Reply to Kristov's paper

[eduffield]

In the spirit of transparency we contacted Kristov Atlas to ask him to do a review of our technology, Darksend. Shortly after, our community happily crowd funded it and Kristov got to work.

Darksend+ is an iterative improvement on the previous version of Darksend and offers greatly improved anonymity. This functionality is directly built into the reference client for ease of use. Kristov reviewed the technology from every angle to give a thorough rundown of everything we needed to focus on in the future.

What are we trying to fix?

Bitcoin works with an unprecedented level of transparency that most people are not used to dealing with. Every transaction that has ever happened is stored permanently in a ledger that is made public for the world to see, forever.

Darkcoin solves this problem by implementing an ahead-of-time CoinJoin implementation called Darksend. A user that wants to be anonymous can use the built in technology to utilize the Masternode network to make their transaction nearly impossible to track.

How it works, By Kristov Atlas:
http://blog.anonymousbitcoinbook.com/2014/08/visualizing-one-round-of-darkcoins-darksend/

An analysis of Darkcoin’s Blockchain Privacy via Darksend+:
http://cdn.anonymousbitcoinbook.com/darkcoin/darksend-paper/Atlas_Darksend-Analysis-v001.pdf

Yesterday Kristov Atlas published an exhaustive review of the Darksend technology. It’s the most extensive review of Darksend to date. Below is an overview of the weaknesses that Atlas identified.

Solved Weaknesses, utilizing Darksend+:

• Contextual Fingerprinting Attack
• Significand Attack
• Lonely Denomination Attack
• Disparate Spending Weaknesses
• Conjoined Spend Weakness
• Output Bias Weakness
• Blockchain Analysis
• Timing Analysis

It’s worth noting that our strategy for Darksend+ has mitigated many different kinds of attacks that work on all similar crypto-currencies, while utilizing a trustless and decentralized system unlike anything else in existence.

Overcoming these weaknesses was not a small feat, but will be our strongest advantage when competing as a privacy centric crypto-currency.

Sybil Attack

In a Sybil attack, the attacker subverts the reputation system of a peer-to-peer network by creating a large number of pseudonymous identities. This allows an attacker to gain information by observation.

One of the most serious attack vectors found was a sybil attack on a two-peer Darksend denominated transaction. Requiring as few as two peers for Darksend transactions was never intended to be used beyond the scope of testing. As of RC5 this issue has been resolved.

Other sybil-type attacks (such as the active denial to sign) are mitigated by the use of collateral in the core protocol, which is actively used in RC5.

It’s worth noting that Darksend is not the only technology vulnerable to Sybil attack. All peer-to-peer systems have to deal with Sybil attacks, including Bitcoin and Cryptonote currencies.

Masternode Snooping

When Darksend peers mix with each other they use a dedicated node, called a Masternode. This node in the present implementation is required to be able to see the inputs and outputs of the transactions to ensure that parties sign, otherwise the system will charge them collateral fees.

Peers mix with many different Masternodes in a row, known as “rounds” of anonymity in the client. To follow a transaction through the full process, a user must go through a series of malicious Masternodes. This process is random, so a bad actor would need to control many Masternodes in order to attack in this way.

The trade off is a sybil resistant system or one with more personal privacy from snooping Masternodes. But in the case where a Masternode is blinded, collateral protection can’t be used. If a Masternode is blind to the submission of outputs and signing, by definition it would not know who to charge the collateral.

There are other options available, such as banning inputs of users that attempt to break the system. Something like this will have to be utilized in addition to a blinded setup to protect the system from abuse.

Darksend Queue Gaming

This can completely be eliminated by utilizing a provably random Masternode using a deterministic algorithm based on the first user who enters the node, spawning the queue message. A Masternode then could detect the gaming and reject the user eliminating the problem altogether.

Fat Sum Weakness

This weakness happens when someone spends Darksend denominated funds that could not have come from another party.

