They can’t do anything except create harsh regulations for anybody using this kind of math. This is what US is doing and it does work at stripping away user privacy.
Recent ZK Knowledge podcast recently discussed a lot of this, how you can determine IP addresses inside blockchain transactions, and DDoS, and Chainanalysis usage of IP for KYC.
> people have the right to financial privacy, but technology shouldn’t be “warrant-proof.”
people aren’t warrant proof, the government is just used to a brief period of time where they could go to intermediaries instead of doing an actual investigation. this is just a reversion to the mean.
As much as I appreciate the sentiment, ring signatures are not a perfect solution for sender privacy at the moment given current ringsizes.
Almost every cryptocurrency with sender-obfuscation features bumps up against "poisoned output" attacks for low enough anonymity sets: https://www.youtube.com/watch?v=iABIcsDJKyM
But it is good enough for many purposes. The goal is to provide a high level of plausible deniability for the sender.
The privacy characteristics of the lightning network are probably worse than that of the traditional banking system, but this depends on implementations.
No, there was a limit in the early days (0.16777215 BTC for channels, 0.04294967 BTC payments) but it’s been optimal for about two years.
Direct peers are only limited by channel capacity, and the biggest nodes (exchanges like Bitfinex) keep 5+ BTC public channels (could be much larger unannounced channels).
As far as routing larger payments across the network, the Loop service handles 1.2 BTC swaps today:
Lightning is a lot less untraceable than people think. Settlement payments on a lightning channel are still traceable, and can be matched up. Also, lightning nodes get a lot of information about transactions that they don't publish to the blockchain, and you can bet that most lightning nodes that are around today keep logs. Most of them are run by big crypto companies, several of which are US-based.
More people have tried to sell me on the lightning network on the basis that it offers privacy and reduces net transaction fees than on the basis that it offers speed.
Really bizarre that the whole asset class is labelled "crypto" when it's not even traceable. The blockchain being an unalterable ledger makes this generation of cryptocurrencies weirdly public. Perhaps in the future there will be true crypto currency.
It is quite difficult to compare the obfuscation features of lightning network with that of "conventional" systems like cryptonote-style ring signatures. Consider two different situations:
A) A user picks the economically best peer to open channels with, or chooses peers randomly. Neither of these are sybil proof, which basically means you are transmitting your requests publicly.
B) A user only opens channels privately within a cohort of peers that privately agree not to keep logs, have special means of transmitting requests privately, etc.
I would assume that most users follow some of A's heuristic and some of B's. To the extent that situation B offers privacy, it prevents you from transacting with other users globally in a more general sense.
In other words, it is useful as a privacy mechanism only if you trust your peers not to keep logs, but don't trust them not to double-spend, and also you are not worried about guilt-by-association of owning a channel with these peers. If you were running some sort of dark net market or something, it would be easier to implement some sort of (cryptocurrency-backed?) chaumian cash, as you already implicitly trust the marketplace's sysadmin to some extent (as they can simply MITM your relationships unless you establish them by keypairs out-of-band (this is another sybil problem), which is probably more dangerous than double-spending).
What prevents lightning network operators from making transactions records and details available --- for fun and/or profit?
Better yet, what prevents a lightning network operator from going rogue and draining your account to fund his retirement and then moving to Tonga?
Imagine the outcry if government suddenly announced that all your fiat bank transactions will be routed through small, unregulated 3rd party operators who can do as they see fit with them?
What are you talking about? The lightning network is permissionless, you open channels with other nodes and then you can send funds across them, the other nodes can't take your funds.
Unless you mean signing up with strike or some centralized service in which case the old adage "not your keys not your coins" applies.
Most of the transactions with Bitcoin happen offchain, depending of course how you define "transaction". Definition for transaction can be stricter or more lax but for sure it is not only onchain transactions.
For example Bitcoin onchain transactions are routinely compared to Visa network - fairer comparison would also include transactions from lightning network and offchain transactions within services.
As far as I know, the state of crypto privacy is that everything is directly traceable except:
* Bitcoin lightning transactions when the lightning nodes involved are trusted to not keep logs
* Transactions through mixers with a lot of users
* Monero transactions
* Zcash private transactions
And everything is de-facto traceable except:
* Tornado cash users who use standard-size amounts (or users of another equivalently large smart-contract-based mixer)
* Monero users who are careful about their entry/exit
Zcash privacy doesn't have enough users for anonymity, most mixers are too small, and lightning users generally use nodes from exchanges which do log a lot of information that isn't kept on chain.
