Stealth Transfers Worker Proposal

[bitacer]

I agree with bytemaster 100%+5%.  The public accounts here feel even less private than my centralized brokerage account.  At least there, only the brokerage company knows my transactions.  Here it feels like someone took my bank statement from the mail, crossed my name/address out, and posted it on the internet.  That feeling alone holds me back.

The backbone of bitshares won't come from the general public initially.  Heck, I can't even get engineers I know to buy one bitcoin, let alone buying bts to trade here.  The fundamental driver of all cryptos has been freedom & privacy.  bitacer already pointed that out.  Bank institutions want privacy because it's part of doing business, traders need the privacy to perform the way they want.

Joe public will be the last group to use bitshares.  Ease of use, low fees, and stealth transactions will bring in the current users of crypto and the banks.  Let the public work through them to get here.

 

[TravelsAsia]

I disagree that anonymity the most important... The most important is as follows

1. Fees for trading updated per the worker proposal
2. Referral program for trading fees
3. API for 3rd party platforms and liquidity bots

We are a decentralized exchange. We have finally discovered what we are and what we are niche is.  Most people never get a chance to discover that much less exploit it... DON'T GET DISTRACTED!

Yeah, focus on the exchange first which will hopefully bring liquidity to a few key smartcoin markets. Stealth transfers are kind of useless if people are trapped in an illiquid market. I definitely think blinded transfers will be very important after some liquidity has been reached.

This! Improve the fu***ing API real quick!!

 

The exchange is the backbone for making smartcoins useful. Let's get that working, smooth out the wallets and bring existing crypto investors into the BitShares ecosystem. There's been so much great progress in this area, let's keep that focus.

[monsterer]

Under BitShares 2 you are completely protected from 3rd parties, but have slightly less protection from those you do business with.

...because they can prove a link between sender and receipient, therefore can leak the information, which is a fairly large hole. That's where ring signatures come into play.

I would rather have full privacy, than a halfway house - the bond market would be a better goal than a half way house,  IMO.

[Tuck Fheman]

Are we trying to build this...

Or are we trying to build this....

afaict we're building this ...

[emailtooaj]

Are we trying to build this...



Or are we trying to build this....


If we're trying to build this... ^^^^^^^^^^^^
then there must be a coherent way in approaching this.  Stealth features are awesome... but it's just tint on the windows,  an "aftermarket" item.

Why can we NOT focus on getting a SOLID and SMOOTH running back end first and foremost! (analogy= Engine, Transmission and Frame)
*with 2.0 this has been much better!

Why can we NOT get a clear and usable API put together (analogy= The doors and windows to the car)
*other devs have bitched and complained about this for some time now

Why can we NOT get an intuitive and simple GUI together (analogy=Instrument panel, Steering wheel and  Keyed Ignition)
*again kudos...light years from 1.0  to 2.0 but still lacking many features and usability

Sooo... with this analogy,  If you had a gas can (analogy= gas is liquidity) and wanted to use it to fill up a form of transportation and be able to use it... which of the above two vehicles above would you choose?  Right now we're resembling the first!

I know we have the smartest and most talented Engineers working on this project but,  DAMN... let's step away from the draft tables in Engineering Dept. for a minute and let's get "all hands on deck"  and onto the shop floor working everyone available... going station by station... helping to get this thing +99% complete.
Once done...THEN we can focus how best to find/get willing users with gas cans in hand and then proceed listening to the markets of "what" aftermarket features are wanted/needed.

Bitshares IMO, always has and always should be the DEX it was meant to be.  After this has been established and implemented 100% ,  other features and add-on's should be quicker and easier to implement once the time comes.  I say this because you'll already have "most" of the ideas/plans sitting on the shelves in Engineering Dept. and will have "free'd" up man power to jump on those projects. 

So please...
We need to get away from this   vvvvvvvv


and move towards this vvvvvvv


Could stealth bring liquidity to Bitshares... ABSOLUTELY,  but not until everything else get's wrapped up IMO.

And please don't take this as a "Bash" towards the Devs or any of the hard working community members;  but realistically... It's time we get our shit together and be who we're suppose to be, THE MOST PROFESSIONAL AND BEST IN CRYPTO! 
And it must start with solid/clear project management that leads to end goals; not the other way around. 
We have plenty of goals ATM to keep us busy.

[Tuck Fheman]

So many advancements in the crypto scene. This particular change would require a hard fork to implement and would only provide a marginal increase in privacy.

Under BitShares 2:
You cannot tell two transfers were to the same recipient.... until they spend them together. 
When they are spent together you don't know which output was to someone else and which was change.... unless one of the outputs is combined with another output for which you know the owner.
Through tracing of blinded balances back to their public source you can calculate an upper bound on the value of a blinded balance, for example we know the total value of all blinded balances is the clear upper bound on any individual blinded balance.

There are only two kinds of attackers on your privacy:

1. 3rd parties whom you have never done business
2. Those with whom you have done business.

