 My latest invention is Emessbee 🐝: Unstoppable Coinjoins with No Coordinator

https://stacker.news/items/529905 
 Do you have anything that provides plausible deniability? 
 "I got hacked!"  
 “My dog performed that coinjoin.” 
 You need wallet software that's open source and automates these actions for the user without direct user interaction. 
 At least with lightning, I can say I am using it to save money on tx fees. Any time I say I am doing something to save money, it can't be disputed. Converting to #monero, I can say I thought the price was going up. 
 Dammit, you're an ideas volcano mate 
 
nostr:nevent1qqsrd67zqulv937ey7a2n85vwgshd273aq5vjn6js3q7ume47dh280qpramhxue69uhkummnw3ezuetfde6kuer6wasku7nfvuh8xurpvdjsygpps055wkzgr583ynaaj0zkej4ytel9gh8whr2jsj8esfflf9aew5psgqqqqqqs2eewqq 
 No sybil resistance?
No zerolink?

I'll sit this one out. I applaud the experimentation but hope everyone that tries it is aware of the implications. 
 > I'll sit this one out

Please don't, please make it better! 
 What can be made better? Do you have anything in mind to address the concerns above? Or would it require a totally new design? 
 Joinmarket does sybil resistance via fidelity bonds, that is, you only coinjoin with people who first prove they locked up a bunch of bitcoin in a timelocked address. Sybils would have to spend a lot of money to do that, thus bankrupting themselves, so you're only left with honest people. I think emessbee can do the same thing, so yay.

As for zerolink, its purpose is to prevent linking the equal amount outputs to their inputs and to prevent linking people's ip addresses to their inputs. I think I've managed to do the first part in a different way, so I don't think following the zerolink protocol would improve anything on that front. The other part seems achievable by just writing a client that runs over tor and creates a new identity for all three rounds. Thoughts? 
 If you do fidelity bonds for sybil resistance, there's not much that distinguishes it from JM, except for a nostr relay orderbook instead of p2p gossiping. That does protect IPs (if you don't use tor) but I would still say it's just a marginal improvement.

The point of zerolink is not protecting IPs, it's to break all deterministic links using equal output coinjoins. I actually see a future in which JM or your proposal could implement it. It could be something like an "advanced coinjoin market pool" that would require a previous tx0 type transaction that guarantees the utxo to mix is compliant with the pool amount. 
 That's exactly how joinstr works as implemented in the electrum plugin and uses nostr relays same as emessbee. It even supports custom pool amounts and number of peers. 
 Floppy disk guy was way out in front on this 
 Destroy them from afar and from within a blind.

Stop using your state identity when developing the tools to defang them.

There can be no companies or corporations at this moment of time. Those structures are compromised and will give your snipe position away.

No corporate addresses

No corporate phone numbers

No corporate emails

No real names from now on.

It's war. Act like it.

nostr:note1xm4uype7ctrajfa64x0gcu3pw64ar6pge9849pzpaehntumw5w7qafenn3  
 Very interesting! What's the ring sig construct you're using here? 
 I'm using this one:

https://github.com/beritani/ring-signatures

He has two types, "regular" ring signatures and "linkable" ring signatures. I'm using the regular (non-linkable) ones 
 Ah OK, I see.

Forgive me because I haven't reviewed in detail what you're doing but:

I vaguely remember seeing someone propose ring sigs before .. somewhere ..., and in particular, I remember musing about linkability in this context: surely, you do actually need it? You need that each person that owns one utxo (simplest model) gets to choose *one* output. Without linkability they aren't restricted like that right? So imagine Alice, Bob and Charlie all publish their ring sig key "with" their utxo, then in the second round Alice can just publish 3 (cj_addr, ring_sig) pairs to the BB and since all the ring sigs validate nobody is any the wiser?

Linkability will just mean each (ring sig) key only gets one usage.

(Using ed25519 keys or whatever instead of secp is ofc not actually a problem here, but that extra layer could get removed ofc; just mentioning it).

I think coinshuffle and coinshuffle++ had some of the most interesting thinking along these lines (purely p2p coinjoin with privacy of each party from each party, and using a BB only for communication, and very importantly, having blame protocols to eject miscreant peers). It's somewhat related to mixnets and dc-nets iirc but I'd have to look it up. Beautiful protocol in its base form. Tim Ruffing was one of the main authors. 
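To make the linkability point above concrete, here is an added example (my own illustration, not code from the thread, from emessbee, or from the beritani ring-signatures library): a Liu-Wei-Wong style linkable ring signature over secp256k1 in pure Python, plus a hypothetical bulletin-board rule `accept_round2` for round 2. The curve choice (the page's library uses other keys, which, as noted above, does not matter), the hash domain tags, the function names and the `cj_addr_*` labels are all assumptions made for this example. Alice, Bob and Charlie each register one ring key; Alice then submits three (cj_addr, ring_sig) pairs. A board that only verifies signatures accepts all five entries, because every one is a valid ring signature; a board that also compares key images sees that three of them share one image, keeps only Bob's and Charlie's outputs, and has one misbehaving key to kick out.

```python
import hashlib
import secrets

# secp256k1 domain parameters (cofactor 1, so every curve point has order N).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0]:
        if (a[1] + b[1]) % P == 0:
            return None
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h_scalar(*parts):
    """H1: hash bytes to a scalar mod N (the domain tag is an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(b"lsag/scalar" + b"".join(parts)).digest(), "big") % N

def h_point(data):
    """H2: hash to a curve point by try-and-increment; P = 3 mod 4, so the sqrt is one pow."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(b"lsag/point" + data + bytes([ctr])).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

def lsag_sign(msg, ring, idx, x):
    """LSAG signature on msg by ring[idx], whose private key is x."""
    n = len(ring)
    L = b"".join(enc(pk) for pk in ring)
    h = h_point(L)
    img = ec_mul(x, h)                 # key image: fixed by (x, ring), independent of msg
    u = secrets.randbelow(N - 1) + 1
    c, s = [0] * n, [0] * n
    c[(idx + 1) % n] = h_scalar(L, enc(img), msg, enc(ec_mul(u, G)), enc(ec_mul(u, h)))
    i = (idx + 1) % n
    while i != idx:                    # close the ring with random responses for the other members
        s[i] = secrets.randbelow(N - 1) + 1
        a = ec_add(ec_mul(s[i], G), ec_mul(c[i], ring[i]))
        b = ec_add(ec_mul(s[i], h), ec_mul(c[i], img))
        c[(i + 1) % n] = h_scalar(L, enc(img), msg, enc(a), enc(b))
        i = (i + 1) % n
    s[idx] = (u - x * c[idx]) % N      # only the holder of x can solve this step
    return (c[0], s, img)

def lsag_verify(msg, ring, sig):
    c0, s, img = sig
    L = b"".join(enc(pk) for pk in ring)
    h = h_point(L)
    c = c0
    for i in range(len(ring)):
        a = ec_add(ec_mul(s[i], G), ec_mul(c, ring[i]))
        b = ec_add(ec_mul(s[i], h), ec_mul(c, img))
        c = h_scalar(L, enc(img), msg, enc(a), enc(b))
    return c == c0

def accept_round2(ring, submissions, linkable=True):
    """Hypothetical board rule: returns (accepted cj_addrs, ring keys caught submitting twice).
    linkable=False models a board that can only check signature validity."""
    valid = [(addr, sig) for addr, sig in submissions if lsag_verify(addr, ring, sig)]
    if not linkable:
        return [addr for addr, _ in valid], 0
    by_image = {}
    for addr, (_, _, img) in valid:
        by_image.setdefault(img, []).append(addr)
    accepted = [addrs[0] for addrs in by_image.values() if len(addrs) == 1]
    return accepted, sum(1 for addrs in by_image.values() if len(addrs) > 1)

def demo():
    # Constructed scenario: Alice (index 0), Bob, Charlie register one ring key each.
    keys = [secrets.randbelow(N - 1) + 1 for _ in range(3)]
    ring = [ec_mul(k, G) for k in keys]
    subs = [(b"cj_addr_bob", lsag_sign(b"cj_addr_bob", ring, 1, keys[1])),
            (b"cj_addr_charlie", lsag_sign(b"cj_addr_charlie", ring, 2, keys[2]))]
    subs += [(a, lsag_sign(a, ring, 0, keys[0]))   # Alice claims three outputs with one key
             for a in (b"cj_addr_alice1", b"cj_addr_alice2", b"cj_addr_alice3")]
    naive, _ = accept_round2(ring, subs, linkable=False)
    strict, caught = accept_round2(ring, subs, linkable=True)
    return len(naive), len(strict), caught        # (5, 2, 1)
```

The key image is `x * H2(ring)`, so it repeats for every message the same key signs within the same ring, which is exactly the "one usage per ring key" restriction; a fresh ring (new round, different member set) gives the same key a fresh image, so linking does not leak anything across rounds. Because the image also verifies inside the signature, the board can both reject the duplicates and name the offending key for a kickout without any opening of commitments.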
 > You need that each person that owns one utxo (simplest model) gets to choose *one* output. Without linkability they aren't restricted like that right?

I have an alternative way to stop someone from submitting more than one cj_addr. See my "kickout protocol," specifically the section "Kicking trolls out of Round 2." https://github.com/supertestnet/coinjoin-workshop?tab=readme-ov-file#kicking-trolls-out-of-round-2 
 Yep, you are describing there a "blame" protocol pretty similar to what happens in coinshuffle. Basically an "open the commitment" thing. The most crucial element is as described both in coinshuffle and in your protocol: say 10 participants, the blame kicks out the bad behaviour and the remaining 9 continue, etc. I think a linkable ring sig makes a lot of sense though, as it cleans up one form of delay of the process. To note: there is another nuance in ring sig design that's relevant (I discussed it in https://reyify.com/blog/ring-signatures#culpability-exculpability-and-claimability ; it's the idea of "exculpability". Some versions of ring sig have a property that, if you reveal the private key, you still do not reveal whether it was *your* private key that signed; in your description, you would need the type that does not have that (so "culpability"). The LWW LSAG, Back-LSAG and MLSAG types are indeed "culpable" so you're probably OK just with that, but: if you have linkability, I don't *think* you even need culpability. 
 I'm not sure about blame on round 3 though, would need to think more about it. 
 I don't think I need to try as hard to place blame in round 3, which is where bitcoin signatures are shared. If anyone does not do that, everyone can detect it, so all of the honest users just remove their inputs from the transaction and their key from the ring, and they restart from step 2. 
 💪 very very nice. Thanks man!!!

I guess wallets have to support this? In order to get adoption. 

What is the next step? Do you need funds? Did you think about talking to Nunchuck? Those guys seem to be leaning forward and working fast.  
 > What is next step?

Most of what I do is "proof of concept." I am not a very good coder and not interested in becoming one, so I consider this project "done" as far as proving the concept is concerned. I hope someone who is a better coder than me rewrites it as a "real" software project, perhaps with a library so that wallets can easily import support for this protocol. Some of the guys at Zebedee expressed an interest in helping with this, maybe that's a good next step.

> Do you need funds?

Eventually yes. Earlier this year I earned a bitcoin from the Human Rights Foundation for my work on Zaplocker, and I suspect that bitcoin can fund me for the rest of this year and part of the next. But I would really appreciate more money from anyone who thinks I do cool stuff! My bitcoin address is in my nostr profile and on my website, supertestnet.org

> Did you think about talking to Nunchuck?

Great idea! No, I did not think of that 
 are nunchuk working fast though? last time i checked the app did not even have a dark mode.. 
 😆 You serious? These guys have made probably the best wallet out there and..last update was 3 days ago. And all you care about is the background color 😃

Go to https://github.com/nunchuk-io/nunchuk-android-nativesdk/releases to see their update frequency, which is pretty high.  
 To be fair, dark mode is important 🤷 
 Fantastic demo at btc++. 
 I missed btc++ this year, how was it?  From one anecdotal account, I heard it was heavy shitcoin vibes compared to previous years 😭 
 Thats how it should be 
 So does that mean GitHub is an MSB now that they hosted your code?

How about the company that manufactured your computer? They made possible the transmission of your code too.

How about the electricity company? They provided the electrons that transmitted the messages too.

How about the food companies that provided inputs to the meals you ate. Surely they’re responsible for giving you the energy to write the software.

Anyway good job. We need to highlight the ludicrousness of their position and push back. Thanks for doing your part in that effort.  
 😃 
 Absolutely awesome!!!

nostr:nevent1qqsrd67zqulv937ey7a2n85vwgshd273aq5vjn6js3q7ume47dh280qpp4mhxue69uhkummn9ekx7mqzyqsc8628tpyp6rcjf77e83tve2j9ulj5tnht34fgfrucy5l5j7uh2qcyqqqqqqgupw7ye 
 Please someone correct me if I am wrong, but with JM it seems the on chain fees are paid by a single entity (single user with multiple market makers) for each tx, which is very costly?

Also the default behaviour in JM of consolidating all original input utxos is not ideal.

If a protocol could both share the txs between users and avoid tying the original input together, without impacting negatively the other characteristics, it would be awesome. 
 That's pretty cool.

Downsides seem to be that there is no denial of service protection across rounds, the same utxo can disrupt many rounds. A centralized coordinator bans a utxo for numerous rounds.

Also blockspace efficiency is not great, a single equal denomination means users need to do a lot of rounds and create / spend many coins. I don't know how this can be fixed though, maybe some ring signature credential that commits to a homomorphic value commitment, something like Wabisabi kvac but with federated authorship.  
 Fantastic project name 💪🔥 
 I am using stacker news to custody my zaps and they have a limit of 100k total sats they are willing to custody on my behalf. I am currently at about 95k. Trying to reduce but have a 70k sat payment stuck in flight for 18 hours now, so it will be a bit. Consider dming me for an invoice  
 dmed. 
 dmed.