Am I missing anything? This seems kind of bad for cryptocurrencies in general if everything is basically traceable.
Seems about right. More users would use Tornado Cash if regulation was clear and allowed it. Zcash and Monero lack smart contracts which limits their use cases.
ZK based privacy was possible and working fine for many users through TC before the sanctions. Now it is risky as you may end up with locked funds or in jail for seeking privacy.
Edit: Should also mention Aztec and Aleo. These are working currently but in the same position that TC was before its sanctions. Hard to know what regulators will do as these tools allow for absolute privacy which is antithetical to the US government’s goals.
Many who had USDC on TC pools have had their assets frozen. Others might have a hard time sending or receiving these assets to typical US-based services because they will be hesitant to touch anything that has been through TC.
> More users would use Tornado Cash if regulation was clear and allowed it
This is simply not going to happen in the current anti-money-laundering environment. The US made Switzerland give up hiding money, they're not going to let some random geeks make trillions of dollars vanish.
well... these institutions are a bunch of random geeks? Have you ever been to any of the crypto hackathons? From Jump Capital, to Parity It's a bunch of geeks who where obssesed with flipping on the grand exchange in runescape, got into crypto and are now adept at Rust, flipping bots and essoteric coding concepts like "Ownership".
The blockchain does pose new questions about digital privacy rights. Cryptography that privatizes transactional flow of USDC tokens is indistinguishable from the same cryptography that privatizes transactional flow of digital assets.
Want to purchase an ENS name without corporations and the US government having clear knowledge of it? Too bad, the US government will not allow that. The privacy that we enjoy wish cash purchases will erode as we continue down the path of stripping away privacy in digital transactional systems.
Didn't US and FATF pressure other nations into giving up 'hiding money' through threats to cut them off from the US or partner financial systems? What happens if some coin and its developers have no interest in being connected to the US financial system -- it seems like then there would be limited ability to influence them and off/on ramps would still exist through criminal networks (and the mere presence of an on/off ramp lends USD/"X" pair value, even if the person using "X" doesn't use the ramp).
It's about how you purchase and sell it. If you sell Monero for USD on a centralised exchange, they might ask you for your ID, the source of the funds, source of the funds of your source of the funds (really!) and similar.
AFAIK ring signatures hold. It's like a mixer on every transaction so trying to track more than a few transactions back, the complexity explodes.
If you do BTC-XMR-BTC in a specific amount, you can get traced through that. Tornado cash is the same. All the exit points from Monero are non-anonymous, so you need to be careful that you don't enter and exit in ways that can be correlated.
A relatable, simplified, example: If you withdraw $3858.28 from a bank under the name Alice, and then deposit $3858.28 in a different bank under the name Bob, and those two banks share data, then someone could reasonably say Alice and Bob are connected.
He may be referring to opsec more generally (onramps, offramps), or he may be specificially referring to poisoned output attacks: https://www.youtube.com/watch?v=iABIcsDJKyM
TL;DR Ring signatures, like all sender-obfuscation methods, have a limited anonymity set: it limits you to a pool of possible senders. If Alice frequently sends funds to Bob, who frequently sends funds to Carl, who frequently sends to Alice, she can see that Alice->Bob->Carl->Alice is one possible outcome. She does this because she can trace the coin she associates with Bob to a coin she associates with Carl. There is a ton of plausible deniability at first, but the relationship between Bob and Carl becomes more obvious the more Alice->Bob->Carl->Alice continues to happen.
Alice can be multiple exchanges collaborating using KYC.
How to resist poisoning: limit your risk, churn, bigger ring-size/anonymity set, do atomic swaps (this severs chain of ownership, but is not generally sybil-proof), do multi-output transactions if you are sending to multiple people at once who can co-ordinate (this reduces the number of coins they can co-ordinate).
When using one’s own lightning node it doesn’t matter if individual nodes on the path to your destination node keep logs, they can’t collect much information besides who the last and next node are in the route. The original and final destination (as well as any other useful payment information) are obscured through onion routing and the information you can learn from traffic analysis is limited and difficult to perform well.