This is partially mitigated by having three participants per Darksend transaction and can be further mitigated by checking outgoing transactions and asking the user “This action will reduce your anonymity, are you sure?”.

Blockchain Bloat

Darkcoin utilizes anonymity only where it’s needed in the ecosystem. It’s automatically disabled for daemons, so the highest transaction clients will not be creating any form of bloat (Exchanges, Pools and most other high volume clients don’t require anonymity). This will allow the blockchain to grow at a much slower level than our competitors (i.e. cryptonote).

Conclusion

Darkcoin solves the anonymity problem by making the blockchain a fog. There are very few practical ways to attack our system and at it’s core and most of the attacks listed were based solely on the fact that the merged transaction were using only two participants while in the test environment. This has always been a known issue and never was intended to be used beyond testing.

Privacy offered by Darksend can be thought of as a spectrum. Although no technology can ever be perfect, Darksend is intended to provide nearly complete anonymity. The research shows that while discounting the two-peer issues, the anonymity provided by Darksend is strong and will become stronger with further development.

This research shows that Darkcoin and Darksend are maturing technologies and are ready for adoption and use by the general public.

 

[GreyGhost]

Seriousness and maturity with which you steer this development is commendable. As a humble investor into this project, I thank you for it.

 

[Coins101]

Great response.

Can we remove ref to any particular coin that shall not be named, insert instead cryptonote?

Well done. DRK is ready for prime time.

edits made

 

[moli]

Thank you, Evan, for all your hard work and for clearing some issues. So, MNs can't be blinded... Does it mean transactions can't be encrypted because of this? Is the MN snooping in your next plan to tackle?

Again, thank you very much for this exciting project.

 

[pbleak]

Thanks for the quick response and the transparency.

 

[georgem]

 

[vertoe]

All right, flare can close all my tickets on Jira then

 

[TanteStefana]

I just posted on BCT how I felt every duff we donated to Kristov was worth it. I really appreciate that he explained all the known attack vectors (I'm assuming he checked every type of attack known, it certainly seemed thorough). He also gave us that wonderful chart from which I'm sure the team can deduce the best way to prioritize what needs to be done.

Thanks Kristov! Great work, and I'm glad you said you'd update as things change. We really appreciate your keeping your eye on us!

Note: I think Kristov mentioned that some of these issues would be resolved via a minimum of 3 participants in a mix, but it'd be nice if he could eventually update clearly that it does work. I have difficulty tracking and writing out this info myself, so his charts are a huge help. I'd love to see those same charts updated with 3 participants. I know and can "see" it in my head, how it mitigates many of these issues, but I don't trust my brain, and would love to see it written out and in pictures, LOL. I like picture books ;P

 

[JGCMiner]

Evan, this may be a silly question, but if in a blinded setup it is possible to ban malicious peers (as you mention above) then why can't we ban them AND force them to pay collateral. After all, to ban them don't we (the network) need to know who they are?

 

[stonehedge]

eduffield

I have a nagging concern. Last night I got a friend with no altcoin knowledge but with a fairly good grasp of consumer computing to read both Kristov's paper and your response.

In my friends opinion he felt that Kristov had identified several major flaws in Darkcoin and that you hadn't made it clear on whether you had already fixed the problems or had plans to.

I think everybody in this community must remember that in order to attract new money and interest we need to be able able to communicate to people with zero knowledge of what the product is.

I appreciate that this might be an invalid argument as Kristov's paper was not intended for the layman but IMHO I think our public response to it has to be written in terms that anybody can understand.

 

[iHeartSmartArt]

What I read, reassures my hunch. Darkcoin is leagues ahead of Bitcoin and other digital currencies. Making me instantly a proud member of this community.

In terms of development on securing vulnerabilities, Atlas was showing every known attack vector to most cryptocoins. Alot went over my head, but I find and novices must understand Bitcoin attacks continue unmitigated, Duffield makes a better coin then Satoshi; By correcting what matters most and going about it in all the right ways.

stonehedge I don't think it a valid argument considering this is the form we have had announcements in the past. Darkcoin is to be layman but you can get technical.