Under BitShares 2 you are completely protected from 3rd parties, but have slightly less protection from those you do business with. If I send you a lot of payments I may be able to identify a large subset of the blinded outputs that belong to you, but I would be unable to learn your balance. If you then transfer the blind output I gave you to a 3rd party then I know the upper bound on all outputs derived from the one I sent you.   

The conclusion is that the BitShares wallet should always combine all of an individual's inputs in every transaction. This will provide a similar protection to ring signatures (preventing those who sent you funds from being able to know the upper bound on downstream transactions). 

At the end of the day the only information leaked is that "you received payments from multiple people".   With every subsequent payment the probability that an individual output belongs to the same person falls by 50%.

Privacy is therefore most compromised around the edges of the blinded/stealth transfers when users convert to/from public/private it leaks some information.

Adopting ring signatures would therefore increase your privacy by increasing the "upper bound" value for an output by merging in outputs that don't belong to you and by not grouping multiple transactions as being to/from a single party.

So for almost every conceivable use case what BitShares provides is more than sufficient even if ring signatures are technically better privacy. 

What I would like to know is what kind of size and computational penalty one takes for adopting the more comprehensive solution.

I'll be that guy again.

From a layman's perspective this sounds much like what was said concerning TITAN in 1.0 and now we're being asked to pay $45,000 to get a similar level of privacy in 2.0.

Please ELI5 why that is not the case.

[bytemaster]

My "gut" tells me that crypto-diehards are looking for an easy to use ANONYMOUS currency and those of us that are freedom loving actually want and need this.  Our current lack of privacy is a turnoff to many in the crypto and banking world.

I would prefer a proposal which brings bitshares core anonymity up to the state of the art, instead of just an 'also ran':

https://github.com/ShenNoether/MiniNero/blob/master/RingCT0.1_copy.pdf

As mentioned here:

Privacy/anonymity consists of:

A. unlinkability (can't tell two transactions are to the same recipient): stealth (or just not reusing addresses)
B. untraceability (can't trace paths between tranasctions): ring signatures (or coinjoin, coinswap, though with many complications and hazards, etc.)
C. content privacy (can't see amount being spent): CT (or limited ambiguity of which outputs are change)

Bitshares with CT gives you A and C, but nothing at all for B. Monero gives you A and B, and somewhat C (via ambiguity of change outputs). Monero with ringCT will give A,B, and C, for a comprehensive solution.

So many advancements in the crypto scene. This particular change would require a hard fork to implement and would only provide a marginal increase in privacy.

Under BitShares 2:
You cannot tell two transfers were to the same recipient.... until they spend them together. 
When they are spent together you don't know which output was to someone else and which was change.... unless one of the outputs is combined with another output for which you know the owner.
Through tracing of blinded balances back to their public source you can calculate an upper bound on the value of a blinded balance, for example we know the total value of all blinded balances is the clear upper bound on any individual blinded balance.

There are only two kinds of attackers on your privacy:

1. 3rd parties whom you have never done business
2. Those with whom you have done business.

Under BitShares 2 you are completely protected from 3rd parties, but have slightly less protection from those you do business with. If I send you a lot of payments I may be able to identify a large subset of the blinded outputs that belong to you, but I would be unable to learn your balance. If you then transfer the blind output I gave you to a 3rd party then I know the upper bound on all outputs derived from the one I sent you.   

The conclusion is that the BitShares wallet should always combine all of an individual's inputs in every transaction. This will provide a similar protection to ring signatures (preventing those who sent you funds from being able to know the upper bound on downstream transactions). 

At the end of the day the only information leaked is that "you received payments from multiple people".   With every subsequent payment the probability that an individual output belongs to the same person falls by 50%.

Privacy is therefore most compromised around the edges of the blinded/stealth transfers when users convert to/from public/private it leaks some information.

Adopting ring signatures would therefore increase your privacy by increasing the "upper bound" value for an output by merging in outputs that don't belong to you and by not grouping multiple transactions as being to/from a single party.

So for almost every conceivable use case what BitShares provides is more than sufficient even if ring signatures are technically better privacy. 

What I would like to know is what kind of size and computational penalty one takes for adopting the more comprehensive solution.

[kingslanding]

I agree with bytemaster 100%+5%.  The public accounts here feel even less private than my centralized brokerage account.  At least there, only the brokerage company knows my transactions.  Here it feels like someone took my bank statement from the mail, crossed my name/address out, and posted it on the internet.  That feeling alone holds me back.

The backbone of bitshares won't come from the general public initially.  Heck, I can't even get engineers I know to buy one bitcoin, let alone buying bts to trade here.  The fundamental driver of all cryptos has been freedom & privacy.  bitacer already pointed that out.  Bank institutions want privacy because it's part of doing business, traders need the privacy to perform the way they want.