If you use your own lightning node, the other nodes on the path to your destination can still tell which node the information came from, and that can be used to de-anonymize your transaction. If you are the only user of your lightning node, it is trivial for the next person in the chain to attribute transactions to you.
No they can't, that's the whole point of onion routing. The next hop doesn't know if the packet started with you or if you're just another node in the payment path.
It is possible but unlikely. It is likely that clearnet use of monero is monitored, for example. But in terms of security, monero users are very cautious. The code has been independently audited, and has generally succeeded where other cryptonote-based cryptocurrencies have taken fatal missteps.
I suspect that most monero black markets are taken down by sting operations. The black markets all have a limited shelf life and these days they tend to intentionally retire before getting "silk-roaded"
A couple of other projects for privacy on ethereum:
zk.money and railgun.ch
Also dark.fi is a project that aims to produce easy-to-use developer tools for private transactions.
Satoshi's largest error was not making Bitcoin private by default and it strikes me as out of character given his/her level of commitment to being anonymous.
The BTC core team was highly concerned with the legality of the network due to previous failed currency's (eCash, B-money, Bit Gold, and Hashcash) that ended up driving certain decisions in architecture.
The original btc had a networked pokergame along with the wallet, but was taken out for a couple of reasons, including regulatory issues.
I'm not saying parent is right, or wrong but to dismiss it and to speak for the core team out of hand is folly.
Please share your reasoning - as the sibling comment mentions, there was a series of high profile online cash cases at the time, KYC being the biggest problem. It'd be weird if they didn't think hard about avoiding the same fate and perhaps this was they way they've chosen.
I don’t recall why that decision was made, but there could be a couple reasons.
First, it isn’t easy technically. Especially back when you’re designing the very first decentralized cryptocurrency and have no prior experience informing your design. ZCash, Monero, MimbleWimble and others came later after learning from Bitcoin, and there’s zero chance they could have come first.
Second, shielded transactions risk undetected inflation bugs, which actually happened to ZCash some years ago.
Third, Bitcoin was designed shortly after the Liberty Dollar founder was arrested and jailed, and everyone in Bitcoin was concerned about that too, including Satoshi. He may have decided just not to push his luck.
It seems like satoshi thought pseudo-anonyminity was sufficient. The integration of zero-knowlege proofs into cryptocurrencies was not really well understood at the time.
Quit it with this revisionist history nonsense, your second link contains where Satoshi specifically mentioned that a ZK-based version of bitcoin would be better, he just didn't know how to do it: https://bitcointalk.org/index.php?topic=770.msg8637#msg8637
Thanks, I knew there were discussions of it back then on bitcointalk and probably bitcoin wizards irc, just not where to find them. The bitcointalk thread seems to confirm #1 - it was just technically difficult to do back then.
Being anonymous to the 'Real world' but carry an identity in the "BTC world". Wallets, mining, interactions are all public within the network and significantly contributed to it's 'Community', 'make btc wallet size go up', and increase account nonce with use.
Early in the community, these metrics where your 'leaderboards'.
BTC never was anonymous, but rather a 'seperate idenitity'.
Bitcoin may not be private but it's pseudonymous, multiple public keys per private key. I think if it had have been private though, it never would have taken off. The transparency and exploitability of blockchains is key to their success. Without Bitcoin & other prominent open source blockchain-based crypto-currencies and crypto-assets, private crypto-currencies and crypto-assets wouldn't stand up.
So is it safe to say Monero is a sort of Bitcoin 2.0? I mean if Bitcoin had 'versions' that would be great. Then we wouldn't have to invent entirely new cryptocurrencies, we could just iterate on existing ones, and have our userbase intact without having to 'gain traction' for an entirely new alt-coin.
I suppose the monero userbase has similar attitudes as the early bitcoin userbase, but monero/cryptonote is not a bitcoin fork in the same sense that zcash/zerocoin is.
>we could just iterate on existing ones, and have our userbase intact without having to 'gain traction' for an entirely new alt-coin.
I think there are some fundamental limits to the throughput of a single cryptocurrency due to network latency and bandwidth. Perhaps the solution to scalability is simply to have multiple cryptocurrencies and to facilitate atomic swaps between them. So in this sense, the creation of new cryptocurrencies with minor feature changes (litecoin, bitcoin cash, wownero, cheapeth, etc.) is actually good for network diversity.
