
Security Advisory for CoinShuffle and Darkwallet

eduffield

Core Developer
It’s a well-known fact that the anonymity of Bitcoin is trivial to break, and many projects have set out to bring anonymity to digital currency in order to protect consumers and businesses.

Darkcoin is the first privacy-centric digital currency. Founded in 2014, Darkcoin uses its anonymizing technology, Darksend, to keep users’ funds private, so that the blockchain can be used for everyday payments without those payments being traced at some point in the future. Darksend uses a two-tier network, known as the masternode network, to provide mixing services. Using this technology, users are able to achieve a high level of anonymity. Darksend is trustless, decentralized and nearly free to use.

CoinShuffle and DarkWallet are new technologies aimed at providing anonymity on the Bitcoin network. CoinShuffle was created by researchers at Saarland University: Tim Ruffing, Pedro Moreno-Sanchez and Aniket Kate. Their paper can be found at http://crypsys.mmci.uni-saarland.de/projects/CoinShuffle/coinshuffle.pdf.

DarkWallet was started in 2013 by Amir Taaki and Cody Wilson, but has since been taken over by a group of open-source programmers.

The problem with CoinShuffle arises from the need to return change to the participants. In any setting where anonymity matters, change has to be handled with the greatest care, because if it is dealt with incorrectly it can expose the anonymized transaction: an observer only has to watch what is done with the change after the anonymous transaction.

When building anonymity technology, one must remember that the blockchain can be traced in both directions. The vulnerabilities below come from the fact that if you anonymize 1BTC at some point and later spend part of it, the change from that spend must be kept separate from any identifiable transaction. Otherwise an observer can simply walk backward through the transactions, from the identifiable transaction to the transaction that was meant to be anonymous.

From the paper:

“The use of change addresses is supported in CoinShuffle: Participants can announce additional change addresses in phase 1, if they do not have an address holding exactly the mixing amount B ν. In phase 5, every participant adds all the change addresses as outputs of the mixing transaction tx before it is signed. CoinShuffle still preserves the unlinkability between the input addresses and the (regular) output addresses of the honest participants.”

There are two connected issues arising from the mismanagement of change. Mario Müller (DarkcoinTalk user Aswan) originally found this issue in Darksend. It has since been resolved in Darksend, which is not vulnerable to these kinds of attacks.

1. CoinShuffle Vulnerability : Forward Change Linking





In this example, Alice anonymizes 1.2BTC, which goes to two outputs, 1BTC and 0.2BTC. She then spends 0.7BTC from the 1BTC output, receiving 0.3BTC in change. That 0.3BTC is later sent to an identifiable destination, confirming that Alice also made the 0.7BTC payment in the prior transaction.

To identify the sender of the anonymous transaction, start at the transaction to the identifiable destination (here the exchange, Coinbase) and walk backward through the blockchain until you reach “Alice sends 0.7BTC anonymously”. Coinbase knows which customer the deposit address belongs to, so it knows that its user recently bought something anonymously, breaking the anonymity completely.

2. CoinShuffle Vulnerability : Through Change Linking



In the second example, Alice buys 1.2BTC from Coinbase, then anonymizes it into a 1BTC output, with 0.2BTC returned as change from the CoinShuffle transaction. She then spends 0.7BTC from the 1BTC output, receives 0.3BTC in change, and later combines that with her earlier 0.2BTC change in a single transaction.

By combining the change from the anonymous spend (0.3BTC) with the change she received from the CoinShuffle transaction (0.2BTC), she lets an observer link the entire history before and after the mix, completely breaking the anonymity.

Solution:

All the issues presented here can be solved, but the solution requires denominated inputs and outputs. Just as the United States dollar has denominations of $1, $5, $10 and $20, Darksend uses 0.1DRK, 1DRK, 10DRK and 100DRK. When mixing on the network, users can only send and receive these denominations. Afterward, payments are protected by combining denominations to pay slightly over the required amount, so that no change output is created.

For example, if a user needs to pay 1.17DRK anonymously, they will use 1DRK + 0.1DRK + 0.1DRK. This results in a transaction that pays exactly 1.17DRK to the payee and a mining fee of 0.03DRK, which eliminates change-related tracking.

3. DarkWallet Vulnerability : Uniquely identifiable amounts

This mixer is constructed such that multiple users (or idle mixing bots) are paired up in real time with users who want to send funds. It is trivial to de-anonymize any transaction that went through DarkWallet, because the amounts in the transactions are unique.




For Example:

In this transaction, 0.05BTC was sent through the mixer. To identify the source of the money, one simply adds up values on the right (the outputs), allowing for the fee, until they match one of the values on the left (the inputs):

0.05+0.0499+0.0001(fee) = 0.10BTC.
0.0499+0.05940182+0.0001(fee) = 0.10940182BTC.

This gets exponentially harder as more users are added to the mixer, but the amounts stay on the blockchain forever, so these sessions can be retroactively de-anonymized at any point in the future.

Transactions involved:
https://blockchain.info/tx/4eb3b2f9fe597d0aef6e43b58bbaa7b8fb727e645fa89f922952f3e57ee6d603
https://blockchain.info/tx/1694122b34c8543d01ad422ce600d59f8d8fde495ac9ddd894edc7139aed7617

Solution:

There is no known solution to this issue.

4. CoinShuffle and DarkWallet Vulnerability : DoS attack

Both CoinShuffle and DarkWallet are susceptible to denial-of-service attacks, in which a malicious user simply refuses to sign the final transaction or disconnects during one of the final phases. Since every participant’s signature is required to complete the final transaction, the process can be halted simply by refusing to participate.

DarkWallet and CoinShuffle have suggested a few different approaches to solving this, but all of them allow the initial attacks to take place on the network before any action can be taken to protect it further.

Solution:

Darksend uses a novel approach to protect the network from this attack, known as a collateral transaction. When opening a new mixing session, the user must hand a complete, signed transaction to the masternode he wishes to mix on. Once the process begins, the user is obligated to complete it by responding to requests and finishing the mixing session; otherwise the masternode broadcasts the collateral transaction and the collateral is forfeited. This can be thought of as a deposit on a lease: you get your money back if you act according to the contract.
 

Example Darksend Transaction:


As an example of the type of anonymity Darkcoin provides, I’ve listed a fully anonymous transaction here. The funds went more than 10 layers deep (they were mixed on more than 10 separate masternodes, each session with 3 participants in total). You’ll notice that there is no change to track transactions with, and that every participant in every phase uses the same denominations.


http://explorer.darkcoin.io/tx/14be41bfbcda630615be6a7e7df5d2391f60c570bc2280763e22349f689f6474 (sent 3.2DRK anonymously)
http://explorer.darkcoin.io/tx/1d7072ab9448d8b59b453fcb53f49f3601f4418e21adc00b03a9bf46cbad7955
http://explorer.darkcoin.io/tx/d71ba5edd833e0a13cc3f4f828e7ae8bdebb7b8eeabc3a780099695d0bde9525
http://explorer.darkcoin.io/tx/327c39874c5e6bb981001b5ac4e14a59549007d202bc42bf404b9232944c1255
http://explorer.darkcoin.io/tx/05be05e35917043ec128fffac6d1c18832f62ed93616cfc805cca1de18b152f7
http://explorer.darkcoin.io/tx/fd946e98a4e4168ba426e69d0a7d2c8a871973c013698900aa4a3c9e23722d5d
http://explorer.darkcoin.io/tx/de8be67ed9a45ded8c179d5cb9e4ca5dc958a57804645cc83ad30a57229bfe05
http://explorer.darkcoin.io/tx/5ce1b10d8d39ee12fada352f646a0bc7fd10e5c68be3657b7e1f25daa96445ec
http://explorer.darkcoin.io/tx/d438fbdc1cd08a9335d0d85705cca1b4b16ae02ccf4c912202288750fa3d3a06
http://explorer.darkcoin.io/tx/12d0d2f81eabc990556126e8e86abd7f6587ce9a252e697d49babe02e1e0784d
http://explorer.darkcoin.io/tx/faa07d6d48cbaabc6cf7f6167cd851b722d8b5d56ed5b45be4c221cd54a4dc7f
http://explorer.darkcoin.io/tx/278ac690ed283b2f8c6d27173fb45d777198b612b3a67484724fea5c340b1b35
http://explorer.darkcoin.io/tx/0c1c8796010c466d340c209bf3804d14f8ded70e523fa92baa25d938491625d7
http://explorer.darkcoin.io/tx/990e5d83a66fa189241af04492496f7d1d2ea7ebb958cc7e3a75185525b94116
http://explorer.darkcoin.io/tx/01edb919d043e7f34a54e58714cd0e4796a7752132d7d7498938b6b9c2ec4595
http://explorer.darkcoin.io/tx/6b32a47efebf9c2d8ed4fd97f6f3787cb01b47100a51fc38cd63457ffe254a05
http://explorer.darkcoin.io/tx/0c16df3800da43b22cfb1caeeedb6ac77e919a8609d0a863337a992f7c9757a6
http://explorer.darkcoin.io/tx/e5a084b5ca7d0f98b80f142fc4a216b5f210e29d5a1c143ac376416240d09074
http://explorer.darkcoin.io/tx/bd2f5435ef5a3ba2ff9c873606745d2ced11854977119a017dbe6ad150cfafde
http://explorer.darkcoin.io/tx/a8452f95817a42531f42440dc5ff489eda0fcf76c3219847cb6bb4e99c0e5d88
http://explorer.darkcoin.io/tx/54e885792b0d7e07604ed3d2915f6b86499b932ebc2c888125ab68b48720abd4
http://explorer.darkcoin.io/tx/26906bef4c41e02565561a54dcdaf9e242d3830921b0ba4d5e5bfa085579a0de
http://explorer.darkcoin.io/tx/1777adc8c015d8282c562d9401902330e9db1ffb18c830222d51c4f7e7c4388b
http://explorer.darkcoin.io/tx/2edccdb8e9544d6d096b0369c02db7b4c8d3350465ca5b7b772609746a27b15c
http://explorer.darkcoin.io/tx/15383602cf81ed5e3ddfac17211b5078cbbd1dcec882c4ec8d0a8ce7e6902496
http://explorer.darkcoin.io/tx/37ec592c7b609e837a6265d7ba28e944e43319a072528e3e6c9e6d39a67a569d
http://explorer.darkcoin.io/tx/995c8ad4347d7157683a3ac40625d366e1f5f8773e5dc8ac2c3a8148aa4cd423
http://explorer.darkcoin.io/tx/b8d1475ca6d43934f4d6ce3d4b2cc7e2a01782c506a4e73e036ed4f83c3cdcf7
http://explorer.darkcoin.io/tx/32ee32b2c2458100a64ee04679c3961f7b714ba3a58e5c425c9ec9d5c4c5b670
http://explorer.darkcoin.io/tx/4162c8bf1704a2eb3d1e8a4e81dfcae144d231c52e33f992814c0a1d381c3eb7
http://explorer.darkcoin.io/tx/59f9bfb8d822b8044e143a8a2c32e753aaa50cc34e179579314a0ca85f200faa
http://explorer.darkcoin.io/tx/57a403abac5e3c244b2206101d4419bf21ede3aee79a69a49eb9bf91dfc4d2ea
http://explorer.darkcoin.io/tx/e00181d3a04aca647501cea5970b84e932838a71e4bbd4e1ed4a0c850d81d26c
http://explorer.darkcoin.io/tx/92c4774c1459b71a111ed9dc04eac80a287040797a179c2618590455a3475114
http://explorer.darkcoin.io/tx/bbba3c932ce873be4d7fcc99832f289e24e94e85dd4fe267d5f9a9daed055228
http://explorer.darkcoin.io/tx/c802ef9a3c7bf82fa95a6bd9afd05eb8ce656e6a292246c2600ae47298d9aefc
http://explorer.darkcoin.io/tx/741b07d77cc42c586228a4704bb9c25e2552277399f443c79e08c1af41004e04
http://explorer.darkcoin.io/tx/fd2f659f41239383bd3ff48062adfee3735c5c35155d2bee045cb044f4f4218e (source)

It’s worth noting that Darksend anonymizes large portions of Darkcoin at a time, so a mixing session like the one above can be used to send many different anonymous transactions afterward.

Conclusion:

We would suggest CoinShuffle and DarkWallet not be used for any type of sensitive transactions due to these flaws in the design. The issues raised here will apply to a high percentage of all transactions that go through the anonymization process and result in the complete loss of anonymity for users involved.
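The two change-linking walks described in the CoinShuffle section above, as an added example (this is not code from the advisory, from CoinShuffle or from Darkcoin). The transaction graph, ids, addresses and amounts are constructed to mirror the two diagrams: Alice withdraws 1.2BTC from an exchange, mixes 1BTC with a 0.2BTC change output, spends 0.7BTC anonymously and later sweeps both pieces of change to an identifiable exchange deposit address. The only assumption beyond the text is that the change output of a CoinShuffle transaction can be tied to its input by amount (input = mixing amount + change), which follows from the quoted paragraph of the paper.

```python
from collections import deque

# Constructed toy transaction graph reproducing the advisory's two scenarios; ids,
# addresses and amounts are invented, not real chain data.
# A transaction is {"inputs": [(prev_txid, output_index), ...],
#                   "outputs": [(address, btc), ...]}.
MIX_AMOUNT = 1.0  # the CoinShuffle mixing denomination (nu in the paper)

TXS = {
    "exchange_withdrawal": {"inputs": [], "outputs": [("alice_in", 1.2)]},  # Alice buys 1.2 BTC
    "bob_funding":         {"inputs": [], "outputs": [("bob_in", 1.0)]},
    "carol_funding":       {"inputs": [], "outputs": [("carol_in", 1.0)]},
    # The CoinShuffle transaction: three 1.0 BTC outputs to fresh addresses plus
    # the 0.2 BTC change output Alice announced in phase 1.
    "mix": {
        "inputs":  [("exchange_withdrawal", 0), ("bob_funding", 0), ("carol_funding", 0)],
        "outputs": [("fresh_x", 1.0), ("fresh_y", 1.0), ("fresh_z", 1.0), ("alice_change1", 0.2)],
    },
    # Alice spends 0.7 BTC from her mixed output; 0.3 BTC comes back as change.
    "anon_spend": {"inputs": [("mix", 0)],
                   "outputs": [("merchant", 0.7), ("alice_change2", 0.3)]},
    # Later she sweeps both change outputs to her exchange deposit address (identifiable).
    "exchange_deposit": {"inputs": [("anon_spend", 1), ("mix", 3)],
                         "outputs": [("exchange_alice", 0.5)]},
}


def mix_outputs_feeding(txs, mix_txid, start_txid):
    """Walk backwards from start_txid through every input and return the set of
    output indices of mix_txid that appear in its spending history.
    This is the 'forward change linking' walk: from an identifiable transaction
    back to the mix, one spend at a time."""
    found, seen, queue = set(), set(), deque([start_txid])
    while queue:
        txid = queue.popleft()
        if txid in seen:
            continue
        seen.add(txid)
        for prev_txid, vout in txs[txid]["inputs"]:
            if prev_txid == mix_txid:
                found.add(vout)
            queue.append(prev_txid)
    return found


def change_to_input_links(txs, mix_txid, mix_amount):
    """Change outputs of a CoinShuffle transaction are tied to the input that
    produced them by amount alone: input value == mix_amount + change.
    Returns {change_output_index: input_index}."""
    mix, links = txs[mix_txid], {}
    for vout, (_, value) in enumerate(mix["outputs"]):
        if abs(value - mix_amount) < 1e-9:
            continue  # a regular mixed output: nothing to link by amount
        for idx, (prev_txid, pvout) in enumerate(mix["inputs"]):
            in_value = txs[prev_txid]["outputs"][pvout][1]
            if abs(in_value - (mix_amount + value)) < 1e-9:
                links[vout] = idx
    return links


def deanonymize(txs, mix_txid, identified_txid, mix_amount=MIX_AMOUNT):
    """Combine both walks ('through change linking'): when an identifiable
    transaction's history touches a mixed output AND a change output of the same
    mix, the mixed output is attributed to the input that the change belongs to."""
    touched = mix_outputs_feeding(txs, mix_txid, identified_txid)
    links = change_to_input_links(txs, mix_txid, mix_amount)
    mixed = sorted(v for v in touched if v not in links)
    inputs = sorted({links[v] for v in touched if v in links})
    return {"mixed_outputs": mixed, "linked_inputs": inputs}


if __name__ == "__main__":
    print(deanonymize(TXS, "mix", "exchange_deposit"))
    # {'mixed_outputs': [0], 'linked_inputs': [0]}: the 0.7 BTC anonymous payment was
    # made from mix input 0, i.e. the coins Alice withdrew from the exchange.
```

Running the walk from "anon_spend" alone only shows which mixed output paid the merchant; the deposit transaction that merges the two change outputs is what ties that output back to Alice's identifiable input, which is exactly the separation of change the advisory says must be maintained.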
 
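The amount-matching attack on DarkWallet and the denominated, change-free payment that Darksend uses instead, as an added example (this is not code from the advisory, from DarkWallet or from Darkcoin). The unique-amount inputs and outputs are constructed from the figures quoted in the advisory and assume a flat 0.0001BTC fee per participant, which is the advisory's own accounting; the denominated session with three 1.1DRK participants and the wallet holdings in the payment example are likewise constructed.

```python
# Amounts are integers in the smallest unit (1e-8 BTC or DRK) so that sums are exact.
# All figures are constructed, not real transaction data; the DarkWallet case uses
# the amounts quoted in the advisory and assumes every participant pays 0.0001 BTC.
UNIT = 100_000_000

UNIQUE_INPUTS  = [10_000_000, 10_940_182]                    # 0.10 BTC, 0.10940182 BTC
UNIQUE_OUTPUTS = [5_000_000, 4_990_000, 4_990_000, 5_940_182]
FEE_PER_INPUT  = 10_000                                      # 0.0001 BTC per participant

DENOM_INPUTS  = [110_000_000] * 3                            # Darksend: three 1.1 DRK inputs
DENOM_OUTPUTS = [UNIT] * 3 + [UNIT // 10] * 3                # 1 DRK x3, 0.1 DRK x3, no fee

DENOMINATIONS = [100 * UNIT, 10 * UNIT, UNIT, UNIT // 10]    # 100, 10, 1, 0.1 DRK


def assignments(inputs, outputs, fee_per_input):
    """Yield every assignment of outputs to inputs (output i -> input index) in
    which each input pays exactly its assigned outputs plus fee_per_input."""
    left = [v - fee_per_input for v in inputs]  # what each input still has to cover
    choice = [None] * len(outputs)

    def rec(i):
        if i == len(outputs):
            if all(v == 0 for v in left):
                yield tuple(choice)
            return
        for k in range(len(inputs)):
            if left[k] >= outputs[i]:
                left[k] -= outputs[i]
                choice[i] = k
                yield from rec(i + 1)
                left[k] += outputs[i]

    yield from rec(0)


def link_outputs(inputs, outputs, fee_per_input):
    """Return (links, n): n is the number of consistent assignments and links maps
    every output that belongs to the same input in ALL of them to that input.
    Those outputs are de-anonymized by their amount alone."""
    owners = [set() for _ in outputs]
    n = 0
    for a in assignments(inputs, outputs, fee_per_input):
        n += 1
        for i, k in enumerate(a):
            owners[i].add(k)
    links = {i: next(iter(s)) for i, s in enumerate(owners) if len(s) == 1}
    return links, n


def select_denominations(amount, holdings):
    """Pick denominated coins from holdings (denomination -> count on hand) that
    cover `amount` with the smallest overpayment; the overpayment becomes the
    mining fee, so the payment creates no change output to trace.
    Returns (coins, fee) or None if the holdings cannot cover the amount."""
    best = None

    def rec(i, remaining, chosen):
        nonlocal best
        if remaining <= 0:
            if best is None or -remaining < best[1]:
                best = (chosen, -remaining)
            return
        if i == len(DENOMINATIONS):
            return
        d = DENOMINATIONS[i]
        max_k = min(holdings.get(d, 0), -(-remaining // d))  # ceil; more coins never help
        for k in range(max_k, -1, -1):
            rec(i + 1, remaining - k * d, chosen + [d] * k)

    rec(0, amount, [])
    return best


if __name__ == "__main__":
    print(link_outputs(UNIQUE_INPUTS, UNIQUE_OUTPUTS, FEE_PER_INPUT))  # ({0: 0, 3: 1}, 2)
    print(link_outputs(DENOM_INPUTS, DENOM_OUTPUTS, 0))                 # ({}, 36)
    print(select_denominations(117 * UNIT // 100, {UNIT: 2, UNIT // 10: 5}))
    # ([100000000, 10000000, 10000000], 3000000): 1 + 0.1 + 0.1 DRK with a 0.03 DRK fee
```

With unique amounts the 0.05BTC and 0.05940182BTC outputs each have exactly one possible owner, so the mix is undone from the amounts alone; with denominated amounts every output is equally consistent with every input (36 assignments for three participants), which is the property the Darksend denominations are designed to give. The selection routine searches the wallet's denominated coins for the smallest overpayment rather than greedily, so it still finds a change-free payment when the larger denominations are not on hand.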
Thank you so much Evan for providing this explanation. As someone who lacks programming skills it is sometimes frustrating to find that explanations of these matters too often fall into only two camps; either highly technical explanations filled with programming code, or simplistic explanations that amount to "trust me, I know what I'm doing." Your concise explanation respects our intelligence without demanding highly specialized knowledge. I now feel that I have a good understanding of the problems associated with other anonymization systems and of why DRK has a better implementation.

In short I can trust your programming skills, which I don't understand, because you have taken time to explain the logic, which I do understand.

Again, thank you, and keep up the good work!
 
I find it funny that any time a flaw is discovered or pointed out by someone not in the Bitcoin camp they seem to take offense at the comments and posts. Sometimes I love reddit, but for the most part it's full of inbred fucktards who can't tell the difference between left and right. "Which way is up again?"

Nice work on this advisory Evan, you deserve a lot more credit than you get.
 
This, exactly. Well said! Who cares what they think at this point, we'll show them all eventually...
 
So choosing a small number of low denominations for mixing makes tracing harder, because all the denominations are going to look so similar, as opposed to many more unique values, which would surely make tracking easier; plus the fact that the (randomizing) small-change element is chopped off the end to pay the miners makes the transaction more tricky to track (if not impossible), because the formula does not add up (LHS ≠ RHS) as there is an unknown element (small change).
Is this a kind of complex variation of a non-invertible hash function then?
 
The light of technology and the innovation behind Darkcoin illuminate the fog of lies and foolishness.
 
Lols. People calling it an advertisement for DarkCoin... Well, by definition, Evan designed DarkCoin to solve these problems. It's the one that solves all this... BTC wouldn't do it. So, here's the project that does... It's not an advertisement it's just true... Fact: a thing that is true. Evan made it that way. How dare he mention the reasons why he did so...

Even among cryptotards... Mass adoption? It'll never happen for any crypto when the majority of crypto users are still too dumb/petty to figure it out... And the totally clueless masses who can barely operate an iPhone? The percentage of the population who can even comprehend the issues at hand, then subtract those who insist on denial and egotism... There might be 8 people on the planet qualified to even read what Evan says, much less talk to him about it or criticize him...

"I R BAGHOLDER, HOW DARE YOU SAY STUFFS! CULT OF EVAN! TRUST MIXER WITH OBVIOUS CHANGE IS JUST FINE! I HAVE NO IDEA, BUT I BELIEVE! THE TV SAID ANON INTERNET DEVIL DRUG MONEY! IT MUST BE TRUE! EVANCOIN IS PUMPER SCAM"

Whatever... I should charge a fee to let people get heard by me.
 
For example, if a user needs to pay 1.17DRK anonymously, they will use 1DRK + 0.1DRK + 0.1DRK. This results in a transaction that pays exactly 1.17DRK to the payee, and pays a mining fee of 0.03DRK to eliminate change related tracking.

How does it work? I am not well versed in this technology, but when I look at it, it doesn't really add up. 1DRK+0.1DRK+0.01DRK = 1.11DRK. Even if 0.03DRK goes to the miner for processing the transaction we are still 0.03DRK short. Does 0.03DRK go to the masternodes as well? If yes, does it mean that if I send 1.17DRK the receiver will get only 1.11DRK?
 
"1DRK + 0.1DRK + 0.1DRK."
1.00 + 0.10 + 0.10 = 1.20
1.20 - 1.17 = 0.03

What Evan meant is that to avoid change coming back, you just pay the whole amount of 1.20 for something that costs 1.17, and the 0.03 will be a fee to miners. However, the split between miners and masternodes is another issue according to their payment scale.
 


Unfortunately this is very true, the cult of fiat has ingrained itself so deep in people's heads that most are simply incapable of seeing value without reference to dollars, pounds, euros and are blinded to the risks and potential consequences of their own actions by layers and layers of regulatory cotton wool, such easy prey to those pulling the strings, slaves that fight to wear their chains. And it goes down so deep, endless layers with a sense of finally achieving freedom as each is pulled away that only serves to better hide the next layer of indoctrination, will we ever learn to see things clearly again, to listen to our instinctive sense of value and risk? It's become a religion, all hail our priests of value! What about our other religions, what have they hidden from us never to be seen again?

Sorry for the off-topic rant, kind of sickened by how blind we are to the risk of fractional reserves on the exchanges at the mo and I'm sure there's plenty more I'm blind to, the truth seems so close but maybe it's just convention all the way down to the basic animal.
 

It's not really off topic, this strikes at the very reason why DRK exists.

You can't force people to embrace freedom over slavery. But, for those who choose it, Evan has created DRK. Choice. We finally have one. Not all will choose to be free. Free will. For what is love but the choice to give it? Some wish to be robbed of it, some give it up for comforts and convenience, some would rather die on their feet than live on their knees...

And by this truth, we know evil by its desire to eliminate choice.
 
Thanks :) And to give those bastards trying to kill or control Bitcoin something serious to think about ofc. For everything else there's Darkcoin. Maybe for everything if they get their way, if semi-anonymous gave their minions a surprise just wait 'till they get a load of the real thing!
 
Be the consequence.
 