I found myself pondering about malleability: it's just a posh word for "change(ability)", see variants "malleable", "malleate". More malleability is more power but also more danger. Pushing analogies to their extreme, consider the difference between pure gold and alloyed gold. Pure gold is perfectly resistant to corrosion but, being extremely malleable, is useless for building strong structures. In a similar way, cryptographic constructs that are naively built with very powerful primitives (like Schnorr signatures) that are easily malleated can lead to useful outcomes (adaptors) and highly dangerous ones (naive MuSig). So-called "textbook RSA" is also like this (here's a good explanation: https://crypto.stackexchange.com/questions/1448/definition-of-textbook-rsa ).
Hesitate to put a number on it, but first and last 6 is already very strong, yeah .. maybe 9 bytes of entropy based on base58 expansion? Don't quote me, heh.
Japanese DMM Bitcoin Exchange Hacked for 4503 BTC (UPDATED)
The attack likely involved using a poisoned address to trick at least one keyholder into unknowingly signing over 4503 BTC to the attacker.
https://www.nobsbitcoin.com/japanese-dmm-bitcoin-exchange-hacked-for-4500-btc/
Fascinating that they ground the leading and ending characters of the address. I guess I will be more careful recommending people to check the last few and the first few characters of an address.
To be fair, that's always only a second or third line of defence, for low or medium size transactions, but still ...
hey nostr:npub1vadcfln4ugt2h9ruwsuwu5vu5am4xaka7pw6m7axy79aqyhp6u5q9knuu7 how does JM protect against Sybil attacks?
There are two forms of Sybil protection in Joinmarket, because of the taker-maker asymmetry. Both forms use utxo ownership. The takers have to produce what we call a "PoDLE", a commitment to a proof of discrete logarithm equivalence - in English, they publish a hash and have to reveal the utxo behind that hash to makers that agree to join with them. The attack this dissuades: constantly spamming requests to find out maker utxos. If someone can see all the makers' utxos they can deanon coinjoins, so it's a "snooping" attack. With PoDLE you are quite heavily rate limited in how many coinjoin requests you can make.
See the first two articles on my blog (P(o)ODLE and Racing against Snoopers) for more on that. https://reyify.com/blog/racing-against-snoopers-in-joinmarket-0.2
The makers have to publish a fidelity bond, as others have noted. See docs/ subdirectory in joinmarket-clientserver for some explanation and links to further explanation.
Fidelity bonds directly dissuade Sybilling and are much weightier, in general (the size of the utxo involved tends to be large), but note that in neither case are utxos spent, they are just held (for PoDLE) or timelocked (for FB). And FB UTXOs are actually published, which is a bad thing; I've recently spent a lot of time looking for efficient utxo set proofs, partly motivated by that.
(Although it's a bad thing, those utxos can be completely separate from utxos used in coinjoins, so it's not *that* bad.)
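A toy implementation of the PoDLE flow described above, added here as an example (it is not Joinmarket's code): the taker publishes H(P2) where P2 = J^x, then opens it with a discrete-log-equivalence proof that P = G^x and P2 share the same secret x. A ~48-bit Schnorr group generated at startup stands in for secp256k1, G = 4 and J = 9 are the assumed generators, and the three-uses-per-commitment rate limit is a constructed policy, not Joinmarket's real parameters.

```python
# Toy PoDLE (proof of discrete log equivalence) commitment, modelled on the
# Joinmarket taker-side anti-snooping check. Added example, not Joinmarket code.
import hashlib
import secrets

SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases: deterministic for n < 3.3e24."""
    if n < 2 or any(n % s == 0 for s in SMALL):
        return n in SMALL
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for a in SMALL:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=48):
    """Smallest q >= 2^bits with q and p = 2q + 1 both prime (p is a safe prime)."""
    q = (1 << bits) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_group()
G, J = 4, 9  # quadratic residues mod P, so both have order Q; log_G(J) is "unknown"
def h(*parts):
    """Fiat-Shamir challenge: hash the transcript and reduce into Z_Q."""
    data = b"".join(x.to_bytes(8, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commitment(p2):
    return hashlib.sha256(p2.to_bytes(8, "big")).hexdigest()

def make_podle(x):
    """Taker: from utxo key x return (pubkey P, P2 = J^x, H(P2) commitment, DLEQ proof)."""
    pub, p2 = pow(G, x, P), pow(J, x, P)
    k = secrets.randbelow(Q - 1) + 1  # fresh nonce for every proof
    e = h(pow(G, k, P), pow(J, k, P), pub, p2)
    return pub, p2, commitment(p2), (e, (k + e * x) % Q)

def verify_podle(pub, p2, commit, proof):
    """Maker: the revealed P2 must open the earlier commitment and share x with P."""
    e, s = proof
    if commitment(p2) != commit:
        return False
    # Recover the nonce points: G^s * P^-e = G^k and J^s * P2^-e = J^k
    kg = pow(G, s, P) * pow(pub, -e, P) % P
    kj = pow(J, s, P) * pow(p2, -e, P) % P
    return h(kg, kj, pub, p2) == e

def maker_accepts(seen, pub, p2, commit, proof, max_uses=3):
    """Rate limit (constructed policy): a valid commitment is honoured at most max_uses times."""
    if not verify_podle(pub, p2, commit, proof):
        return False
    seen[commit] = seen.get(commit, 0) + 1
    return seen[commit] <= max_uses
```

Because the commitment is bound to the utxo's key, a snooper cannot keep issuing requests without either reusing a commitment (rate limited) or committing fresh utxos.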
The list is likely bs, the exchange seems to have been hacked in 2018 and 500k BTC were worth a lot more than 500 million.
https://fortune.com/2018/01/31/coincheck-hack-how/
Also, where is Cryptopia and others?
Yes thanks. It being Japanese *is* starting to ring bells, so thanks. 500k btc still sounds incredible, is that a calculation of all cryptoccy stolen in btc value? Would make way more sense. Article is blocked.
You mention cryptopia, was that the NZ one? I'm remembering cryptsy also.
That Coincheck number is incredible. I don't remember hearing about it.
Forgive me for slightly derailing, but .. isn't that a fascinating moral quandary, what I just mentioned? I am Mr Trusted Bitcoin Developer (MTBD) and I set up a mint anonymously, and the mint's key I ring-sign using 10 other famous people's keys. These are "SAGs" (spontaneous, no involvement of the other 10). Then a year later police get warrants to search all the other 10 people's houses. Maybe it's unlikely that police power extends that far, but .. given history I would not doubt it. It seems pretty obvious that this is *not* OK, right? But it can't be stopped except by .. an ethical choice?
Yes, it's not workable imo, either 1/ the group is small enough that LEA goes after and harasses all individuals or 2/ large enough that nobody can place trust in it because nobody knows (of) all the members.
Ring sigs usually have exculpability, meaning you can't be proven as the signer even if your key is coerced out of you. But similar to OTR, it sounds nice on paper, but (maybe?) doesn't help too much in practice if LEAs are harassing and intimidating you.
I'm reading about it at the moment. Very interesting but there's a lot to take in.
Not sure that I remember exactly right, but I feel like there was also a big delay in hearing anything about Pertsev after he was arrested.
I feel like it has to be qualified that economic nodes' power is of a different quality. And yet I definitely don't disagree that these 4 categories exist, but also, the line between investors and economic nodes is very blurred.
Ever hit up a dev with some trouble you're having with software because you noticed they're a contributor? And then realized you've basically bothered someone with a question you could have gone to the community with? And then felt really bad when you realize you wasted the time of a galaxy brain who was nice enough to answer you instead of just ignoring you?
That's how I feel about reaching out to nostr:npub1vadcfln4ugt2h9ruwsuwu5vu5am4xaka7pw6m7axy79aqyhp6u5q9knuu7 for an issue with JAM (joinmarket) after hearing him describe his work on last week's nostr:npub1hkuk45c6c6h3y0rks0z4wa0wyyud5ru0qy0rn9x4dgnjwrnfy46s5a432p
Don't feel bad at all, it never hurts to ask. I don't do much work in that area nowadays, as it happens.
why "fees OR rate limiting"? I think you need both and the former is the solution for the latter (in anonymous user context).
With "fee" interpreted in the most general way possible. Any scarcity is possible. Hence things like RIDDLE/aut-ct, and indeed hence things like privacypass/cashu/any chaumian cash, lightning payments (weaker privacy but other adv.), etc. Although, in some contexts, some of those things need a kind of "bootstrap" (i.e. they might be private, but if you have to pay for them with a non-private payment the problem isn't fully solved).
The COPA vs Wright written judgement is out.
https://www.judiciary.uk/judgments/copa-v-wright/
Curious as to if there's a path to criminal prosecution here?
Not disagreeing entirely, but I'm not sure. People's response may depend on how directly they can empathise with the context.
Great to hear. I am not as bullish as many are on chaumian ecash generally, but for this it really ticks the boxes. Are you aware of privacypass? It was designed for a very similar use case, and cashu uses an almost identical crypto protocol.
Many analogies for the Tornado cash case have been offered, here's a better one ;)
You are a manufacturer of blinds for windows, and tinted windows for cars.
This is not the manufacture of something that harms people directly, or harms people if misused (you'd have a lot of trouble trying to kill someone with these products).
These products have a direct usage in aiding privacy and security (that the two are linked is apparently entirely unobvious to many in the general public when asked about the privacy issue, and apparently also unobvious to certain Dutch judges).
Once you sell the product, you have no further involvement. You may see a car with your tinted windows pass by on the road, but you can't stop that car, even if you somehow know that it is a bank robbery getaway in action. By their nature, your products make it more difficult for you to see if the actions occurring behind them are criminal or not criminal.
Finally, like literally every product on the planet that is *actually useful*, it IS useful in criminal activity. But as per the 4th paragraph, it is ALSO very useful in non-criminal activity.
If you got this far in reading, I'd like to pose the question: how do we get the general public to understand or care that this is the case?
I used to love squash. But I'm curious, I thought 'racquetball' was just the American word for 'squash'. Are they different sports?
> I'm not sure I understand your argument re cjs, is it that CISA makes batching in general cheaper with cjs being a byproduct, meaning that private txs would have no economic benefit over batched txs and, assuming cjs will continue to be centrally coordinated in a fee model, cj txs continue to be less economically favorable to non-cj txs even with CISA?
Yes. Except, I don't think the coordination (centralized or not) really plays a role in this analysis. It's just that subset sum analysis works if there is no ambiguity (simplest example: inputs: (3, 7) and outputs (2,0.5,3.6,3.4)); while in theory (see Bell's number) there are always a huge number of possible interpretations, in practice 2 normal payments are overwhelmingly likely. The "counterarguments" I mentioned: mainly I'm thinking of how, at large numbers of utxos consumed, ambiguities start to become common. As for the last sentence: cjs are not really less economically favourable, they gain from CISA in the same way as any other large tx does; the point is more: if the coinjoin is of the form of a batched payment it doesn't do anything much, whereas if you create an extra separate coinjoin in the right form to promote privacy it's an extra cost; with CISA it's just a smaller extra cost.
(Might help: I define coinjoin as any single transaction that cospends inputs of more than 1 party. See e.g. payjoin).
> Practically I think I disagree if we assume that the tx gets cheaper the bigger it gets with full aggregation - reaching sizes of 400+ inputs will likely mostly be unachievable for single signers, so i think cjs practically would have an economic benefit over non-private txs excluding fees (at least until there is non-private CISA collaboration).
Right that's another way of looking at it; if as per above coinjoin = any cospending then there's clearly a benefit to doing it, but my point is that isn't by default a "private tx". Maybe "somewhat private". By the way, curious historical fact: the first version of public coinjoin was by blockchain dot info and they used exactly this model, centralized, and without CISA of course - just take everyone's payments and throw them into a single big transaction. People were pretty ignorant back then
> Do you have any proposals in mind that would explicitly make privacy cheaper than non-privacy?
Almost anything offchain gets this by default. *More* private and *less* expensive. LN, Ark, sidechains, rollup models etc. I remember years ago talking about this as "cutting the Gordian knot of bitcoin privacy", because by default privacy techniques tend to use more space - see coinjoins, see confidential transactions; there's a natural way to create privacy by obfuscating by *adding* data. The difficulty is (1) to make offchain work *securely* is very difficult and (2) L1 always exists and so things like coinjoin IMO will always exist in some form (some level of obfuscation) but it will be at large values/sizes. As for what *that* might look like, yes CISA could be involved but there's lots of ideas out there, I like a model I called "coinjoin done right" (there's a talk on youtube with that title, btc++ cdmx), based on coinjoinXT, basically trying to make coinjoin steganographic so they can't be flagged, but people are branching out and trying various things. See e.g. wabisabi for payments in coinjoin, see e.g. nothingmuch's recent work. Also just channel dual funding by nostr:npub1e0z776cpe0gllgktjk54fuzv8pdfxmq6smsmh8xd7t8s7n474n9smk0txy et al. is a huge step forward
Should be 2.5,0.5 not 2,0.5 duh. Meant each input split into 2.
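The subset sum analysis from the exchange above, as an added example (not part of the thread): it enumerates every way of attributing each output to one input so that amounts balance, run on the post's corrected numbers (3, 7) -> (2.5, 0.5, 3.6, 3.4) and on a constructed second case where two readings exist. Fees are ignored, so totals must match exactly; the enumeration is exponential in the output count and is meant for small transactions.

```python
# Subset-sum linkage check: which outputs could each input have paid?
# Added example, not code from the thread. Fees ignored, so sums must balance exactly.
from fractions import Fraction
from itertools import product


def subset_sum_interpretations(inputs, outputs):
    """All assignments of outputs to inputs where each input's outputs sum to its value.
    Returns a list of tuples, one entry per input, holding the outputs attributed to it."""
    ins = [Fraction(str(v)) for v in inputs]
    outs = [Fraction(str(v)) for v in outputs]
    if sum(ins) != sum(outs):  # with no fee term the totals must balance
        return []
    found = []
    # Every output goes to exactly one input: len(inputs) ** len(outputs) candidates
    for assignment in product(range(len(ins)), repeat=len(outs)):
        sums = [Fraction(0)] * len(ins)
        for out_idx, in_idx in enumerate(assignment):
            sums[in_idx] += outs[out_idx]
        if sums == ins:
            found.append(tuple(
                tuple(outputs[i] for i, a in enumerate(assignment) if a == j)
                for j in range(len(ins))))
    return found


def linkage(inputs, outputs):
    """'unique': subset sum pins down one reading, so the analysis works.
    'ambiguous': several readings balance. 'none': no per-input split balances."""
    n = len(subset_sum_interpretations(inputs, outputs))
    return "unique" if n == 1 else "ambiguous" if n > 1 else "none"


if __name__ == "__main__":
    # The post's example with the author's correction (2.5 + 0.5 = 3): one reading only.
    print(subset_sum_interpretations((3, 7), (2.5, 0.5, 3.6, 3.4)))
    # Constructed case: 4 = 1 + 3 or 4, and 6 = 2 + 4 or 1 + 3 + 2, so two readings.
    print(subset_sum_interpretations((4, 6), (1, 3, 2, 4)))
```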
Unpopular opinion, but here it goes: UX is the most important problem we need to solve for Bitcoin Privacy.
We can hate on KYC exchanges all we want, but they've got UX nailed down. We cannot expect privacy to become the norm when I have to take an hour out of my day to make a P2P trade.
Now that CASPs will start delisting privacy assets like Monero and blocking coinjoined btc with the EU's new AMLR, we're being stripped of using regulated exchanges even semi-privately. This makes P2P exchanges like BISQ Network even more important, but it's of no use to regular users when you need an introductory course in computer science before understanding what's going on in the app.
Privacy will only become the norm when we make it usable for everybody. **If you're a UX designer, copywriter, or in any other way have expertise in UX design, please consider contributing BISQ:** https://github.com/bisq-network/bisq
ℹ️ If you're not a developer, contributing to GitHub projects can be scary. It really doesn't have to be. I can't tell my asshole from a python script either, and if I can do it, you can too.
Here's how to get started:
If you find a UX issue in the BISQ app that could be improved, start by opening an issue in the BISQ github repository. Give it a clear title describing the problem you want to solve.
Add screenshots or videos to your issue showing what the problem is. If you can, add a proposal for a potential solution. Bonus points if you can add wireframes, layouts or clickdummy documentation. For reference, see npub1zqsu3ys4fragn2a5e3lgv69r4rwwhts2fserll402uzr3qeddxfsffcqrs 's work on eNuts: https://github.com/cashubtc/eNuts/issues/341 (I don't know how to tag people here but you get the idea).
In open source projects, questions are your friends. I've spent countless hours asking every dev I know absolutely insufferable questions, and I still don't know how the fuck to get out of VIM. Everybody starts somewhere, and most people are happy to help.
If you already know how to use git or github and can code a little, ask where you could find the corresponding code for your problem in your issue and offer to do a PR. If you can't, ask what assets would be needed to implement your proposal. Remember that people are nice and generally happy about new contributors, even if you're a beginner.
If you have any questions on contributing to open source projects as a non-coder, feel free to reach out anytime. My DMs are open (I think).
It's a common perception that the problem with things like Bisq (P2P trade) is UI, but it's not.
First, it's crucial to distinguish between P2P trade of fiat for bitcoin and P2P trade of 2 different cryptocurrencies, because they're entirely different animals. I'm only going to talk about the former, because that's the one that really matters, and that's the hard one.
Problem 1: because of the ethically odious AML policies there is substantial real risk from counterparties. If you are receiving dollars/euros into your bank account without first doing a full scale police level investigation into your counterparty you are potentially violating AML and this could impact *your* bank account. Even if you did such investigations, if you start doing multiple such trades your account can easily get flagged and frozen. Nothing I'm saying here is theoretical, it really does happen, a lot.
Problem 2: The process of P2P fiat trade is *intrinsically* not convenient and doesn't give *traders* what they want, which is why it doesn't tend to have volume, and volume is a necessary component for convenience (low spreads, quick matching), to the extent that ordinary users just give up (when you see 15-25% spreads you tend to give up, that is not because you're a lazy user who needs good UI). It's true that e.g. in Europe you have SEPA and very quick bank-to-bank is possible, but it's very precarious and ironically, when problem 2 is solved, problem 1 just reappears quickly anyway.
Problem 1 is mostly solved by avoiding banks and using cash or cash substitutes in *small* amounts only. Localbitcoins had this perfect in the early days, but they got "done" at some point, and sold out to KYC only. I would even argue that a cash-only localbitcoins substitute that's Tor-only might be the best we could do ... if things get tough enough for people I could see them putting up with this inconvenience, but of course this is a world away from the volume you get from degen traders sitting in their bedrooms, who just want braindead point and click. But old localbitcoins for cash *did* work, though it is subject to stings by LEA, you only have to exercise minimal common sense to avoid the law coming for you. This is not a "solution" for 6 figure trades though ...
Problem 2, I don't think it really gets solved, if anything it'll get worse over time, as banks for the last decade have only moved in the direction of making conversion of fiat to bitcoin more and more absurdly difficult.
I was chatting a lot with Manfred Karrer right at the time he invented Bitsquare, I even managed to convince him not to use MAD 2 of 2 multisig, so you can blame me for that, and I tried it in the early days. It was honestly decent in UI even then (yes I know it *looks* complicated, but I mean, try using Interactive Brokers interface to trade stocks, it just takes a little time), and I'm sure it's way better now. IMHO, the problem is not UI.
Lol, Tim Ruffing did a funny and I don't think anyone noticed:
[1] It's so bad, we can't even agree on a spelling. BIP340 spells it "X-only", some people write "x-only", and some write "xonly", probably in order to save a byte
https://github.com/jonasnick/bips/issues/32#issuecomment-1177725159
Don't know if it's still true but for years bitcoin node IBD was like *the* stress test of a hard disk. People used to report failures all the time.