That being said, the owners of existing "big" cryptocurrencies will usually want to make changes that increase its usability to compete with these "trivial forks"
Bitcoiners have been soured by the idea of a hard fork since the XT dispute, while the monero userbase has commited itself to regular hard forks every 6 months to upgrade the network.
many cryptocurrencies do have 'versions' of a sort. See ethereum's recent one known as "the merge" which moved that currency to a completely different consensus algorithm!
The category of risk I'd add is that a public ledger means you have to also consider the odds of future improvements — for example, if someone else's data leak contributes some information about a set of transactions[1] or the analysis tools get more sophisticated then people who thought they were secure at the time might turn out not to be. This seems like a fairly risky gamble versus simply not publishing a detailed transaction log.
1. e.g. what happens if a large exchange's records leak / are subpoenaed, a criminal group being compromised by law enforcement, etc. means that a fair fraction of a mixer's transaction volume at a particular time can be identified, making it easier to focus on the remainder?
And aren't there any open source tools to do roughly similar analyses?
I'd be surprised if there aren't any. Any large-scale criminal action can be strategically simulated and analyzed on those to make these guys' job harder up to the point that it's no longer feasible for many situations.
(clarification: while I do not support any criminal action, I equally hate government survelliance)
This is mostly snake oil, perhaps efficient against the dumbest of criminals. The newer generation coin laundry service, for example Chipmixer, will have pre-funded addresses already waiting in the blockchain before the "client" even makes an account. In exchange for a deposit in a wallet controlled by Chipmixer, the client will receive a set of corresponding private keys that add up to the total value being laundered.
You might trace that the coins went into a laundry, but you will never associate with the previously laundered coins that the client got.
Yeah considering in the article he says half of his clients are private sector this seems like a bad title. Maybe they meant because most revenue comes from government? Hard to say
a lotta yall still dont get it. ape holders can use multiple slurp juices on a single ape. so if you have 1 astro ape and 3 slurp juices you can create 3 new apes. tonight's slurp juice mint event is essentially a minting event for both Lab Monkes and Special Forces.
They help anyone who wants to pay trace crypto. Their product is well implemented, and they have skilled and motivated people. There are competitors who offer similar, and in my opinion not as well done, but for considerably money.
I don't like the way any of these companies encourage authorities to impose requirements for KYT, but it's unsurprising.
103 comments
[ 3.4 ms ] story [ 152 ms ] threadhttps://zeroknowledge.fm/246-2/
I'm not clear if the conversation concluded with zk is impervious, or whether it is an active question of research.
Chainalysis in Action: Justice Dept Demands Forfeiture of 280 Crypto Addresses - https://news.ycombinator.com/item?id=24306511 - Aug 2020 (54 comments)
I, for one, am shocked that moving decentralized currency to a centralized service that knows your identity de-anonymizes said currency.
people aren’t warrant proof, the government is just used to a brief period of time where they could go to intermediaries instead of doing an actual investigation. this is just a reversion to the mean.
sorry, federal government. Keep up
Almost every cryptocurrency with sender-obfuscation features bumps up against "poisoned output" attacks for low enough anonymity sets: https://www.youtube.com/watch?v=iABIcsDJKyM
But it is good enough for many purposes. The goal is to provide a high level of plausible deniability for the sender.
I sure was.
Bitcoin as it currently exists will never be a replacement for fiat --- not even close --- for a multitude of reasons.
Individual lightning transactions are not recorded on the blockchain and are not subject to chain analysis.
Direct peers are only limited by channel capacity, and the biggest nodes (exchanges like Bitfinex) keep 5+ BTC public channels (could be much larger unannounced channels).
As far as routing larger payments across the network, the Loop service handles 1.2 BTC swaps today:
https://twitter.com/alexbosworth/status/1570189188091514880
If you want untraceable, you can go out of your way to achieve that using something akin to tornado.cash
I think the point is that the technology is already here and available - it's just not evenly distributed yet.
A) A user picks the economically best peer to open channels with, or chooses peers randomly. Neither of these are sybil proof, which basically means you are transmitting your requests publicly.
