Coin Mixing within Counterparty

If one could trade XCP for XCP on the decentralized exchange, with the rule that an order can’t match itself, then this would enable decentralized coin mixing within the Counterparty Protocol for enhanced privacy of the users who wish to avail of it. This should work for any asset that can be escrowed by the Counterparty Protocol.

How feasible is it to enable this within Counterparty? What needs to be changed (if anything)?

[quote author=Equality 7-2521 link=topic=358.msg2450#msg2450 date=1401054641]
If one could trade XCP for XCP on the decentralized exchange, with the rule that an order can’t match itself, then this would enable decentralized coin mixing within the Counterparty Protocol for enhanced privacy of the users who wish to avail of it. This should work for any asset that can be escrowed by the Counterparty Protocol.

How feasible is it to enable this within Counterparty? What needs to be changed (if anything)?
[/quote]


This is a great idea. It seems like this could already be possible within the protocol. We just need someone to make a nice little interface for it.

Now do it with XBTC that can be seamlessly traded back via Vennd into BTC and you’re really onto something. Repeat for LTC, DOGE, holy shit. This is an awesome idea. Devs do this omg

Great idea! I don’t see any reason not to enable trading an asset for itself (except BTC, which just wouldn’t work), which was disabled in the protocol arbitrarily.

Orders already can’t match themselves, so that’s fine.

[quote author=PhantomPhreak link=topic=358.msg2467#msg2467 date=1401206799]
Great idea! I don’t see any reason not to enable trading an asset for itself (except BTC, which just wouldn’t work), which was disabled in the protocol arbitrarily.

Orders already can’t match themselves, so that’s fine.
[/quote]

Done! https://github.com/CounterpartyXCP/counterpartyd/commit/4f192ed97dcd19d09508008b5008789a9035a516

[quote author=PhantomPhreak link=topic=358.msg2468#msg2468 date=1401207573]
[quote author=PhantomPhreak link=topic=358.msg2467#msg2467 date=1401206799]
Great idea! I don’t see any reason not to enable trading an asset for itself (except BTC, which just wouldn’t work), which was disabled in the protocol arbitrarily.

Orders already can’t match themselves, so that’s fine.
[/quote]

Done! https://github.com/CounterpartyXCP/counterpartyd/commit/4f192ed97dcd19d09508008b5008789a9035a516
[/quote]


Counterwallet code adjusted as well: https://github.com/CounterpartyXCP/counterwallet/commit/000af6d560470b5a8d7f5c4f933a93c231c1511a


We’ll be kicking this live tomorrow, most likely.

Thank you PhantomPhreak and xnova. We are very impressed with this response. Your efforts are greatly appreciated. We are delighted that this feature was so straightforward to implement.

We have posted the following on The Bitcointalk Forum’s Counterparty Protocol Thread:

[quote author=Equality 7-2521 link=topic=395761.msg6978040#msg6978040 date=1401221586]
[quote author=baddw link=topic=395761.msg6976563#msg6976563 date=1401217046]
[quote author=romerun link=topic=395761.msg6975582#msg6975582 date=1401214029]
Apparently, we have darksend before darkcoin, we just did not turn it on.

Coin Mixing within Counterparty
[/quote]

Well, it’s not quite darksend (because as far as I can tell, your sending address ends up with the same amount of XCP that it put in; you can’t have the mixed XCP end up in an arbitrary address, right?); but it is decentralized, trustless coinmixing.  Although it only works between two parties, right?  And they both have to contribute the same amount, and they both receive the same amount… So it’s not a huge win for anonymity/privacy, although it is a tool that can be used for greater obfuscation.
[/quote]

You certainly can have mixed XCP (or any asset) end up in different addresses by placing multiple orders on the exchange simultaneously. Also, it works between more than two parties because the network matches partial orders too. So, for example, you can place an order of 100XCP for 100XCP and you can place another order from a different address of 50XCP for 50XCP. You get the 50XCP match (swap) and other users can match the rest of the 100XCP order. In this simple example you have mixed the coins a little bit with yourself (your pseudonyms) and a little bit with others. This all comes with the plausible deniability of the trades verifiably having gone through the decentralized exchange. You have now broken any chain of deanonymized transactions at that address. Feel free to simply send the balance to any arbitrary address of your choice at that stage to start from a clean slate.

Best practice must now be established for mixing within Counterparty.
[/quote]

We must think about the best practice approaches for coin/asset mixing within Counterparty now.

A good start is to read the relevant Bitcoin Mixing material. Examples:

[1] http://blog.ezyang.com/2012/07/secure-multiparty-bitcoin-anonymization/
[2] https://bitcointalk.org/index.php?topic=93390.0 - “P2P coin mixing”
[3] https://bitcointalk.org/index.php?topic=279249.0 - "CoinJoin"

We encourage everyone to discuss the utility of the decentralized mixing capabilities of the Counterparty Protocol.

The only problem with coin mixing in Counterparty as it stands is you can’t obfuscate the receiving address when you place an order.

Imagine you could specify a stealth address to receive orders to.

With Vennd involved, the process would be:

- Send BTC to a Vennd-BTC address
- Receive XBTC
- Place order, sell 100 XBTC, receive 100 XBTC at stealth address
- Send XBTC to Vennd, receive BTC back

[quote author=Giants link=topic=358.msg2472#msg2472 date=1401230291]
The only problem with coin mixing in Counterparty as it stands is you can’t obfuscate the receiving address when you place an order.

Imagine you could specify a stealth address to receive orders to.

With Vennd involved, the process would be:

- Send BTC to a Vennd-BTC address
- Receive XBTC
- Place order, sell 100 XBTC, receive 100 XBTC at stealth address
- Send XBTC to Vennd, receive BTC back
[/quote]

Vennd will support a feature to generate a payment and refund address from a web page. This web page takes 2 parameters:

1) The address you wish to receive your Counterparty asset - the stealth address to receive XBTC in your example.
2) The address you wish to receive back your BTC

Vennd will generate:
1) An address to send your BTC
2) An address to send your XBTC (to redeem your BTC)

This means in your example it would be possible for the following process:

- Generate a payment address on a Vennd XBTC web page
- Send BTC to a Vennd-BTC address
- Receive XBTC on stealth address
- Send XBTC to Vennd, receive BTC back

Note when using Vennd in this way you need to trust the operator to not store logs.

Cross-post from Bitcointalk:

[quote author=Equality 7-2521 link=topic=395761.msg6988675#msg6988675 date=1401269704]
[quote author=baddw link=topic=395761.msg6985637#msg6985637 date=1401255865]
[quote author=mindtomatter link=topic=395761.msg6984762#msg6984762 date=1401251166]
[quote author=baddw link=topic=395761.msg6976563#msg6976563 date=1401217046]
[quote author=romerun link=topic=395761.msg6975582#msg6975582 date=1401214029]
Apparently, we have darksend before darkcoin, we just did not turn it on.

Coin Mixing within Counterparty
[/quote]

Well, it’s not quite darksend (because as far as I can tell, your sending address ends up with the same amount of XCP that it put in; you can’t have the mixed XCP end up in an arbitrary address, right?); but it is decentralized, trustless coinmixing.  Although it only works between two parties, right?  And they both have to contribute the same amount, and they both receive the same amount… So it’s not a huge win for anonymity/privacy, although it is a tool that can be used for greater obfuscation.
[/quote]

It’s a win if people standardize the amounts they want to mix, so .1, 1btc, 10btc and 100btc - This can be a best practices thing with it just the unwritten rule those are the increments or a drop-down preset option for this trade-for-same transaction.
[/quote]

But, again, there can only be two parties to a trade, right?  And it’s an atomic transaction, right?  If I trade 1BTC to you, in return for 1BTC from you, we both end up with 1BTC, and both of our BTC’s can be traced to the transaction where we openly and transparently swapped 1BTC for 1BTC.  Such a transaction could never be mistaken for anything other than an attempt to obfuscate, and it really doesn’t even do a good job of that.

CoinJoin and Darksend work because they have a BUNCH of inputs from a BUNCH of addresses, all sending (say) 10 DRK as input, all receiving different outputs, where all of the outputs are to new wallet addresses and/or third parties, and everything is bundled into one large transaction that is signed by all sending addresses so that it is impossible to match up the inputs with the outputs, since the inputs are all standardized and the outputs are in randomized order.

The whole reason why it works is that it takes coins from more than 2 senders, so there is some plausible deniability there.  If you and I both have 10 $1 bills, and we each drop the $1 bills into a hat, and then we each pull out $10 from the hat and go on our separate ways, there’s no denying what the hell is going on.  It’s a pointless transaction.  We each put in $10, and we each took out $10.

But now think if 20 people (let’s call them A_1 through A_20) walk up to the hat, and each of them deposits 10 $1 bills, so there’s now $200 in the hat.  Now 20 new people (B_1 through B_20) walk up and withdraw varying amounts out of the hat – some take $1, some take $9, some take $10, some take $5 – it’s impossible for an outside observer to determine which of the depositors gave the money to which of the withdrawers.  (And of course some of the withdrawers are proxies for the original depositors anyway – i.e., new wallet addresses or even stealth addresses.)  If the police come up to A_3 afterwards and say “Hey!  You sent money to B_17, who is a drug dealer!” then they can never prove it because there were 19 other people acting as senders in the transaction, and any one of them could have been the one who sent the money to B_17.
[/quote]

We apologize, you are correct. We do not mean to mislead anyone. As it stands, trading XCP for XCP appears to be a trivial obfuscation as it is still a direct public link in the chain of ownership. (Please largely ignore our previous post as we misunderstood your initial qualms and we addressed the wrong thing entirely). However, it may prove to be one of a number of tools which when used in combination provide varying degrees of anonymity: from trivial obfuscation to near total anonymity.

As you say, if a number of orders could be bundled together to make one composite order (from one address say) and then redistributed after being matched (to new addresses) then we have more significant privacy.
[/quote]

Again, we do not mean to mislead anyone. Currently, this coin swapping capability does not appear to lead to increased privacy in and of itself. But it may be one component of a more complete solution and at least it has started a vibrant discussion and once again exhibited the impressive community engagement of the Counterparty developers.

Vennd looks like a very promising project which is very relevant to this discussion. Keep up the good work.
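
An added illustration, not part of any post in this thread and not counterpartyd code: a toy same-asset order book with partial fills, run on the 100/50 scenario described above, showing what the public match records reveal and how that differs from a joint transaction with many equal inputs. The address labels are constructed, and treating "an order can't match itself" as "an address never fills its own orders" is an assumption of this model.

```python
from collections import defaultdict

def match_orders(orders):
    """Toy same-asset book. orders: (address, amount) in arrival order.
    Returns the public match records as (maker, taker, amount)."""
    book, matches = [], []          # book rows: [address, amount still open]
    for addr, amount in orders:
        remaining = amount
        for row in book:
            if remaining == 0:
                break
            if row[0] == addr or row[1] == 0:
                continue            # model assumption: an address never fills itself
            fill = min(remaining, row[1])   # partial fills are allowed
            row[1] -= fill
            remaining -= fill
            matches.append((row[0], addr, fill))
        book.append([addr, remaining])
    return matches

def swap_links(matches):
    """What any observer can read off the matches: per address, whose coins
    it received and how many."""
    links = defaultdict(lambda: defaultdict(int))
    for maker, taker, amount in matches:
        links[maker][taker] += amount
        links[taker][maker] += amount
    return {a: dict(peers) for a, peers in links.items()}

def join_candidates(inputs, outputs):
    """Contrast: one joint transaction with equal-value inputs. Any input may
    have funded any output, so each output's candidate set is every input."""
    if len(set(inputs.values())) != 1:
        raise ValueError("inputs must share one denomination")
    return {out: set(inputs) for out in outputs}

# Constructed scenario from the thread: 100-for-100 from one address, 50-for-50
# from a second address of the same user, then two other users (labels made up).
THREAD_ORDERS = [("user_addr_1", 100), ("user_addr_2", 50),
                 ("other_C", 30), ("other_D", 20)]

if __name__ == "__main__":
    for addr, peers in swap_links(match_orders(THREAD_ORDERS)).items():
        print(addr, "received from", peers)
    print(join_candidates({f"A_{i}": 10 for i in range(1, 21)}, ["B_17"]))
```

In the swap model every address's counterparties are named exactly in the public record, and the user's second address has the first as its only counterparty, so the self-swap ties the two pseudonyms together; in the join model the single output has 20 equally plausible sources.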

Mallory is always keeping logs :p. I don’t think Vennd could be an end-to-end solution.

OTOH, if you could place a DEx order and specify a stealth address, you could effectively swap coins at a known address for coins at an unknown address. And you could do this with all trading pairs.

A person tracking the blockchain would only see your coins moving to some other address. They could know exactly what you are doing but still have no recourse against you or the counterparty.

New idea: What if it were possible to sell an asset on the DEx with SIGHASH_ANYONECANPAY?

Then you could have numerous orders all placed by individuals, and each order specifies its own receiving stealth address.

For example, one person declares SIGHASH_ANYONECANPAY, 100 XBTC for 100 XBTC. This order isn’t cleared until all 100 XBTC are accounted for. Then a bunch of individuals could come together for a total of 100 XBTC, and the funds could be much more thoroughly dispersed to stealth addresses.

It’s not optimal - but you could use CFDs or binary bets (the non-efficiency comes from the intended side having to win the bet/ gain on the CFD to get the money across) - while the addresses are not obfuscated, the connection is arbitrary for an outside observer.