BitShares Forum

Main => Stakeholder Proposals => Topic started by: bytemaster on June 12, 2015, 10:45:58 pm

Title: What if BitShares could have perfect privacy?
Post by: bytemaster on June 12, 2015, 10:45:58 pm
What if you combined Confidential Transactions (https://bitcointalk.org/index.php?topic=1085273.0) with Stealth Addresses?
What if you could do this while still processing 100,000 transactions per second?
What if Cryptonomex's first worker proposal was to implement this at a protocol level (no GUI support) for 2M BTS?

Stealth Transfers enable users to maintain their financial privacy even though all transactions are public.  I.e., better than Dash or other alternatives.

Every account would have three balances:

Public Balance - everyone can see the balance changes and the parties involved
Blinded Balance - everyone can see who is transacting but not the amounts involved
Stealth Balance - both the amounts and parties involved are completely obscured

Account owners may set a flag that allows their account to receive (or not) transfers of these kinds. Asset issuers can enable or disable the use of each of these types of accounts.

Using the "temp account" which has no permissions required, users can transfer a stealth balance to the temp account and then use the temp account to register a new account. In this way users can use stealth funds to create anonymous accounts with which they can perform other actions that are not compatible with blinded balances (such as market orders).

Stealth transfers that do not specify any account id cannot pay referral fees so 100% of the transaction fee is paid to the network.
Stealth transfers can have an arbitrarily large size and therefore the transaction fee for stealth transfers is based purely on the data size of the transaction.

Title: Re: What if BitShares could have perfect privacy?
Post by: sittingduck on June 12, 2015, 10:57:36 pm
Nice
Title: Re: What if BitShares could have perfect privacy?
Post by: JA on June 12, 2015, 10:57:50 pm
stealth + 5%... sounds good
Title: Re: What if BitShares could have perfect privacy?
Post by: arhag on June 12, 2015, 11:26:40 pm
Didn't stealth addresses (aka TITAN) give all kinds of problems which was the reason they were removed in 2.0? How are stealth addresses going to be done differently this time to avoid all of those complications? In particular, how do lightweight wallets reliably keep track of all their balances without access to the full blockchain and without compromising their privacy? Is the compromise some kind of observer private key that is shared with the wallet host (meaning your wallet host knows the accounts you transact with but not the amounts but the rest of the world doesn't know both)? How does voting work with confidential transactions? Wouldn't only public BTS balances be able to vote for delegates/witnesses/workers?

Title: Re: What if BitShares could have perfect privacy?
Post by: sittingduck on June 12, 2015, 11:30:23 pm
Confidential addresses couldn't vote because no one knows the balance. 

Light wallets need out of band notification.
Title: Re: What if BitShares could have perfect privacy?
Post by: arhag on June 12, 2015, 11:44:26 pm
Confidential addresses couldn't vote because no one knows the balance. 

Yeah, which means people protecting their BTS balances will be in opposition to network security.

What if it was possible to count some of the blinded BTS votes if the owner elected to share the blinding factor with some trusted third party (thus exposing their balance amount to that third party)? You could have some subset of balances that all voted for witness 8, and the trusted third party could provide proof that the summation of the blinded values of all the accounts in this subset is a BTS amount X (they can sum all the blinded factors they collect and use that to sign the proof). Then the network could recognize that and add X votes to witness 8's approval rating.

Light wallets need out of band notification.   

But what happens if you lose your local data (but not your private key). You in theory have enough information to recover access to your funds if you had a full client with access to the blockchain. But at 100,000 tx/s it is not feasible. And you don't want to give your private key away to someone to do it for you because they could steal your funds. Observer keys could allow you to expose your financial history to a trusted third party (but not access) for the sake of recovering your account from a single brain key imported into a lightweight wallet.
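
The tally idea in the post above (a trusted third party sums the blinding factors it was given and signs with that sum) works because Pedersen commitments are additively homomorphic. The sketch below is an added example, not code from the thread or from BitShares: it assumes a toy multiplicative group in place of secp256k1, a Schnorr signature as the "proof", and hypothetical function names and sample amounts.

```python
import hashlib
import secrets

# Toy group for the demo: integers modulo the Mersenne prime 2^127 - 1.
# Far too small for real use and not of prime order; Confidential
# Transactions uses the secp256k1 curve group instead.
P = 2**127 - 1
Q = P - 1          # exponents may be reduced modulo P - 1 (Fermat)
G, H = 3, 7        # assumed bases; log_G(H) must be unknown in a real system


def commit(value, blind):
    """Pedersen commitment: G^value * H^blind mod P."""
    return pow(G, value, P) * pow(H, blind, P) % P


def message(commitments, witness, total):
    # Bind the proof to the exact set of balances, the witness and the total,
    # so it cannot be replayed for another witness or another subset.
    body = ",".join(str(c) for c in sorted(commitments))
    return f"witness={witness};total={total};set={body}".encode()


def challenge(R, Y, msg):
    data = f"{R}|{Y}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def tally_proof(ballots, witness, claimed_total=None):
    """Third party: ballots are the (amount, blinding factor) pairs that
    voters disclosed to it. Returns (total, Schnorr signature)."""
    commitments = [commit(v, r) for v, r in ballots]
    total = sum(v for v, _ in ballots) if claimed_total is None else claimed_total
    blind_sum = sum(r for _, r in ballots) % Q
    # Schnorr signature with base H and private key blind_sum.
    k = secrets.randbelow(Q - 1) + 1
    R = pow(H, k, P)
    Y = pow(H, blind_sum, P)
    e = challenge(R, Y, message(commitments, witness, total))
    return total, (R, (k + e * blind_sum) % Q)


def verify_tally(commitments, witness, total, sig):
    """Network: sees only the on-chain commitments, the claimed total and
    the signature. No individual amount or blinding factor is revealed."""
    product = 1
    for c in commitments:
        product = product * c % P          # = G^(sum v) * H^(sum r)
    # Strip the claimed total. If it is correct, Y = H^(sum r), and only
    # someone who knows sum r can sign for the public key Y.
    Y = product * pow(G, -total, P) % P
    R, s = sig
    e = challenge(R, Y, message(commitments, witness, total))
    return pow(H, s, P) == R * pow(Y, e, P) % P


if __name__ == "__main__":
    # Constructed sample: three blinded BTS balances voting for witness 8.
    ballots = [(1500, secrets.randbelow(Q)),
               (250, secrets.randbelow(Q)),
               (42000, secrets.randbelow(Q))]
    on_chain = [commit(v, r) for v, r in ballots]
    total, sig = tally_proof(ballots, witness=8)
    print("claimed votes:", total, "accepted:", verify_tally(on_chain, 8, total, sig))
    lie, bad = tally_proof(ballots, witness=8, claimed_total=total + 1000)
    print("inflated claim accepted:", verify_tally(on_chain, 8, lie, bad))
```

The verifier rejects an inflated total because the third party would then need the discrete log of a value that still contains a power of G.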
Title: Re: What if BitShares could have perfect privacy?
Post by: Akado on June 12, 2015, 11:51:43 pm
with the new multisig system wouldn't it be possible to create a general account and then make every fund a user sends, pass through before reaching the destiny? Then automate the timings of each transaction, ie. i want to send 100 bts to user X, i send them to that general account, which would then send 10 bts, then 20 bts, etc to user X. Making everyone's transactions pass through and with TITAN, would it be possible to know the origin of the transactions?

However, I think the biggest problem we have is anonymous voting. Once that's figured out, tx will be too. But private transactions with votes being public jeopardizes the network
Title: Re: What if BitShares could have perfect privacy?
Post by: CLains on June 13, 2015, 12:09:50 am
Just when we got used to our weakness.
Title: Re: What if BitShares could have perfect privacy?
Post by: sittingduck on June 13, 2015, 12:45:55 am
Privacy means more personal responsibility for tracking keys and larger wallets.   Seems like a reasonable trade off.
Title: Re: What if BitShares could have perfect privacy?
Post by: rgcrypto on June 13, 2015, 01:45:41 am
I think I peed a little...
Title: Re: What if BitShares could have perfect privacy?
Post by: yellowecho on June 13, 2015, 02:15:13 am
amazing. a no brainer
Title: Re: What if BitShares could have perfect privacy?
Post by: merivercap on June 13, 2015, 02:26:45 am
Yeah this is great.  I heard Greg Maxwell discuss this at the Sidechains Bitcoin meetup.  It seems like a very good and efficient solution. 
Title: Re: What if BitShares could have perfect privacy?
Post by: bubble789 on June 13, 2015, 02:34:48 am
stealth + 5%... sounds good

this is good haha
Title: Re: What if BitShares could have perfect privacy?
Post by: oco101 on June 13, 2015, 04:25:46 am
stealth + 5%... sounds good

this is good haha
Title: Re: What if BitShares could have perfect privacy?
Post by: puppies on June 13, 2015, 05:50:51 am
Depending upon the payout terms, and vesting schedule I would most certainly vote for a delegate that promoted paying 2M BTS to workers to enable this system.

With that on topic comment above, I feel liberated to quote
with the new multisig system wouldn't it be possible to create a general account and then make every fund a user sends, pass through before reaching the destiny? Then automate the timings of each transaction, ie. i want to send 100 bts to user X, i send them to that general account, which would then send 10 bts, then 20 bts, etc to user X. Making everyone's transactions pass through and with TITAN, would it be possible to know the origin of the transactions?

However, I think the biggest problem we have is anonymous voting. Once that's figured out, tx will be too. But private transactions with votes being public jeopardizes the network

and to bring in an old favorite.  Spooner. from no treason 6
Quote
NT.6.2.14   7. As all the different votes are given secretly (by secret ballot), there is no legal means of knowing, from the votes themselves, who votes for, and who votes against, the Constitution. Therefore, voting affords no legal evidence that any particular individual supports the Constitution. And where there can be no legal evidence that any particular individual supports the Constitution, it cannot legally be said that anybody supports it. It is clearly impossible to have any legal proof of the intentions of large numbers of men, where there can be no legal proof of the intentions of any particular one of them.
NT.6.2.15   8. There being no legal proof of any man's intentions, in voting, we can only conjecture them. As a conjecture, it is probable, that a very large proportion of those who vote, do so on this principle, viz., that if, by voting, they could but get the government into their own hands (or that of their friends), and use its powers against their opponents, they would then willingly support the Constitution; but if their opponents are to have the power, and use it against them, then they would not willingly support the Constitution.
NT.6.2.16   In short, men’s voluntary support of the Constitution is doubtless, in most cases, wholly contingent upon the question whether, by means of the Constitution, they can make themselves masters, or are to be made slaves.
NT.6.2.17   Such contingent consent as that is, in law and reason, no consent at all.
NT.6.2.18   9. As everybody who supports the Constitution by voting (if there are any such) does so secretly (by secret ballot), and in a way to avoid all personal responsibility for the acts of his agents or representatives, it cannot legally or reasonably be said that anybody at all supports the Constitution by voting. No man can reasonably or legally be said to do such a thing as assent to, or support, the Constitution, unless he does it openly, and in a way to make himself personally responsible for the acts of his agents, so long as they act within the limits of the power he delegates to them.
NT.6.2.19   10. As all voting is secret (by secret ballot), and as all secret governments are necessarily only secret bands of robbers, tyrants, and murderers, the general fact that our government is practically carried on by means of such voting, only proves that there is among us a secret band of robbers, tyrants, and murderers, whose purpose is to rob, enslave, and, so far as necessary to accomplish their purposes, murder, the rest of the people. The simple fact of the existence of such a band does nothing towards proving that “the people of the United States,” or any one of them, voluntarily supports the Constitution.
NT.6.2.20   For all the reasons that have now been given, voting furnishes no legal evidence as to who the particular individuals are (if there are any), who voluntarily support the Constitution. It therefore furnishes no legal evidence that anybody supports it voluntarily.

I think it rather elegantly explains the reasons why a secret vote could never work.  It is admittedly off topic, but a good read none the less.
Title: Re: What if BitShares could have perfect privacy?
Post by: montpelerin on June 13, 2015, 08:04:05 am
This sounds terrific.

Questions:

1. Will this allow for private voting, as questioned previously by Akado? ( - Private voting should work just fine given Bitshares stake voting method - )

2. Will the contract payment be subject to a significant vesting schedule?


I'd like to see the community use the opportunity of this first new worker proposal to begin a practice of requiring a reasonable percentage and duration for vesting large payments. Obviously, not all workers will be able to delay large amounts for excessive amounts of time. However, I'd like to see most workers employed by Bitshares make this offer as a proof-of-faith in both the potential benefit of their particular proposal to Bitshares overall value, as well as the Bitshares community, in general.

Because incentives.
Title: Re: What if BitShares could have perfect privacy?
Post by: Riverhead on June 13, 2015, 10:13:28 am

Sounds like we need a smart contract that pays out on milestones rather than time :).
Title: Re: What if BitShares could have perfect privacy?
Post by: betax on June 13, 2015, 10:32:43 am
This is great, privacy and transparency.
Title: Re: What if BitShares could have perfect privacy?
Post by: oldman on June 13, 2015, 02:33:50 pm
Yes, will vote and needs to be implemented wasp.
Title: Re: What if BitShares could have perfect privacy?
Post by: karnal on June 13, 2015, 04:35:17 pm
+5%

This is really important.
Title: Re: What if BitShares could have perfect privacy?
Post by: arhag on June 13, 2015, 09:26:27 pm
Bytemaster, please don't make stealth transfers require only a single key permission to spend the blinded output balances. That would mean there would be no way to have multisig protection of balances received through stealth transfers starting from the moment they are received. The user could of course quickly move the balances to another account (obviously not their main account since that would just compromise the privacy of the stealth transfer unless it was funneled through a CoinJoin-like process first [1]) with appropriate permissions set up shortly after receiving it, but this would be an annoying (and costlier) inconvenience. And if the funds were sent unsolicited, there can be an arbitrarily long period of time during which the funds can be stolen by an attacker who knows the account's active private key and is scanning the blockchain with it looking for opportunities to make money.

Of course stealth transfer recipients having many different permission structures harms privacy. If only one account has an M-of-N multisig set up for a particular value of M and N, then sending a stealth transfer to that account while respecting their multisig permissions would create an output balance with an M-of-N multisig spending permission, which would clearly associate the supposedly stealth balance output to the named account.

For maximum privacy while still balancing usability, I think all stealth transfer output balances on the blockchain should follow the same spending permission system that I will describe next. Each account that specifies that it can receive stealth transfers should also specify three public keys: a hot key, a cold key, and a third-party key. Each of these keys will be converted into an obscured version for use in the output balance using child key derivation. The obscured hot key will be derived from the hot key using a child index of sha256(sha256(V)), where V is the shared secret. The obscured cold key will be derived from the hot key using a child index of sha256(sha256(sha256(V))). And, the obscured third-party key will be derived from the third-party key using a child index of sha256(sha256(sha256(sha256(V)))). The different hashes are used so that if any of the three keys are the same, that equality relationship will not also be visible with the obscured keys. Furthermore, the index for deriving the obscured third-party key from the third-party key (for use in possibly signing a spending transaction) can be shared with the third-party without exposing the decryption key for the memo or the blinding factor for the blinded balances to the third-party. To spend the balance the network would require a signature from either the obscured cold key OR signatures from both the obscured hot key and the obscured third-party key. The idea is to allow the cold storage private key alone to be able to spend/recover the funds [2], or alternatively to spend/recover the funds using the hot private key and cooperation with the owner of the private key corresponding to the third-party key assigned to the account (this allows two-factor authentication even for spending output balances of stealth transfers). 
Now if the user is not interested in relying on a third-party, the third-party key in the account can be also set to the hot key, thus allowing either the cold storage private key or the hot active private key to spend the balance. Regardless of the setup, the public always sees output balances with three unique keys in the spending permissions, so they cannot determine whether it is a multisig setup or not.

I also think it is important to add EdDSA cryptography to Graphene so that users have a computationally and user friendly way of computing threshold signatures. The new multisig permission system in Graphene is very powerful but it has two characteristics that can be perceived as flaws in some cases. First, the number of signatures needed (and thus transaction fees) scales with the number of parties that need to sign, whereas threshold signatures are indistinguishable from a single normal signature. Second, the permissions structure is public (some entities, such as companies and organizations, may wish to hide such information with the opaque threshold signatures even though it comes at the cost of having to manually update public keys any time a single key in the permission hierarchy needs to change and also needing to coordinate the signature generation process off-chain). Furthermore, threshold signatures become very useful in stealth transfers because any of those three keys can have their independent opaque threshold scheme (I think... do hierarchical deterministic wallets using EdDSA still allow threshold signature generation?). So you can imagine that the third-party key added to an account would actually be a result of some threshold scheme set up by the two-factor security company.


[1] By the way, I think it is so important to make sure the blockchain has all the support it needs to make CoinJoin-like processes easy and efficient to do, and then also have some standard code built into the wallet frontend and backend that implements that process. It would be great if the following was possible. The user's wallets could submit to the wallet host a pseudo-transaction with blinded input operations that each pay a small unblinded fixed fee, blinded (with random blinding factors) output operations that each pay a small unblinded fixed fee, and the blinding factor difference to make the balance proof possible. Then the host waits to collect these pseudo-transactions (for the same asset type) from many different users and aggregates them together in random order into a single transaction (the wallet host will have to balance inputs and outputs by adding to the transaction a commitment to 0 value with a blinding factor equal to the sum of the collected blinding factor differences, and also sign that commitment with the blinding factor to prove it is committed to a 0 value). Then the wallet host sends the completed unsigned transaction to all those users so they can verify, sign, and send the signatures to the wallet host who would then finally broadcast the final signed CoinJoin transaction. The wallet host knows the metadata of which inputs map to which outputs (but not the amounts which are blinded), but the public doesn't know either the amounts or the mapping.

[2] I believe it is also necessary for the hot active private key to always be set up such that it can be derived from the cold storage private key since the hot active private key is needed to derive the one-time private key for the output balances of the transaction which is in turn needed to calculate the shared secret V. In fact, going from the one-time private key to V also requires knowing the recipient's public key, which means the recipient of the transaction must be known. Since there is so much free space available thanks to the blinding proofs, it shouldn't be any problem to use some of that space to store important information to help recovery. For example a decryption key derived from the one-time private key could be used to decrypt a fixed-size first segment of the encrypted memo that stores information meant for the sender's eyes only. This information would store a small checksum and the account ID of the recipient (and perhaps even the recipient public key as well to speed the process up if space isn't a problem) which would provide enough information to then derive V. The encrypted memo may even have a fixed-size second segment which can be decrypted by an observer (assuming the recipient account assigned an observer account for stealth transfers) and would have a checksum to let the observer know that this transaction output was meant for them and the account ID of the recipient so that the observer would know who to inform of the transaction. Then the rest of the encrypted memo would be the third segment which would be the original encrypted memo that uses V as the encryption/decryption key. 
The observer could scan the blockchain with just a single key to quickly determine whether the transaction outputs of a stealth transfer concerned them or not, and if it did, with a little more work could determine the recipient account that (if the account was a customer of the observer) would need to somehow be informed of the existence of this transaction since it would very likely be a stealth transfer of some asset to the recipient. That way senders don't need to rely on off-chain methods of communicating the existence of a balance output to the recipient, and also it is in theory possible for the user to recover all stealth balances without needing full access to the blockchain by delegating the scanning task to the user's observer (perhaps after compensating the observer with some fee) and without needing to reveal any information to the observer that could allow it to steal (or even view the balance of) the funds.
Edit: Actually, after thinking about the cryptography more, I believe what I missed was that the "free" space in the signature used in the memos could only be useful for those who are supposed to be able to see the unblinded values. If I understand it correctly, the random nature (to those without a decryption key) of the encrypted memo means that outsiders cannot tell which version of the commitment in the ring for each blinded bit is the "corrected" one, but those with the decryption key would easily be able to deduce that information and thus figure out what the underlying value actually is. So, again assuming I understood correctly, it is only possible to design the cryptography to share the "free" memo space between the sender and receiver (both of which must be able to get access to the plain-text amount), but not an observer who is not supposed to know the plain-text amount (the observer would just need a separate small fixed-size memo field outside of the signature if we would want it to be able to do its job).
Title: Re: What if BitShares could have perfect privacy?
Post by: sumantso on June 14, 2015, 04:42:37 am
I think trying to make BTS a jack of all trades is a non-starter. It's better to stick to the core areas of strength and build on it.

Eventually you will find that there are stuff which can't be implemented on BTS blockchain and we will have to look into a second, separate chain. I can see a market for a perfect stealth crypto and can see it being used as storage; something what BTC was expected to be by the average enthusiast.

I think there would be a lot more issues out there which need solving which would be better served to spend 2m BTS on. More informed members will be able to say that, but on top of my head having a smaller blockchain would be a start. I personally would be happier running a full node rather than depending on light wallets.
Title: Re: What if BitShares could have perfect privacy?
Post by: tonyk on June 14, 2015, 05:29:58 am
I think trying to make BTS a jack of all trades is a non-starter. It's better to stick to the core areas of strength and build on it.

Eventually you will find that there are stuff which can't be implemented on BTS blockchain and we will have to look into a second, separate chain. I can see a market for a perfect stealth crypto and can see it being used as storage; something what BTC was expected to be by the average enthusiast.

I think there would be a lot more issues out there which need solving which would be better served to spend 2m BTS on. More informed members will be able to say that, but on top of my head having a smaller blockchain would be a start. I personally would be happier running a full node rather than depending on light wallets.

Neeh sumantso...you make too much sense!
It is a perfect time to reintroduce TITAN (well 50% of it) back!
It's been 3 days or so, so let's do it! 3 days is way too much time without stupid ideas?!
If we just do it - BTS 2.0 will be fresh out of the box and totally not working in no time of 17 mo. so!!!
I really do not get your point! You make too much sense, and you must know by now this is frowned upon here!

 
Title: Re: What if BitShares could have perfect privacy?
Post by: Ander on June 14, 2015, 05:44:50 am
I'm not really sure about the technicals of this or whether it should be the top priority. 

I really like the idea of the devs making several proposals and then having the community debate and vote for which they think is best (by voting for the proposal in the blockchain)
Title: Re: What if BitShares could have perfect privacy?
Post by: mint chocolate chip on June 14, 2015, 05:51:05 am
What if Cryptonomex's first worker proposal was to implement this at a protocol level (no GUI support) for 2M BTS?
In layman's terms does this mean that it would be operational but not actually usable by most people?

Maybe we should be asking who, what, when, how much etc. regarding GUI support if it is important to this.
Title: Re: What if BitShares could have perfect privacy?
Post by: starspirit on June 14, 2015, 05:58:22 am
It seems to me a bit premature to be putting up a complex proposal (or proposal for a proposal) like this when everyone just wants to see 2.0 actually implemented first. Fine to toss around the possibility, but let's not get too distracted.
Title: Re: What if BitShares could have perfect privacy?
Post by: puppies on June 14, 2015, 06:54:16 am
I think it is safe to make a couple of assumptions.

Assumption #1.
           BitShares 2.0 is already up and running.  Witnesses are witnessing blocks.  Delegates are proposing ideas, and workers are getting paid.  This is  a necessary assumption in order to pay anyone 2M BTS within a reasonable amount of time.

Assumption #2
           There is a clear understanding amongst the community of exactly that which we will get.  i.e.  What level of anonymity?  Can those balances vote?  Will there be multisig by default?  What if any performance penalties will this have on the network?

Assumption #3
            There is a clear plan of when these funds will be paid.  When they will vest, and exactly what the community's options are should they consider #2 not fulfilled.

I felt as if those assumptions were understood even if not stated.  I hope that stating them will help to assuage the fears of those that may be concerned that we are rushing towards 3.0 before we even have 2.0.  If the above assumptions are met, then I believe that it would be a bargain to be able to add anonymity onto a functional 2.0 for the miserly sum of 2M BTS in inflation.

I tend towards the non inflationary camp, and of course I recognize that the funds I would spend to feed this development do not belong solely to me.  I am attempting to be extra cautious about how easy it is to spend other peoples money.  I honestly believe that a solid anonymous transaction method would be a net benefit for the bitshares community.  I would love to hear a counter argument either assuming the assumptions above, or arguing against the ability to make those assumptions. 

***edit*** I do know that a couple does not mean three.  I probably made lots of other mistakes in this post.
Title: Re: What if BitShares could have perfect privacy?
Post by: starspirit on June 14, 2015, 07:38:49 am
It's not about whether there is a counterargument or not, it's about whether this is the most important use of funds once 2.0 is launched and there are potentially many competing proposals. I guess the sentiment I was trying to express is that, given the breadth of the recent announcement, you need to allow time now for other proposals to emerge and develop before trying to establish any sort of consensus. Maybe we should even encourage a competition for the first set of proposals, with a bounty prize to the community's top choice.
Title: Re: What if BitShares could have perfect privacy?
Post by: xeroc on June 14, 2015, 08:14:58 am
I am almost sure there will be more proposals worth plenty of discussion by the time bts2 goes live.

+5% for the community already learning to discuss those!
Title: Re: What if BitShares could have perfect privacy?
Post by: karnal on June 14, 2015, 08:20:09 am
Yes, a list of other proposals and the community voting on which one(s) to implement makes sense.

And, I too would also like further clarification regarding "implementing at the protocol level" only. Why not in the gui as well? it'll be useless from a practical standpoint if it does not make it to the gui.
Title: Re: What if BitShares could have perfect privacy?
Post by: Permie on June 14, 2015, 10:57:28 am
Yes, a list of other proposals and the community voting on which one(s) to implement makes sense.

And, I too would also like further clarification regarding "implementing at the protocol level" only. Why not in the gui as well? it'll be useless from a practical standpoint if it does not make it to the gui.
My impression is that BM will develop the code, and then leave it up to wallet providers for the GUI to use it
Title: Re: What if BitShares could have perfect privacy?
Post by: sittingduck on June 14, 2015, 01:38:56 pm
GUI would require JavaScript implementation of crypto used for blinded trx.   I bet that is a lot more work than just using the library produced by blockstream
Title: Re: What if BitShares could have perfect privacy?
Post by: arhag on June 14, 2015, 02:48:17 pm
GUI would require JavaScript implementation of crypto used for blinded trx.   I bet that is a lot more work than just using the library produced by blockstream

Couldn't emscripten help with that?
Title: Re: What if BitShares could have perfect privacy?
Post by: bytemaster on June 14, 2015, 06:10:29 pm
GUI would require JavaScript implementation of crypto used for blinded trx.   I bet that is a lot more work than just using the library produced by blockstream

Couldn't emscripten help with that?

That's pretty cool.
Title: Re: What if BitShares could have perfect privacy?
Post by: puppies on June 15, 2015, 04:41:02 am
It's not about whether there is a counterargument or not, it's about whether this is the most important use of funds once 2.0 is launched and there are potentially many competing proposals. I guess the sentiment I was trying to express is that, given the breadth of the recent announcement, you need to allow time now for other proposals to emerge and develop before trying to establish any sort of consensus. Maybe we should even encourage a competition for the first set of proposals, with a bounty prize to the community's top choice.

I agree with you.  I think.

To me it seems as if you accepted my assumptions as valid.  And offered the counter argument that we should wait until we have more proposals to decide which is most important.  Bravo.  I accept your counter argument as true, and await all the proposals we will hopefully see.  While I am still really excited by the idea of privacy on the blockchain I am very open to the idea that something more important could come up.

I really am attempting to communicate and realize that my style of writing is not always conducive to that.  Please forgive me for my writing deficiencies.  Writing takes so much longer than thinking or speaking and I often feel as if I have lost my point by the time I am done. 
Title: Re: What if BitShares could have perfect privacy?
Post by: Erlich Bachman on June 16, 2015, 02:29:45 pm
I for one can't think of a better option, especially if we can get this to market first, like BM said is possible.

The lure of being the first mover in this space is well worth the risk, IMVO.
Title: Re: What if BitShares could have perfect privacy?
Post by: karnal on June 16, 2015, 02:32:53 pm
One thing that has been bothering me: Properly used, TITAN appears to have done the job well.

Now, that was unilaterally stripped out, (shareholders were not consulted on the matter) and what is being proposed is monies to essentially re-implement something we already had.

Anybody else see a potential issue with this?
Title: Re: What if BitShares could have perfect privacy?
Post by: bytemaster on June 16, 2015, 02:36:47 pm
One thing that has been bothering me: Properly used, TITAN appears to have done the job well.

Now, that was unilaterally stripped out, (shareholders were not consulted on the matter) and what is being proposed is monies to essentially re-implement something we already had.

Anybody else see a potential issue with this?

The titan part isn't what you would be paying for.  It is the confidential transactions part.   TITAN didn't do the job well.
Title: Re: What if BitShares could have perfect privacy?
Post by: karnal on June 16, 2015, 02:42:47 pm
One thing that has been bothering me: Properly used, TITAN appears to have done the job well.

Now, that was unilaterally stripped out, (shareholders were not consulted on the matter) and what is being proposed is monies to essentially re-implement something we already had.

Anybody else see a potential issue with this?

The titan part isn't what you would be paying for.  It is the confidential transactions part.   TITAN didn't do the job well.

So the thing was/is fully broken? Sending funds between accounts and then from the account to itself several times over days/weeks is not enough to clear the trail?

I have voting turned off as I realize that's a dead giveaway.
Title: Re: What if BitShares could have perfect privacy?
Post by: bytemaster on June 16, 2015, 02:49:52 pm
One thing that has been bothering me: Properly used, TITAN appears to have done the job well.

Now, that was unilaterally stripped out, (shareholders were not consulted on the matter) and what is being proposed is monies to essentially re-implement something we already had.

Anybody else see a potential issue with this?

The titan part isn't what you would be paying for.  It is the confidential transactions part.   TITAN didn't do the job well.

So the thing was/is fully broken? Sending funds between accounts and then from the account to itself several times over days/weeks is not enough to clear the trail?

I have voting turned off as I realize that's a dead giveaway.

Perhaps it would work if you sent random amounts to yourself over time but it wouldn't be perfect.
Title: Re: What if BitShares could have perfect privacy?
Post by: arhag on June 16, 2015, 06:03:56 pm
I have voting turned off as I realize that's a dead giveaway.

I think we really need a solution to this that could work with blinded values without compromising privacy much. Otherwise, people who really care about privacy won't vote to the detriment of the network.

I already discussed this elsewhere but I think it is important to allow some semi-trusted third party to claim vote tallies from the blinded BTS balances of some selection of accounts. But it has to be done in a way that prevents the third party from changing the votes (they could only choose to exclude accounts from the vote tally, but not use their stake to vote for someone the stakeholder didn't vote for). So let's say some subset of accounts with blinded BTS balances decide to elect a particular third party to see their BTS balance (by privately sharing the blinding factor with the third party) and aggregate their vote. The third party would specify the account IDs of all the accounts whose votes it will be aggregating. It will also specify a blacklist of delegates/witnesses/workers that it will not aggregate votes for because not enough of the specified accounts are voting for that delegate/witness/worker (which would compromise privacy for the few accounts in the selection that were voting for that delegate/witness/worker). Then for each member in the union of the delegates/witnesses/workers that were included in the votes of the selected accounts, the third party provides a plain-text stake tally and proof that the sum is valid. This proof is a commitment of the tally and a signature proving that fact, where the blinding factor of the commitment is selected so that the sum of commitments of the BTS balances for all accounts voting for the specific delegate/witness/worker (subtracted by the sum of the commitments of the BTS balances for all accounts voting against the specified worker, in the specific case of workers since they can be downvoted) equals the commitment of the tally provided as part of the proof.
In other words, for each member X (delegate/witness/worker) add all the blinding factors of accounts approving of X and, if X is a worker, subtract all the blinding factors of accounts disapproving of X to get the blinding factor for the commitment to the tally. This transaction only needs to be provided to the blockchain once per maintenance period to save costs (it is okay if there is even a 1 day delay in incorporating all the votes).

The good thing about this approach is that the third-party cannot lie about the votes (only exclude them). Aggregating the vote results from different third-parties is problematic for the blockchain if the selections of accounts for each of the aggregates have some overlap. The blockchain can always ignore valid vote tally transactions for the same maintenance period from third parties if their account selections are a subset of that of a valid vote tally transaction of the same maintenance period from another third party. But when neither account selection of two different valid tally transactions are a subset of the other but yet do still overlap, the blockchain is forced to ignore at least one of them. To avoid this, each account should only choose one third party to aggregate their vote at any given time. This selection by each account could be recorded on the blockchain, so that any vote tally transaction by a third party trying to include the votes of an account that has not specified them as the third party that is allowed to aggregate their vote is automatically dismissed as invalid. Furthermore, the accounts could publicly put some money in a fund specifically to economically motivate the third party to include them into the vote tally. The third party including an account into the aggregation of a vote tally transaction could withdraw a specific amount of funds from that account. The account may automatically pay the third party some small fee from the fund each day for each delegate/witness/worker that they voted for and that was included (meaning not blacklisted) into the vote tally for the day by the designated third party.

One way to make this better would be if the cryptography could allow each account to publish information on the blockchain that proves that they publicly provide enough information for someone who knows the private key corresponding to some specified public key (the public key of the third party in this case) to be able to derive the blinding factor for the account's BTS balance commitment (but without actually revealing the blinding factor to anyone else who doesn't possess that private key). If the cryptography could be designed this way (some kind of zero knowledge proof), then the blockchain could assume that the owner of that private key (the third party) would include all accounts which provide such valid proofs in their vote tally transaction and had set a maximum pay per day per voting item that was more than or equal to the minimum threshold defined by the third party (and of course had enough funds set aside to pay for that cost of including their votes in the vote tally transaction for that day). This would mean that the third party would not need to specify a long list of account IDs as part of the daily vote tally transactions (meaning smaller transaction size and lower costs). Obviously in that situation the third party would be forced to include the votes (with the exception of blacklisted delegate/witness/worker votes that hardly anyone voted for) of every account that elected them to aggregate the vote and provided the valid proof and had enough funds designated for the purpose of paying the necessary costs, since that is what the blockchain protocol would expect from the vote tally transaction submitted by the third party.
Title: Re: What if BitShares could have perfect privacy?
Post by: Thom on June 19, 2015, 01:09:25 am
Yes, a list of other proposals and the community voting on which one(s) to implement makes sense.

And, I too would also like further clarification regarding "implementing at the protocol level" only. Why not in the GUI as well? It'll be useless from a practical standpoint if it does not make it to the GUI.

Most early adopters of this feature could probably get by with the CLI (no GUI) implementation initially. Besides, I think the CNX team has shown they're far more innovative in the backend than the UI / UX.

It's not about whether there is a counterargument or not, it's about whether this is the most important use of funds once 2.0 is launched and there are potentially many competing proposals. I guess the sentiment I was trying to express is that, given the breadth of the recent announcement, you need to allow time now for other proposals to emerge and develop before trying to establish any sort of consensus. Maybe we should even encourage a competition for the first set of proposals, with a bounty prize to the community's top choice.

I agree with you.  I think.

To me it seems as if you accepted my assumptions as valid.  And offered the counter argument that we should wait until we have more proposals to decide which is most important.  Bravo.  I accept your counter argument as true, and await all the proposals we will hopefully see.  While I am still really excited by the idea of privacy on the blockchain I am very open to the idea that something more important could come up.

I really am attempting to communicate and realize that my style of writing is not always conducive to that.  Please forgive me for my writing deficiencies.  Writing takes so much longer than thinking or speaking and I often feel as if I have lost my point by the time I am done.

I think you express yourself quite well puppies, and I can actually get through your posts in one sitting unlike other TL;DR posts in this thread (no offense intended arhag :) )
Title: Re: What if BitShares could have perfect privacy?
Post by: puppies on June 19, 2015, 06:26:32 am
Thanks Thom.  I sometimes feel as if I am speaking a different language than everyone else on this board.

Arhag.  I am not going to pretend that I have spent the time to understand why your proposed method is provably fair.  With that said, I don't think it would work.  We already have a dearth of voting shareholders.  I don't think many at all would vote with their private stake if it took so many hoops, and reduced their privacy so much.  The only way to be sure that your private balance wasn't being leaked would be to designate your own account as the voting party, and that has obvious repercussions.  I know I wouldn't trust it.
Title: Re: What if BitShares could have perfect privacy?
Post by: arhag on June 19, 2015, 06:28:56 am
I already discussed this elsewhere but I think it is important to allow some semi-trusted third party to claim vote tallies from the blinded BTS balances of some selection of accounts. But it has to be done in a way that prevents the third party from changing the votes (they could only choose to exclude accounts from the vote tally, but not use their stake to vote for someone the stakeholder didn't vote for). So let's say some subset of accounts with blinded BTS balances decide to elect a particular third party to see their BTS balance (by privately sharing the blinding factor with the third party) and aggregate their vote. The third party would specify the account IDs of all the accounts whose votes it will be aggregating. It will also specify a blacklist of delegates/witnesses/workers that it will not aggregate votes for because not enough of the specified accounts are voting for that delegate/witness/worker (which would compromise privacy for the few accounts in the selection that were voting for that delegate/witness/worker). Then for each member in the union of the delegates/witnesses/workers that were included in the votes of the selected accounts, the third party provides a plain-text stake tally and proof that the sum is valid. This proof is a commitment of the tally and a signature proving that fact, where the blinding factor of the commitment is selected so that the sum of commitments of the BTS balances for all accounts voting for the specific delegate/witness/worker (subtracted by the sum of the commitments of the BTS balances for all accounts voting against the specified worker, in the specific case of workers since they can be downvoted) equals the commitment of the tally provided as part of the proof.
In other words, for each member X (delegate/witness/worker) add all the blinding factors of accounts approving of X and, if X is a worker, subtract all the blinding factors of accounts disapproving of X to get the blinding factor for the commitment to the tally. This transaction only needs to be provided to the blockchain once per maintenance period to save costs (it is okay if there is even a 1 day delay in incorporating all the votes).

Damn. I just thought of a complication to the above that can compromise privacy. If one account changes their vote from one maintenance period to another and they are the only one to do so, the public could compare the differences in the aggregated votes to determine the stake of the account. Even if a few accounts do this each maintenance period, it may still be possible to over time figure out their stakes as long as the members from that set change their votes in different unrelated sets in other future maintenance periods. Basically, unless you have a very large fraction of voters all changing their votes in the same maintenance period, you will likely leak information over time. Extending the maintenance period for voting can help with privacy but at the cost of increasing the delay of incorporating the updates to votes by blinded stake.

Privacy is damn hard.
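
The tally proof arhag proposes (in the earlier post and quoted in the one above) and the differencing leak raised in the post above, worked through as an added example; it is not code from the thread or from BitShares/Graphene. It assumes Pedersen commitments on secp256k1 with a hash-derived second generator and a Schnorr signature standing in for the "signature proving that fact"; every function name, account, stake and vote is constructed for illustration.

```python
import hashlib
import secrets

P = 2**256 - 2**32 - 977  # secp256k1, the curve Confidential Transactions commits on
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; k is reduced mod the group order
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def second_generator(tag):
    """Hash to a curve point so that nobody knows its discrete log relative to G."""
    x = int.from_bytes(hashlib.sha256(tag).digest(), "big") % P
    while pow(x**3 + 7, (P - 1) // 2, P) != 1:  # Euler criterion: need a square
        x = (x + 1) % P
    return (x, pow(x**3 + 7, (P + 1) // 4, P))

H = second_generator(b"constructed example generator")

def commit(stake, blind):
    """Pedersen commitment stake*H + blind*G: the blinded balance stored on chain."""
    return add(mul(stake, H), mul(blind, G))

def tally_key(chain, votes, member, tally):
    """Q = sum(sign_i * C_i) - tally*H; equals r_sum*G only when the tally is correct."""
    q = mul(-tally, H)
    for acct, ballot in votes.items():
        if member in ballot:
            q = add(q, mul(ballot[member], chain[acct]))
    return q

def challenge(nonce, key, member, tally):
    data = repr((nonce, key, member, tally)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def prove_tally(chain, secret, votes, member, claim=None):
    """Aggregator: sum stakes and blinding factors, then Schnorr-sign with the blinding sum."""
    cast = [(b[member], *secret[a]) for a, b in votes.items() if member in b]
    tally = sum(sign * stake for sign, stake, _ in cast) if claim is None else claim
    r_sum = sum(sign * blind for sign, _, blind in cast) % N
    k = secrets.randbelow(N - 1) + 1
    nonce = mul(k, G)
    e = challenge(nonce, tally_key(chain, votes, member, tally), member, tally)
    return tally, (nonce, (k + e * r_sum) % N)

def verify_tally(chain, votes, member, tally, sig):
    """Chain: needs only the commitments, the public votes, the tally and the signature."""
    nonce, s = sig
    key = tally_key(chain, votes, member, tally)
    return mul(s, G) == add(nonce, mul(challenge(nonce, key, member, tally), key))

def differencing_leak(before, after):
    """Stake exposed when a single account moves its vote between two periods."""
    deltas = {abs(after.get(m, 0) - before.get(m, 0)) for m in set(before) | set(after)} - {0}
    return deltas.pop() if len(deltas) == 1 else None

# Constructed sample: account -> (stake, blinding factor), known to owner and aggregator.
SECRET = {a: (v, secrets.randbelow(N)) for a, v in
          {"alice": 1200, "bob": 350, "carol": 9000}.items()}
CHAIN = {a: commit(v, r) for a, (v, r) in SECRET.items()}  # public commitments
VOTES_P1 = {"alice": {"witness-a": 1}, "bob": {"witness-a": 1, "worker-x": -1},
            "carol": {"witness-b": 1, "worker-x": 1}}  # public; -1 is a worker downvote
VOTES_P2 = dict(VOTES_P1, alice={"witness-b": 1})  # only alice changes her vote

def published_tallies(votes):
    """Plain-text tallies the aggregator publishes for one maintenance period."""
    members = sorted({m for b in votes.values() for m in b})
    return {m: prove_tally(CHAIN, SECRET, votes, m)[0] for m in members}

if __name__ == "__main__":
    p1, p2 = published_tallies(VOTES_P1), published_tallies(VOTES_P2)
    print(p1, p2, "stake leaked by differencing:", differencing_leak(p1, p2))
```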
Title: Re: What if BitShares could have perfect privacy?
Post by: arhag on June 19, 2015, 06:33:56 am
Arhag.  I am not going to pretend that I have spent the time to understand why your proposed method is provably fair.  With that said, I don't think it would work.  We already have a dearth of voting shareholders.  I don't think many at all would vote with their private stake if it took so many hoops, and reduced their privacy so much.  The only way to be sure that your private balance wasn't being leaked would be to designate your own account as the voting party, and that has obvious repercussions.  I know I wouldn't trust it.

Even if we could figure out a very good privacy solution and make it user friendly (which I still believe is possible, but it is hard), I think it would necessarily be more costly than public voting. Who would pay for the cost of that extra expense? I doubt the voter would since they would then have to sacrifice some cost and a minimal amount of privacy for the sake of a public good. But also having the cost subsidized by the blockchain is problematic because it would likely be exploited by the people who make revenue from these expenses (and we have no way of measuring what a good voter is anyway).

This seems like a big problem to me. Will there be enough people willing to expose their BTS stake publicly for the sake of the network?
Title: Re: What if BitShares could have perfect privacy?
Post by: puppies on June 19, 2015, 06:47:03 am
I think it depends on the expected payoff from exposing that balance and thus being allowed to vote.  If you can create an account completely anonymously, and then use it for unblinded transactions like market trades, you should be able to create a truly anonymous account and then vote with the stake.  If you are voting a popular slate you should be able to do this without giving up your privacy.  The issue I see with this is then any future transactions would likely leak at least the paying account and the receiving account.  Perhaps if you could unblind a portion of your stake, and this portion is recomputed daily depending upon a random number generator within a certain parameter.  Your voting stake would vary day to day, and it would be hard to determine if any transactions had been sent, and if so to who.  Especially because transactions would by default come out of the blinded portion and be sent to the blinded portion of the receiver.  This should be easy enough to set up in the wallet, and could be a standard feature that can be turned off. 

I really don't understand how the balances are going to be blinded though, so I may be way off base.
Title: Re: What if BitShares could have perfect privacy?
Post by: sudo on June 20, 2015, 09:33:58 am
cool
Title: Re: What if BitShares could have perfect privacy?
Post by: karnal on June 20, 2015, 09:59:18 am
bump
Title: Re: What if BitShares could have perfect privacy?
Post by: monsterer on June 21, 2015, 12:36:53 pm
I just wanted to point out that perfect privacy is not this. Perfect privacy would be a transaction which never hit the blockchain, but this is an unsolved problem (due to double spend), as far as I know.
Title: Re: What if BitShares could have perfect privacy?
Post by: Akado on June 21, 2015, 02:01:47 pm
I just wanted to point out that perfect privacy is not this. Perfect privacy would be a transaction which never hit the blockchain, but this is an unsolved problem (due to double spend), as far as I know.

Indeed, it kind of contradicts itself. For perfect anonymity you can't have info on transactions, however, if you don't, how can you avoid double spend? Unless you can do this with the least amount of info possible on the transaction, but enough to avoid it (the double spend)
Title: Re: What if BitShares could have perfect privacy?
Post by: karnal on June 21, 2015, 08:48:31 pm
Bottom line: We need privacy + anonymity in BTS 2.0!

Title: Re: What if BitShares could have perfect privacy?
Post by: jakub on June 22, 2015, 07:21:05 am
The only case I am aware of where perfect privacy & anonymity existed was the implementation of digital cash in Open Transactions (http://opentransactions.org/wiki/index.php/About) by Chris Odom.

Since it looks like in 2.0 we are drifting towards a federation-of-servers architecture (full nodes being maintained on server side and most users limited to light wallets) I am beginning to think that the whole beauty & power of Open Transactions can be gradually implemented in BTS, including digital cash. This would be absolutely amazing if we could pull this trick.

I wonder if BM is familiar with the Open Transactions concept and what he thinks of going in this direction in the future.
Title: Re: What if BitShares could have perfect privacy?
Post by: Tuck Fheman on June 22, 2015, 07:31:22 am
The only case I am aware of where perfect privacy & anonymity existed was the implementation of digital cash in Open Transactions (http://opentransactions.org/wiki/index.php/About) by Chris Odom.

Since it looks like in 2.0 we are drifting towards a federation-of-servers architecture (full nodes being maintained on server side and most users limited to light wallets) I am beginning to think that the whole beauty & power of Open Transactions can be gradually implemented in BTS, including digital cash. This would be absolutely amazing if we could pull this trick.

I wonder if BM is familiar with the Open Transactions concept and what he thinks of going in this direction in the future.

I posed this same question to Feathercoin/Pete in 2013. Back me up @Mirrax :D
Title: Re: What if BitShares could have perfect privacy?
Post by: bytemaster on June 22, 2015, 01:18:43 pm
The only case I am aware of where perfect privacy & anonymity existed was the implementation of digital cash in Open Transactions (http://opentransactions.org/wiki/index.php/About) by Chris Odom.

Since it looks like in 2.0 we are drifting towards a federation-of-servers architecture (full nodes being maintained on server side and most users limited to light wallets) I am beginning to think that the whole beauty & power of Open Transactions can be gradually implemented in BTS, including digital cash. This would be absolutely amazing if we could pull this trick.

I wonder if BM is familiar with the Open Transactions concept and what he thinks of going in this direction in the future.

I posed this same question to Feathercoin/Pete in 2013. Back me up @mirrax :D

I am familiar with his digital cash and it is the foundation of our voting architecture.   

Title: Re: What if BitShares could have perfect privacy?
Post by: jakub on June 22, 2015, 02:09:56 pm
The only case I am aware of where perfect privacy & anonymity existed was the implementation of digital cash in Open Transactions (http://opentransactions.org/wiki/index.php/About) by Chris Odom.

Since it looks like in 2.0 we are drifting towards a federation-of-servers architecture (full nodes being maintained on server side and most users limited to light wallets) I am beginning to think that the whole beauty & power of Open Transactions can be gradually implemented in BTS, including digital cash. This would be absolutely amazing if we could pull this trick.

I wonder if BM is familiar with the Open Transactions concept and what he thinks of going in this direction in the future.

I posed this same question to Feathercoin/Pete in 2013. Back me up @mirrax :D

I am familiar with his digital cash and it is the foundation of our voting architecture.
Happy to hear it.
Do you envision having something similar to digital cash issued by BTS blockchain in the long run?
I mean: is it technically feasible for BTS full nodes to take on the role of OT federated servers?
Title: Re: What if BitShares could have perfect privacy?
Post by: arhag on June 22, 2015, 03:09:36 pm
I am familiar with his digital cash and it is the foundation of our voting architecture.

Has the cryptography behind the voting architecture changed? If I remember correctly I think you were at some point planning on using linkable ring signatures to protect voter privacy, were you not? I assume the change is due to the fact that using ring signatures would require very large signatures if we wanted to provide sufficient privacy (hiding in a large enough group) for voters.

If you are using blinded signatures, what steps are being taken to prevent the signer from creating fake votes to take over the votes of people who sign up for an election but don't bother to vote? Are the blinded signatures using multisig or better yet threshold sigs (is a blinded threshold sig doable?) to reduce the chance of collusion to create fake votes? Are there economic incentives designed in the voting system to encourage everyone who signed up for the election to cast a vote (even if the vote is to say they refuse to vote)? For example, the voter could put up some fixed amount of money that goes into a common pool when registering for the election (and getting their blinded token signed), and then after the period to sign up for the election ended a new period would open up to allow users to anonymously associate their signed unblinded tokens to a new pseudonymous public key (with which they sign the ballots they will later cast) and provide a new blinded token to be signed with another set of keys by the token signers. After this second period ended, the election could finally open up to accept ballots and the voters would also be able to reveal the second signed blinded token to withdraw the fixed fund from the common pool. The economic motivation to get their money back would mean that nearly all of the people who signed up would broadcast their unblinded tokens. If the number of valid signed unblinded tokens ever exceeded the number of blinded tokens that were signed, everyone would know the signers were manipulating the results and the results of the election could not be trusted. In fact, the signers could put up some amount of funds into an escrow which they would lose if this manipulation were to ever happen. That way even if they didn't care about their reputation, they wouldn't even have an economic motivation to create fake signed tokens in order to steal the voters' temporary deposits.
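
The registration and token-count audit proposed in the post above, as an added example rather than BitShares' voting code. It assumes textbook Chaum-style RSA blind signatures with a toy key; `Election`, `run` and the three accounts are constructed names. The `run` scenarios show why the post wants a deposit that pushes every registrant to reveal: the count check only catches a minted token when no registrant stays silent.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the token signer, built from two Mersenne primes.
# Constructed for the example and far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent

def digest(token):
    """Hash a token into Z_N (simplified for the example)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token):
    """Voter: hide the token digest behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(token) * pow(r, E, N) % N, r

def sign_blinded(blinded):
    """Signer: signs the blinded value without learning the token."""
    return pow(blinded, D, N)

def unblind(blinded_sig, r):
    """Voter: strip r to obtain an ordinary signature on the token."""
    return blinded_sig * pow(r, -1, N) % N

def is_valid(token, sig):
    return pow(sig, E, N) == digest(token)

class Election:
    """Public record: which accounts got a signature, which tokens were revealed."""

    def __init__(self):
        self.registered = set()  # accounts that paid the deposit
        self.revealed = set()    # unblinded tokens broadcast anonymously

    def register(self, account, blinded):
        if account in self.registered:
            raise ValueError("one signed token per registered account")
        self.registered.add(account)
        return sign_blinded(blinded)

    def reveal(self, token, sig):
        if is_valid(token, sig):
            self.revealed.add(token)

    def audit_ok(self):
        """More valid tokens than signatures issued proves the signer minted extras."""
        return len(self.revealed) <= len(self.registered)

def run(voters_who_reveal, forged_tokens):
    """Constructed scenario: three accounts register, some reveal, the signer mints some."""
    election, wallets = Election(), {}
    for account in ("alice", "bob", "carol"):
        token = secrets.token_bytes(16)
        blinded, r = blind(token)
        wallets[account] = (token, unblind(election.register(account, blinded), r))
    for account in voters_who_reveal:
        election.reveal(*wallets[account])
    for _ in range(forged_tokens):  # signer applies its own key to a made-up token
        fake = secrets.token_bytes(16)
        election.reveal(fake, pow(digest(fake), D, N))
    return len(election.revealed), election.audit_ok()

if __name__ == "__main__":
    print("all reveal, no forgery:  ", run(["alice", "bob", "carol"], 0))
    print("all reveal, one forgery: ", run(["alice", "bob", "carol"], 1))
    print("carol silent, one forgery:", run(["alice", "bob"], 1))
```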
Title: Re: What if BitShares could have perfect privacy?
Post by: Permie on July 05, 2015, 06:32:10 pm
I've been reading around on privacy and I found some useful info on /r/cryptoanarchy and
I didn't realise HOW hard privacy really is.
IMO truly private/anon bitshares accounts cannot be associated with a forum user or other communication tool

http://www.reddit.com/r/CryptoAnarchy/comments/3biac4/requirements_for_a_communication_platform_for/

From user /u/DataPhreak:
Quote
    No logging of private information.
    Be able to go back in 'chat-history'.

These two things are mutually exclusive. For example, I know you frequent /r/communism /r/socialism /r/occupywallstreet and more. If i wanted to read through all of your posts, I could determine other details about you. Did you know it only takes 7 timestamped references to the weather to geolocate you to a specific city? One of the members of Lulzsec was busted based on the fact that he mentioned he was a freegan in IRC.

"Ops, espionage*. The Danish term is spionage.." Is Danish.

" My speedometer won't go +15mph, but it moves. How can that be? " has a dual sport. Honda XL600R

You see now why this is a bad idea? I'm just going to stop there.

Also, they would look at the date that the old one stopped posting and the new one started posting. Also, even though you may not keep logs, and even if the traffic is encrypted, if they can MITM like the government, they can watch for your upstream traffic and use its time stamp to determine what you've posted. So, let's say the Danish government decides they don't like what this new wave extremist honda xl600r rider is posting. All they have to do is run the internet backbone through wireshark, filter out all IPs of people who don't have dual sports, watch for the one who connects to the website, and poof, he disappears.
Title: Re: What if BitShares could have perfect privacy?
Post by: ElMato on July 06, 2015, 05:28:53 am
I just wanted to point out that perfect privacy is not this. Perfect privacy would be a transaction which never hit the blockchain, but this is an unsolved problem (due to double spend), as far as I know.

Razvan Dragomirescu from Othercoin has a nice solution to this problem.
http://www.othercoin.com/OtherCoin.pdf

Basically you exchange private keys (that you don't know) in a secure way using smartcards and remote attestation.
Title: Re: What if BitShares could have perfect privacy?
Post by: Yao on July 06, 2015, 11:50:06 am
Nice !
 +5%
Title: Re: What if BitShares could have perfect privacy?
Post by: mirrax on July 08, 2015, 07:26:11 am
Quote
I posed this same question to Feathercoin/Pete in 2013. Back me up @mirrax :D
As you said Sir.
Title: Re: What if BitShares could have perfect privacy?
Post by: clayop on July 22, 2015, 07:58:41 pm
Bump... and excited

https://github.com/cryptonomex/graphene/commit/be65c277c96b96cfa6e31773cce9805d3d51be87
Title: Re: What if BitShares could have perfect privacy?
Post by: karnal on July 24, 2015, 07:58:57 pm
Bump... and excited

https://github.com/cryptonomex/graphene/commit/be65c277c96b96cfa6e31773cce9805d3d51be87

:)