 

[stonehedge]

Every small step that Evan and the community makes without pitching the success at Joe or Jane Average is a missed opportunity to lure in the lurkers.

 

[iHeartSmartArt]

I think Evan gave a green light on that.:"This research shows that Darkcoin and Darksend are maturing technologies and are ready for adoption and use by the general public."
"Get out, spread the word, use social media to relay updates and news of all kinds." vertoe Duffette#2

 

[moli]

Every small step that Evan and the community makes without pitching the success at Joe or Jane Average is a missed opportunity to lure in the lurkers.

I believe Evan would not let this coin to continue to have the flaws, seeing the progress he's made within just a short time for this project. So I would say we can be confident that perfecting Darkcoin is always in his mind. At the same time, I don't believe there's 100% anonymity in any crypto currency, but achieving 99.9999% or even a little lower is pretty amazing.

 

[stonehedge]

I believe that too. I'm not questioning the project or Evan's will to deliver.

I'm just trying to say that imho we're not blowing our own trumpet enough. And when we do blow our own trumpet, we're playing freestyle jazz and putting off the punters

 

[moli]

I believe that too. I'm not questioning the project or Evan's will to deliver.

I'm just trying to say that imho we're not blowing our own trumpet enough. And when we do blow our own trumpet, we're playing freestyle jazz and putting off the punters

Oh.. I'm so sorry... lol.. my fault. I meant to respond to your other post and the line you said that, "In my friends opinion he felt that Kristov had identified several major flaws in Darkcoin and that you hadn't made it clear on whether you had already fixed the problems or had plans to."

Also, right now Evan is trying to roll out RC5, he's probably got too much to do, so i think we can wait and see.

 

[stonehedge]

Agreed. I apologise if I come across overly negative sometimes. I used to work for a venture capital company that specialised in technology startups. I just can't get it out of my head that PR and comms should be a continual part of a project rather than something that happens from launch. I guess I'm not used to the concept of the development of a service/product being in the public eye. I still believe that the way our dev team works is a USP and that we should be shouting it from the rooftops.

I feel wary that there are a lot of people reading these threads agonising over whether they want to get involved financially or not and if we want this project to succeed long term, we are going to have to pitch our announcements at the average home computer user.

We have something awesome and for me, I'd rather attract a lot of smalltime adopters than be pumped and dumped by a whale.

 

[stonehedge]

For the record, I have never been pumped and dumped by a whale.

 

[eduffield]

eduffield

I have a nagging concern. Last night I got a friend with no altcoin knowledge but with a fairly good grasp of consumer computing to read both Kristov's paper and your response.

In my friends opinion he felt that Kristov had identified several major flaws in Darkcoin and that you hadn't made it clear on whether you had already fixed the problems or had plans to.

I think everybody in this community must remember that in order to attract new money and interest we need to be able able to communicate to people with zero knowledge of what the product is.

I appreciate that this might be an invalid argument as Kristov's paper was not intended for the layman but IMHO I think our public response to it has to be written in terms that anybody can understand.

I systematically went through every issue that came up in the paper. Was there a specific question your friend could pose?

 

[Probe]

****** PLEASE UPDATE TO v9.13.9 (Stable) OR 10.13.9 (RC) *******

There's good reason why we don't use three participants for DS on testnet, there's just not enough wallets to combine with to keep the network going all of the time. I really just wanted to make sure 3 worked, so we could use it on mainnet.

- Testnet merges use two, while mainnet merges will use 3 participants
- Fixed the endless splitting issue causes by splitting 1000DRK and not making a DS compatible input

(waiting for flare's excellent compiling service)

Is "three participants DS" going to solve the sybil attack issue ?
Masternode snooping appearing to be easy fix. Is it going to be implemented in RC 5 ?