
Could stealth addresses reinforce Darksend+ against sybil attacks?

Dr.Crypto

Member
Hey everyone,

As a disclaimer, I'd like to say that I've always been pretty skeptical regarding stealth addresses, especially when some guy started to ask for it to be implemented for Darkcoin a few days ago on Reddit.

Now, I still believe in the higher degree of anonymity offered by Darksend+, however liquidity is a problem and in the current situation, it would be relatively inexpensive to run tens of rogue liquidity providers in order to gain information and possibly reconstruct the other peers' mixing history. This issue is well known and was naturally reported during Kristov Atlas' review on Darksend+, see the section on sybil attacks. In particular, Atlas considered it to be the major threat to Darksend+, describing Darksend+ Status as "Vulnerable", Remaining Impact as "High" and Fix Difficulty as "Difficult".

As far as I understood, the dev team has chosen to mitigate the problem by requiring a minimum of three peers for each Darksend+ round. However, in the current situation, not many people are trying to mix their coins at the same time, resulting in the possibility for attackers to create several rogue liquidity providers at the sole cost of collaterals. A partial solution that was mentioned before would be to reduce the probability of rogue liquidity providers being selected for mixing operations by ensuring that even more "honest" liquidity providers take part in Darksend+, however (1) this would create blockchain bloat, and (2) nothing would prevent an attacker from creating even more rogue liquidity providers, requiring more honest liquidity providers, generating more blockchain bloat and so on.

The fact that dedicated liquidity providers are needed for the sole purpose of balancing out essentially costless rogue liquidity providers is an important issue in itself. Liquidity providers, if anything, should only serve to increase the mixing speed for everyone.

But the recent open-sourcing of Vertcoin's stealth addresses made me wonder: how about combining them with Darksend+? Wouldn't it ensure that for each anonymisation round, observed transactions cannot be traced back to the source anymore? Though I haven't looked into the implementation details yet, I believe this could act as a substantial additional layer of privacy that would virtually annihilate the incentive to run rogue liquidity providers, as no useful information could be extracted. As a result, Darksend+ could be fully protected from sybil attacks and the blockchain remain fit.

Of course, this message is in no way a call to the devs, as now that the code is open sourced anyone is welcome to contribute, but I'd like to have some opinions on that matter, especially if I overlooked something.
Still, it would be great if the main threat to Darkcoin could be resolved with an elegant solution!

Thanks for reading :)
 
Hi,

Evan and I discussed stealth addresses some time ago. We came to the conclusion that Darksend (DS) and stealth addresses (SX) could make up a good pair:

DS is primarily protecting the privacy of the sender, whereas SX is primarily protecting the privacy of the receiver.

Given that there was still quite some work to be done on DS and InstantX, we postponed the decision whether Darkcoin will add SX in the future :)

Holger
 
While I don't understand stealth addresses yet,
I like the idea of adding additional layers of anonymity to Darkcoin.
We need to keep upgrading the anonymity level for Darkcoin, especially since it is our "killer app".
I also think in the future we should look into the zerocoin technology; for now it has too many problems, esp. block bloat.
 
> I like the idea of adding additional layers of anonymity to Darkcoin.
> We need to keep upgrading the anonymity level for Darkcoin, especially since it is our "killer app".

This.

It shouldn't be hard to implement this, isn't it?
 
> Hi,
>
> Evan and I discussed stealth addresses some time ago. We came to the conclusion that Darksend (DS) and stealth addresses (SX) could make up a good pair:
>
> DS is primarily protecting the privacy of the sender, whereas SX is primarily protecting the privacy of the receiver.
>
> Given that there was still quite some work to be done on DS and InstantX, we postponed the decision whether Darkcoin will add SX in the future :)
>
> Holger

But in the case of denominating, the sender is also a receiver; would denominating to stealth addresses not improve things?

So an amount of x was denominated to multiple stealth addresses, and repeated for multiple rounds.
So each round after 1, it's being sent from a stealth address to a stealth address.
 
OK, so I read more about stealth addresses (SX) after reading from eduffield's post on reddit: http://www.reddit.com/r/DRKCoin/com..._stealth_addresses_implemented_in_drk/clyea3j

Here is a detailed breakdown on the SX process by one of the vertcoin devs (the full thread is also worth reading, but watch out - they all have difficulties formulating their examples): http://www.reddit.com/r/vertcoin/comments/296dsw/a_question_on_stealth_addresses/cii9pgi

So yeah, basically, there's no such thing as 'sending to / from' stealth addresses from the point of view of the blockchain. What stealth addresses essentially do is generate a new address for the payee each time a payment is sent to a single stealth address.

Example: suppose that A is some guy collecting donations.

What he could do would be posting a regular address on a forum, say A-reg.
Now, suppose that users B and C want to send him money, from respective regular addresses B-reg and C-reg (there's no such thing as sending 'from' a stealth address anyway).
The blockchain now shows B-reg -> A-reg and C-reg -> A-reg, so that anyone in the world can know that users B and C gave money to A's charity (or not). Furthermore, if A decides to spend his coins somewhere, everyone in the world can examine the outputs of his regular address A-reg1.

As an alternative, A could post a stealth address on a forum, say A-sx.
When B and C send coins to A-sx, what happens behind the scenes is that new regular addresses are generated for each payment from the single stealth address A-sx.
Therefore, when B makes the payment B-reg -> A-sx, what is really visible on the blockchain is B-reg -> A-regFromB, with A-regFromB being a new regular address generated from the stealth address A-sx.
No one besides B knows that A-regFromB is controlled by A. For the rest of the world, it will just look like a payment from B to some guy. Similarly, A can then spend his coins without anyone (besides B) knowing that he got his coins from the donation fund.

This offers exactly the same level of protection as generating a brand new regular address for each transaction, which Darksend already does.

Therefore, though SX have interesting properties, such as allowing one to post a single address to receive donations, in no way would they provide an additional layer of obfuscation for Darksend (which was my initial thought).
 
By the way, anyone can add SX to darkcoin, just go to github, fork darkcoin and start coding, debugging, testing, coding, deb.... ;)
Yeah, I was actually considering that. Unfortunately the latest Pokémon game came across my path so maybe later... :')
 