Joe public will be the last group to use bitshares.  Ease of use, low fees, and stealth transactions will bring in the current users of crypto and the banks.  Let the public work through them to get here.

[lil_jay890]

Give me one good reason why I should invest in bonds on this platform compared to the current centralized system. I would like to know why bonds are priority on a public ledger open to the whole world .

The cost of buying bonds in the centralized system is much higher than it would be on bitshares.  We (small investors) also would have the ability to issue bonds on our system, which you can't do as a regular investor in the current centralized system.

But the bond market isn't the priority right now either.  The priority is the exchange.

[topcandle]

liquidity and bond market are more important.  We need yield back.

Look at Monero.  It hasn't all faired that well even though it has anonymity. 

[Rune]

I echo the sentiment that liquidity and easy user access to the decentralized exchange should be the sole priority for any short term resources, and is a critical issue that is more important than privacy or pretty much anything else at this point. Privacy is something existing users will demand over time, rather than something that draws in new users (because few users + lots of privacy tech still means low privacy)

That being said, high privacy is going to become industry standard quite soon and I think it's a good idea for BitShares to have it on the horizon. Even Ethereum is doing it now as Vitalik has apparently implemented ring signatures: https://www.reddit.com/r/ethereum/comments/3tappe/early_alpha_monerolike_linkable_ring_signatures/

[Akado]

Anonymity is not profitable, meaning it's a no no for me. API and Bond Markets first.

Anonymity is useless with no liquidity, plus there are already other well known option for that like monero and dash. I don't know if they're as good as advertised but that doesn't matter. We're not trying to compete with them. There's less money in the anonymity market than in a proper exchange used by traders.

The only way anonymity would be profitable is if it was to be used by darkmarkets which (1) Don't even use monero and dash, well established projects known for anonymity and (2) some people don't want to be associated to dnms.

No profits can be taken from anonymity right now. It doesn't bring as much value as bringing in traders. They don't care about anonymity, they care about having a proper tool that can be used for profits.

It's all nice being libertarian but we need to follow the money. Only then when we're into a well established position, recognized as a brand, can we have the luxury of implementing certain things

[monsterer]

Where's this second quote from?

While I admit my understanding of the new stealth transactions is limited, it seems to me they can offer B.

My understanding is that if you make a blinded transaction from a blinded account to another blinded account, no one can see that transaction. In fact you even have to notify the receiver that you've made the transaction by off-chain methods because they won't be able to tell they've received it. Not very practical, granted, but seems untraceable to me.

No one can see who sent the transaction except the recipient. That's where the hole is. The new stuff is just the old stuff + blinded quantities, isn't it?

[svk]

My "gut" tells me that crypto-diehards are looking for an easy to use ANONYMOUS currency and those of us that are freedom loving actually want and need this.  Our current lack of privacy is a turnoff to many in the crypto and banking world.

I would prefer a proposal which brings bitshares core anonymity up to the state of the art, instead of just an 'also ran':

https://github.com/ShenNoether/MiniNero/blob/master/RingCT0.1_copy.pdf

As mentioned here:

Privacy/anonymity consists of:

A. unlinkability (can't tell two transactions are to the same recipient): stealth (or just not reusing addresses)
B. untraceability (can't trace paths between tranasctions): ring signatures (or coinjoin, coinswap, though with many complications and hazards, etc.)
C. content privacy (can't see amount being spent): CT (or limited ambiguity of which outputs are change)

Bitshares with CT gives you A and C, but nothing at all for B. Monero gives you A and B, and somewhat C (via ambiguity of change outputs). Monero with ringCT will give A,B, and C, for a comprehensive solution.

Where's this second quote from?

While I admit my understanding of the new stealth transactions is limited, it seems to me they can offer B.

My understanding is that if you make a blinded transaction from a blinded account to another blinded account, no one can see that transaction. In fact you even have to notify the receiver that you've made the transaction by off-chain methods because they won't be able to tell they've received it. Not very practical, granted, but seems untraceable to me.

[monsterer]

My "gut" tells me that crypto-diehards are looking for an easy to use ANONYMOUS currency and those of us that are freedom loving actually want and need this.  Our current lack of privacy is a turnoff to many in the crypto and banking world.

I would prefer a proposal which brings bitshares core anonymity up to the state of the art, instead of just an 'also ran':

https://github.com/ShenNoether/MiniNero/blob/master/RingCT0.1_copy.pdf

As mentioned here:

Privacy/anonymity consists of:

A. unlinkability (can't tell two transactions are to the same recipient): stealth (or just not reusing addresses)
B. untraceability (can't trace paths between tranasctions): ring signatures (or coinjoin, coinswap, though with many complications and hazards, etc.)
C. content privacy (can't see amount being spent): CT (or limited ambiguity of which outputs are change)

Bitshares with CT gives you A and C, but nothing at all for B. Monero gives you A and B, and somewhat C (via ambiguity of change outputs). Monero with ringCT will give A,B, and C, for a comprehensive solution.