B) A user only opens channels privately within a cohort of peers that privately agree not to keep logs, have special means of transmitting requests privately, etc.
I would assume that most users follow some of A's heuristic and some of B's. To the extent that situation B offers privacy, it prevents you from transacting with other users globally in a more general sense.
In other words, it is useful as a privacy mechanism only if you trust your peers not to keep logs, but don't trust them not to double-spend, and also you are not worried about guilt-by-association of owning a channel with these peers. If you were running some sort of dark net market or something, it would be easier to implement some sort of (cryptocurrency-backed?) chaumian cash, as you already implicitly trust the marketplace's sysadmin to some extent (as they can simply MITM your relationships unless you establish them by keypairs out-of-band (this is another sybil problem), which is probably more dangerous than double-spending).
Better yet, what prevents a lightning network operator from going rogue and draining your account to fund his retirement and then moving to Tonga?
Imagine the outcry if government suddenly announced that all your fiat bank transactions will be routed through small, unregulated 3rd party operators who can do as they see fit with them?
From day one anyone in the know with Bitcoin has said LN is a scam and/or completely pointless for the users.
LN is a way for big central authorities to lock away and control the assets of individuals, sounds like a bank right?
Amazing that such an obvious scam has gone on for so long and gathered so many "users".
Unless you mean signing up with strike or some centralized service in which case the old adage "not your keys not your coins" applies.
For example Bitcoin onchain transactions are routinely compared to Visa network - fairer comparison would also include transactions from lightning network and offchain transactions within services.
* Bitcoin lightning transactions when the lightning nodes involved are trusted to not keep logs
* Transactions through mixers with a lot of users
* Monero transactions
* Zcash private transactions
And everything is de-facto traceable except:
* Tornado cash users who use standard-size amounts (or users of another equivalently large smart-contract-based mixer)
* Monero users who are careful about their entry/exit
Zcash privacy doesn't have enough users for anonymity, most mixers are too small, and lightning users generally use nodes from exchanges which do log a lot of information that isn't kept on chain.
Am I missing anything? This seems kind of bad for cryptocurrencies in general if everything is basically traceable.
ZK based privacy was possible and working fine for many users through TC before the sanctions. Now it is risky as you may end up with locked funds or in jail for seeking privacy.
Edit: Should also mention Aztec and Aleo. These are working currently but in the same position that TC was before its sanctions. Hard to know what regulators will do as these tools allow for absolute privacy which is antithetical to the US government’s goals.
This is simply not going to happen in the current anti-money-laundering environment. The US made Switzerland give up hiding money, they're not going to let some random geeks make trillions of dollars vanish.
i've heard this sentiment conveyed in the crypto space since 2011... still waiting on this prophecy to come true.
Due to incompetence, profit motive or traitors to their country, who can tell the difference? (Paraphrasing Robespierre here)
Want to purchase an ENS name without corporations and the US government having clear knowledge of it? Too bad, the US government will not allow that. The privacy that we enjoy wish cash purchases will erode as we continue down the path of stripping away privacy in digital transactional systems.
AFAIK ring signatures hold. It's like a mixer on every transaction so trying to track more than a few transactions back, the complexity explodes.
TL;DR Ring signatures, like all sender-obfuscation methods, have a limited anonymity set: it limits you to a pool of possible senders. If Alice frequently sends funds to Bob, who frequently sends funds to Carl, who frequently sends to Alice, she can see that Alice->Bob->Carl->Alice is one possible outcome. She does this because she can trace the coin she associates with Bob to a coin she associates with Carl. There is a ton of plausible deniability at first, but the relationship between Bob and Carl becomes more obvious the more Alice->Bob->Carl->Alice continues to happen.
Alice can be multiple exchanges collaborating using KYC.
How to resist poisoning: limit your risk, churn, bigger ring-size/anonymity set, do atomic swaps (this severs chain of ownership, but is not generally sybil-proof), do multi-output transactions if you are sending to multiple people at once who can co-ordinate (this reduces the number of coins they can co-ordinate).
Reference: https://github.com/lightning/bolts/blob/master/04-onion-rout...
It seems an obvious target to be a Trojan horse in the midst of criminals and tax-evaders.
