should no longer be considered as a “viable alternative to Zcash or Monero when it comes to privacy,” Bogatyy declared.
The expert added that Mimblewimble developers have been aware of the technical feasibility of such an attack since he posted a Reddit thread on the issue a year ago.
Bogatyy Lists Three Approaches To Privacy In Crypto
In the analysis, Bogatyy referred to anonymity sets: the group of candidates among which a given transaction’s true origin cannot be distinguished, so that the larger the set, the less an observer learns. Based on anonymity sets, Bogatyy compared three major approaches to privacy in cryptocurrencies, those of Zcash, Monero and Mimblewimble.
According to the researcher, Zcash provides the maximum possible anonymity, as its anonymity set is the entire pool of shielded transactions. In Monero, each spender picks their own anonymity set of 10-25 decoy outputs from any existing unspent outputs (UTXOs) on the Monero chain. In Mimblewimble, all transactions in a block are aggregated into one big CoinJoin, so the intended anonymity set is all the transactions that ended up in the same block.
However, Bogatyy says he managed to catch 96% of transactions before they could be aggregated with others. “So in reality, there is no one in their anonymity set,” the expert claimed, adding that he could not capture all 100% because a small minority of transactions merged before most nodes could see them.
Following Bogatyy’s tweet, Ethereum co-founder Vitalik Buterin replied to emphasize that only global anonymity sets, of the kind zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) provide, are robustly secure. He tweeted:
“If your privacy model has a medium anonymity set, it really has a small anonymity set. If your privacy model has a small anonymity set, it has an anonymity set of 1. Only global anonymity sets (eg. as done with ZK-SNARKs) are truly robustly secure.”
Zcash is reportedly the first widespread application of zk-SNARKs, according to the firm.
Amid the news, the Grin token saw a sharp drop in price. With a market capitalization of $12.7 million, the token was down more than 11% over the past 24 hours at press time, trading at $1.34, according to Coin360.
Grin Devs Respond: Mimblewimble Privacy Isn’t ‘Fundamentally Flawed’
The developers of privacy-centric cryptocurrency Grin (GRIN) have hit back at the fundamental claims of an article purporting to have “broken” the coin’s privacy model.
In a Medium blog post published on Nov. 19, Grin core dev Daniel Lehnberg argued that the so-called breakage did not go beyond the already-acknowledged privacy limitations of the coin’s protocol and relied on a passive attack vector that would be insufficient to glean actionable data.
Some Basics of Grin’s Protocol
Lehnberg’s post does not consist of a point-by-point takedown of the original article, which was published yesterday by Ivan Bogatyy, a researcher at United States-based Dragonfly Capital Partners.
Instead, it targets what it calls unsubstantiated logical leaps and factual inaccuracies in the reasoning Bogatyy used to support his claim.
As previously reported, Grin’s protocol, “Mimblewimble,” is a variant of the cryptographic scheme known as Confidential Transactions, which is built on primitives known as “Pedersen commitments.”
A Pedersen commitment replaces a plaintext amount with a value that hides it but cannot be changed afterwards. Because the commitments are additively homomorphic, validators can check that a transaction’s inputs sum to its outputs plus the fee using only public data, while the individual amounts remain unknown; range proofs ensure that no hidden amount is negative. Double-spending is still prevented by the usual rule that each output can be spent only once.
The protocol notably does not use wallet addresses or public keys, only inputs and outputs. Because of this, each sender must contact a receiver via a private channel in order to construct a transaction interactively.
Supplemental Privacy Features
As outlined in Cointelegraph’s coverage yesterday, Bogatyy focused on a default feature of Grin’s Mimblewimble implementation, CoinJoin-style aggregation, which creates “anonymity sets” by merging the inputs and outputs of several transactions into a single large transaction so that it is difficult to distinguish which inputs are paying which outputs.
Bogatyy also claimed to have conducted a successful “attack” on a supplemental feature called “Dandelion,” which Grin uses to reduce the chance that so-called “spy nodes” record transactions while they sit in the unconfirmed transaction pool (the “mempool”), before they are aggregated with others.
While the limitations of Grin’s overall privacy model — which is significantly more complex than space permits to outline here — are known, Lehnberg’s critique of Bogatyy’s research rests on what he judges to be key “inconsistencies.”
These include the implication that it would be possible for law enforcement to link intercepted data to a user address — when, as Lehnberg states, addresses do not exist within Grin’s privacy model at all. He adds:
“We have to assume that the author conveniently confused transaction outputs (TXOs) with addresses, but these are not the same. And, as we’ve already detailed, the fact that TXOs can be linked is hardly news.”
Lehnberg’s critique of Bogatyy’s claims continues to address several further points, with his central line of argument — details aside — resting on the statement that:
“The Grin team has consistently acknowledged that Grin’s privacy is far from perfect. While transaction linkability is a limitation that we’re looking to mitigate as part of our goal of ever-improving privacy, it does not ‘break’ Mimblewimble nor is it anywhere close to being so fundamental as to render it or Grin’s privacy features useless.”
As reported, Grin underwent its first network hard-fork this summer to introduce tweaks to its consensus algorithm in order to achieve greater resistance to ASIC miners.
In October, the Litecoin Foundation published two new draft proposals that pave the way toward integrating MimbleWimble in order to establish privacy features for the Litecoin (LTC) network.
Earlier this month, Grin received an anonymous 50 Bitcoin (BTC) donation to its General Fund, sparking a bizarre rumor that the generous soul behind it was Satoshi.
Grin’s Mimblewimble Privacy Model Under Threat After Alleged Break-In
On Nov. 18, crypto researcher Ivan Bogatyy published an article on Medium claiming that he had found an extremely easy way of bypassing Grin’s Mimblewimble privacy protocol. As part of his efforts, Bogatyy stated that he was able to trace over 96% of all Grin transactions in real time, including the sender and recipient sides of each (what he called their “addresses,” though Grin has no addresses as such and these are transaction inputs and outputs).
What’s more striking is the fact that Bogatyy claims he was able to achieve all this by spending just $60 a week on Amazon Web Services computational power, which helped connect him to Grin’s native blockchain nodes.
Not only that, but the Google AI research alum also claims that he could have quite easily exposed the addresses of “almost all” Grin users if he had decided to connect to all 3,000 of the system’s nodes. In this regard, Bogatyy wrote the following:
“Grin still affords a stronger privacy model than Bitcoin or other non-privacy coins, since amounts are safely encrypted. But Mimblewimble provides a strictly weaker privacy model than Zcash or Monero. This makes it insufficient for many real-world privacy use cases.”
As expected, as soon as these developments came to light, the future of Mimblewimble was immediately called into question by people around the globe, who began saying that the privacy protocol could no longer be trusted, since it was clearly not secure enough.
However, a few days after the initial report, Daniel Lehnberg, a member of Grin’s core developers team, published a blog arguing that the “alleged” break-in was confined largely to the protocol’s already-acknowledged privacy limitations. He also added that the attack was facilitated through the use of a passive vector that did not have the capacity to acquire any actionable data.
Lastly, Grin makes use of a technology called “Patient Dandelion,” a modified version of the Dandelion++ design, itself a successor of the Dandelion proposal outlined for Bitcoin in BIP 156. The protocol aims to hide which node originated a transaction by first relaying it along a random “stem” path of single hops, with added delays at each node, before broadcasting (“fluffing”) it to the whole network. However, since Grin’s latest privacy scandal came to light, many experts are now calling into question the overall effectiveness of Dandelion as well.
A closer look at Grin and its privacy framework
In its most basic sense, Grin can be thought of as an implementation of the Mimblewimble, or MW, protocol, whose privacy is derived from two key aspects:
The protocol employs confidential transactions to hide transaction amounts.
The protocol aggregates transactions to prevent the linking of individual transaction inputs and outputs.
Additionally, the MW transaction format differs substantially from that of Bitcoin-like cryptocurrencies in that multiple transactions can be merged into a single larger transaction.
This aggregation is “lossy”: the original individual transactions cannot be recovered from the aggregate, and outputs that are created and spent within the same aggregate can be dropped entirely (so-called cut-through), which also improves the scalability of the network. Mining a block aggregates all of its transactions together, making it difficult for bad actors or third parties to link inputs and outputs when viewing the chain after the fact.
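As an added worked example written for this page (not Grin’s code), the following Python covers both the Pedersen-commitment description under “Some Basics of Grin’s Protocol” above and the two privacy properties just listed: it models confidential transactions and block-level aggregation on secp256k1, then shows what an observer can link depending on whether it logged each transaction before aggregation, which is the vantage point Bogatyy’s monitoring relied on. Assumptions: the secp256k1 constants as published, a second generator H derived by hashing to the curve so that nobody knows its discrete log, and two constructed transactions with made-up amounts and blinding factors; the kernel signature and range proofs of real Grin are omitted.

```python
import hashlib

# secp256k1 parameters, the curve Grin uses for its commitments (values as published)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    out, k = None, k % N
    while k:
        if k & 1:
            out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def second_generator():
    """Derive H by hashing to the curve (try-and-increment) so log_G(H) is unknown."""
    ctr = 0
    while True:
        digest = hashlib.sha256(b"demo-H" + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # P = 3 mod 4: a root whenever y2 is a square
        if y * y % P == y2:
            return (x, y)
        ctr += 1

H = second_generator()

def commit(value, blind):
    """Pedersen commitment C = blind*G + value*H: hides the value, binds to it."""
    return add(mul(blind, G), mul(value, H))

def build_tx(inputs, outputs, fee):
    """inputs/outputs are (value, blinding) pairs known only to the two parties.
    The broadcast form carries only commitments and a kernel (fee, excess point).
    Real Grin also signs the kernel with the excess as a private key; omitted here."""
    assert sum(v for v, _ in inputs) == sum(v for v, _ in outputs) + fee
    excess = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % N
    return {"inputs": [commit(v, r) for v, r in inputs],
            "outputs": [commit(v, r) for v, r in outputs],
            "kernels": [(fee, mul(excess, G))]}

def verify_tx(tx):
    """Validator's check on public data only:
    sum(outputs) + fee*H - sum(inputs) == sum(kernel excess points).
    The H terms cancel exactly when the values balance; no amount is revealed."""
    acc, target = None, None
    for c in tx["outputs"]:
        acc = add(acc, c)
    for x, y in tx["inputs"]:
        acc = add(acc, (x, (-y) % P))  # subtract by adding the negated point
    for fee, excess_point in tx["kernels"]:
        acc = add(acc, mul(fee, H))
        target = add(target, excess_point)
    return acc == target

def aggregate(*txs):
    """Block-level CoinJoin: concatenate inputs, outputs and kernels of many
    transactions. The result still verifies, but per-transaction grouping is gone."""
    agg = {"inputs": [], "outputs": [], "kernels": []}
    for tx in txs:
        for key in agg:
            agg[key] += tx[key]
    return agg

def candidate_outputs(observed):
    """Linkability as an observer sees it: an input can only have paid an output of
    the same observed transaction. A node that logged each transaction before
    aggregation gets tiny sets; one that saw only the block gets the union."""
    return {c: len(tx["outputs"]) for tx in observed for c in tx["inputs"]}

def make_sample():
    """Two constructed transactions: Alice pays Bob 70 (30 change); Carol pays Dan 5."""
    return (build_tx([(100, 11)], [(70, 22), (30, 33)], fee=0),
            build_tx([(20, 44)], [(5, 55), (14, 66)], fee=1))

if __name__ == "__main__":
    tx1, tx2 = make_sample()
    print("valid:", verify_tx(tx1), verify_tx(tx2), verify_tx(aggregate(tx1, tx2)))
    print("spy node logged each tx:", sorted(candidate_outputs([tx1, tx2]).values()))
    print("node saw only the block:", sorted(candidate_outputs([aggregate(tx1, tx2)]).values()))
```

Running it shows the two sides of the dispute above: the aggregate verifies without revealing any amount, and a node that only ever saw the block has four candidate outputs per input, but a node that logged each transaction as it arrived has only two (the payment and its change). Changing any one output’s hidden amount, for instance by replacing the 70 with 71, makes the H terms stop cancelling and `verify_tx` returns False.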
Are Bogatyy’s Assertions Valid?
With so many conflicting details currently floating around on the internet regarding the recent Mimblewimble security lapse, Cointelegraph reached out to Jake Yocom-Piatt, co-founder and project lead for Decred, a community-driven digital currency that uses a hybrid proof-of-work and proof-of-stake consensus model. When asked to comment on Bogatyy’s claims and whether he was right or not with his assertions, Yocom-Piatt pointed out:
“Despite an aggressive response from Daniel Lehnberg from Grin, I am of the opinion that Ivan’s attack is valid. The attack links inputs and outputs to most MW transactions, and it achieves this by monitoring the Grin network, where it can log transactions prior to their being aggregated either over Dandelion or in a block.”
He then added that a few months back he had published an article highlighting the exact same weakness that Bogatyy was able to exploit: before a block is mined, miners and any other nodes can observe individual transactions as they are published, before they are aggregated.
This allows a third party closely monitoring the transactions published on the network to link inputs and outputs in a way that would not be possible from the mined blocks alone. Yocom-Piatt then added:
“Ivan executes exactly the attack I described. While Daniel takes exception to Ivan’s post for various technical reasons related to terminology, the linking of inputs and outputs is hard to argue against.”
Is Lehnberg’s Recent Blog Post Just Damage Control?
Many crypto enthusiasts firmly believe that Lehnberg’s recent post is a defense tactic. With enough technical know-how, hackers or other third-party entities could easily retrieve a huge volume of the input/output data about the majority of the involved entities, as long as MW-based native transactions can be reliably surveyed before they are aggregated.
With that being said, Ethan Fast — a co-founder of security-oriented crypto exchange Nash — is of the opinion that Bogatyy’s findings are incorrect because of his flawed understanding of how the Mimblewimble protocol works. On the subject, Fast told Cointelegraph:
“He [Bogatyy] is able to demonstrate that an adversary can construct a transaction graph on the network, in the sense that input A became output B. But because of how the protocol works, this is not like identifying an output address on Bitcoin. Just knowing A=>B does not imply you know who received the funds in any useful sense. So my interpretation is that what Ivan found was already publicly known and he mischaracterized its implications in the article he published.”
Fast then pointed out that a big part of the misunderstanding seems to have stemmed from the confusion surrounding what an “address” within the Grin ecosystem actually represents. To further solidify his stance, Fast highlighted to Cointelegraph a number of other instances where similar issues over Grin’s native operational framework came to light. He further added:
“Grin does not have anything like Bitcoin addresses. In fact, every time you want to send someone an asset, you need to interact with them in a live computation, working together to create a transaction. Given this fact, my understanding is that being able to construct a transaction graph on Grin is not a major security issue, as transactions don’t have anything like public addresses that tie them together.”
The Conversation Continues
Despite Grin’s reputation being called into question after the allegations put forth by Bogatyy started to gain widespread attention on the internet over the last week, the platform’s core backers (as well as community members) have continued to claim that the assertions put forth by Bogatyy are inherently wrong and that there are many factual inaccuracies — six, to be exact — in his findings.
Also, it is quite obvious that due to this entire episode, Grin’s financial value has taken quite a beating. The currency has dropped from $1.52 to just under $1 over the space of the past seven days.
New Bitcoin Wallet Hides Addresses To Solve ‘Terrible’ User Experience
A new wallet aims to broaden the adoption of Bitcoin (BTC) and cryptocurrencies by making their addresses easier to remember.
The service, dubbed Easypaysy, is the product of Spanish developer José Femenías Cañuelo and launched on Dec. 1.
Dev: BTC Addresses “Not For Humans”
Cañuelo was irked by the complex nature of Bitcoin addresses, which are random collections of letters and numbers that are all but impossible to memorize.
In the official introduction to Easypaysy, he described Bitcoin’s user experience, or UX, as “terrible.”
“Bitcoin addresses are really not meant for humans. Nobody should be forced to make or receive payments to a crypto-address, much as nobody expects you to navigate the world wide web just by using IP addresses,” the description reads.
The wallet service works by offering three formats of so-called Bitcoin “accounts” for users. These are designed to be more user-friendly identifiers, to which others can send cryptocurrency funds instead of using actual BTC addresses.
Behind the mask, funds are delivered to BTC addresses as in a regular transaction, with Cañuelo promising that no address is used more than once.
Security Trumps Familiarity
Various services have offered similar solutions over the years, including BitcoinWallet.com in 2014 and Ethereum Name Service for Ether (ETH) payments last year.
Nonetheless, commentators appeared taken by Easypaysy with well-known Bitcoin educator and developer Jimmy Song describing the concept as “interesting.”
“I haven’t thought through the downsides, but allows for much easier-to-remember IDs than addresses that we use today. From a UI perspective, big win as it’s easy to remember and print on business cards,” he summarized in a tweet following the launch.
As Cointelegraph reported, wallet security currently forms something of a thornier issue than ease of address sharing. With large numbers of Bitcoin users still trusting third parties to store their funds, a dedicated effort is underway to highlight the risk of not controlling one’s own private keys.