I suspect that most monero black markets are taken down by sting operations. The black markets all have a limited shelf life and these days they tend to intentionally retire before getting "silk-roaded"
The original btc had a networked pokergame along with the wallet, but was taken out for a couple of reasons, including regulatory issues.
I'm not saying parent is right, or wrong but to dismiss it and to speak for the core team out of hand is folly.
First, it isn’t easy technically. Especially back when you’re designing the very first decentralized cryptocurrency and have no prior experience informing your design. ZCash, Monero, MimbleWimble and others came later after learning from Bitcoin, and there’s zero chance they could have come first.
Second, shielded transactions risk undetected inflation bugs, which actually happened to ZCash some years ago.
Third, Bitcoin was designed shortly after the Liberty Dollar founder was arrested and jailed, and everyone in Bitcoin was concerned about that too, including Satoshi. He may have decided just not to push his luck.
https://satoshi.nakamotoinstitute.org/quotes/privacy/
https://bitcointalk.org/index.php?topic=770
It seems like satoshi thought pseudo-anonyminity was sufficient. The integration of zero-knowlege proofs into cryptocurrencies was not really well understood at the time.
Being anonymous to the 'Real world' but carry an identity in the "BTC world". Wallets, mining, interactions are all public within the network and significantly contributed to it's 'Community', 'make btc wallet size go up', and increase account nonce with use.
Early in the community, these metrics where your 'leaderboards'.
BTC never was anonymous, but rather a 'seperate idenitity'.
The transparency of the ledger is key to the censorship, control, and abuse of the network.
>open source
Are you implying that the cryptonote/zerocoin projects like monero aren't open source?
>we could just iterate on existing ones, and have our userbase intact without having to 'gain traction' for an entirely new alt-coin.
I think there are some fundamental limits to the throughput of a single cryptocurrency due to network latency and bandwidth. Perhaps the solution to scalability is simply to have multiple cryptocurrencies and to facilitate atomic swaps between them. So in this sense, the creation of new cryptocurrencies with minor feature changes (litecoin, bitcoin cash, wownero, cheapeth, etc.) is actually good for network diversity.
That being said, the owners of existing "big" cryptocurrencies will usually want to make changes that increase its usability to compete with these "trivial forks"
Bitcoiners have been soured by the idea of a hard fork since the XT dispute, while the monero userbase has commited itself to regular hard forks every 6 months to upgrade the network.
[1] https://phyro.github.io/grinvestigation/why_grin.html
1. e.g. what happens if a large exchange's records leak / are subpoenaed, a criminal group being compromised by law enforcement, etc. means that a fair fraction of a mixer's transaction volume at a particular time can be identified, making it easier to focus on the remainder?
Bitcoin transactions that use CoinJoin (e.g. Wasabi Wallet). https://en.bitcoinwiki.org/wiki/CoinJoin
> is a very effective decentralised Bitcoin mixer with many privacy-focused options
> provides possibly the most convenient and secure way to mix Bitcoins
[0] https://www.tbstat.com/wp/uploads/2020/06/Europol-Wasabi-Wal...
Similar tech to this could become standard on Ethereum L2s in the future after more optimisations.
I'm pretty sure withdraws from Ren darknodes are private as they come from the network itself and aren't correlates to your node.
I'd be surprised if there aren't any. Any large-scale criminal action can be strategically simulated and analyzed on those to make these guys' job harder up to the point that it's no longer feasible for many situations.
(clarification: while I do not support any criminal action, I equally hate government survelliance)
It's called Ballet and it's open source, too!
- Quick demo video: https://www.youtube.com/watch?v=7hnNzSf2-Ak
- Live application: https://alexisrondeau.me/algorand-ballet/
- Github repo: https://github.com/akaalias/algorand-ballet
You might trace that the coins went into a laundry, but you will never associate with the previously laundered coins that the client got.
There are many, relatively simple, models to do that in real time. Wouldn't the market appreciate this?
There's XMR, some interesting little projects like DERO, and a vast sea of tokenomic pyramid scheme garbage that governments can and should stop.
Can I get this on a t-shirt? I have no idea what it means, but it sounds amazing.
https://www.buzzfeednews.com/article/katienotopoulos/you-can...
I don't like the way any of these companies encourage authorities to impose requirements for KYT, but it's unsurprising.
Specifically U.S. and protectorates right?