Why I think stealth, backups and sidechains shouldn't be added in BitShares

in #bitshares4 years ago (edited)

I created this post in order to express my opinion, about the additions of some features in BitShares. I know that a lot of people won’t like what I’ll say, but I think that adding the stealth feature on BitShares is a very bad idea. Same goes for the on ‘’chain backups’’ and sidechains.

As some well-known community members pointed out, stealth has a few problems. The main one is the metadata. Shadowcash’s chain was denonymized because they hadn’t applied something appropriately. Dash and Shadowcash sold and are still selling fake promises that their finances are private. However in the near future even a small adversary will be able to analyse their chain. Is this a thing that the BitShares community wants to do? Sell fake promises to raise the market cap? NXT added CoinShuffle many months ago and nothing really changed. It isn’t just the damage that will be done by all the imminent problems, but also in terms of labor costs etc.

There are so many more things that will have to be done to the GUI and the chances of people losing funds is huge. Think of the efforts svk will have to put in making everything bug free. Also the backup feature as good as it might seem, it sounds very dangerous to me. New users will be storing online backups with poor passwords which will be easily cracked.

Want anonymity? Wash your coins appropriately before buying BitShares and spread them into random accounts and use TOR to stay anonymous.

Want a secure backup of your files? Try Sia or Storj after their full release, or another encrypted provider. The whole point of the blockchain is that you hold your private keys and not anybody else.

Also don’t forget about the fact that if you hide your balance you won’t be able to vote afterwards. That is quite worrying especially if you wanna hide a big amount. At least Yunbi won’t be hiding it’s balance, so it will be a big blow to how people receive funding.

Finally I wanted to add a side note on sidechains. Honestly that would be even worse than adding stealth. Doom scenario for sidechains : Bitcoins worth 2M USD are held by the Bitshares Blockchain.

  1. All witnesses collude to steal all coins or all witnesses are hacked and have no control, 2. Someone takes control over big proxies or stakes and votes witnesses his/her own (Hacking proxies or exchanges) 3. Big proxies/holders/exchanges collude to steal funds

Bytemaster said that it wouldn’t make sense for someone do so. But did he consider the fact that BitShares are a lot less liquid that Bitcoin? Even if Bitshares were worth 20M USD the fact that they are illiquid makes them worth a lot less than they actually are.

For example if someone controls a big stake, he can then open a big short position on Bitshares, take all Bitcoins and then sell the rest of the shares if he managed to steal any. After the hack there will be a panic sell of BitShares, not of Bitcoins though. 2M USD worth of Bitcoin’s can be hacked and nobody cares. If 2M USD of BitShares were hacked, the panic would be over the roof and the price of BitShares below the floor. His short position would make him huge profits, plus he could make the price go down even more by selling his shares. Currently someone needs to either control all the voting shares (about ¼ of the total supply) or 1/3 to ½ of the non voting BitShares.

In conclusion I would like to point that all these features as good as might seem, are very dangerous. The BitShares community should focus on more practical stuff, especially in the following :

Rate limited fees, Autobridging, Maker/Taker, Negative Fees, Smartcoin Park rates, Bond Market, MetaTrader Integration, Trading Bots. All these would add a lot of potential and value to BitShares, they don’t have any hidden dangers for the BitShares platform and their cost is relatively low. At current rates they could be done in 1 year.

PS I do want privacy, but stealth isn’t the answer. I know a lot of time has been spent on this feature, but we need to move forward without it.

Sort:  

ShadowCash was de-anonymized because the developers had adopted ring cryptography from CryptoNote and applied it to the Bitcoin Core codebase. In doing so, they had to modify certain parameters as the underlying elliptic curve used in the two protocols are different.

What happened was that they chose to hash some values that allowed someone, i.e. Shen Noether from Monero, who knows some basic Linear Algebra and Cryptography to apply a type of Gaussian Elimination to obtain which public key was used in the supposed anonymous send if someone wanted to use Ring Cryptography to hide the fact they are the sender. This, as you mention, de-anonymizes their chain, since it was incorrectly implemented.

A fix was found by a different team of developers (I forget by whom at the moment) and, from what I could tell, the dev(s?) seemed to have a firm grasp on the underlying mathematics and subsequently released his/her/their solution as a clone of ShadowCash.

A week or two later, the Shadow Team adopted precisely this fix.

Now, this is also fundamentally different from stealth addresses, which masks the receiving address, and not the sender address.

I can confidently say that both stealth addresses and the use of ring cryptography to anonymize both the receiver and sender in a transaction, respectively, are more powerful technologies than 'washing' and using TOR. To think that this is a 'gimmick' or a 'fad' to raise the market cap and to believe that these are 'false' claims (even by DASH, as the mixing that is done is, for all intents and purposes, a "practical" solution) about how much privacy is obtained is a gross misunderstanding of the mathematics.

To be honest, I didn't know that this was the exact story behind Shadowcash, but regardless of what happened and how, I wanted to point out that this is serious stuff. In order to apply this stuff properly, good cryptographers are needed, and not just some good coders.

I totally agree with everything you mentioned. My point is that if you wanna add a gimmick to BitShares, just do it with gimmicks that already exist... Are we going to add ring signatures and stealth addresses to BitShares? Hell no...

Even some people within Dash know that Darksend isn't 100% secure and private. It is a new technology and you never know when someone will be able to break into it. Imagine thinking that you are anonymous and then one day waking up, 5 years later and you realize that all your transactions have been denonymized. Not all people need temporary privacy or anonymity. This is serious stuff where lives might be in danger after such 'revelations'. It isn't just investors trying to hide money like it probably will be in BitShares. Again, there is little privacy, privacy and total privacy-anonymity. If I had to chose the first one, I'd rather not have it at all.

Also at the moment they offer no good obfuscation of IP and many people, including myself, were complaining about this. Mixing was taking hours first and then they added people who get paid to offer liquidity. What are the problems with this :

Let's say CoinJoin offers quite good privacy. There are the following problems :

  1. Only the destinations are mixed up, not the amounts. So someone can track back who sent what with some good analysis.
  2. By not protecting your IP, especially when your mixes take hours, someone could easily find out who you are.
  3. We don't know how many Masternodes are not compromised/control/owned by adversaries. It is currently assumed that only a small portions of the nodes is malicious.
  4. When people offer just liquidity, an attacker can easily see who they are as their funds are probably going from CoinJoin to CoinJoin, while the rest of the participants might spend their coins somewhere.

CoinJoin and Stealth addresses would be pretty good, at least a lot better than CoinJoin itself. But again even these are not enough. If you can't hide the fact that you are using Monero, Dash etc, then there is little chance of being able to stay anonymous.

I don't think adding ring cryptography or stealth addresses would be necessarily difficult to include into BitShares. I'm more than happy to lend my expertise on the matter. Then again, what do I know ?

The other issues you raise need to be addressed as well.

  1. You are right that there is some type of amount information that can be used for analysis, particularly the number of tokens moved from 1 address to another. From what I understand Monero Research Labs is considering this problem.

  2. VPN + TOR. Most coins are using TOR anyway nowadays ... those that aren't, you can't really do much about it, unless you use a snapshot of the blockchain at a particular time and then re-launch with TOR added.

  3. Indeed a problem. Run your own masternode. I will be once I have enough DASH saved.

  4. I'll have to think on this one a bit more.

I'm a proponent of implementing simple blinded transfers first and not the current privacy-leaking stealth implementation. Then much later a better design for stealth could be implemented. But even with that approach you do bring up a very good point:

Also don’t forget about the fact that if you hide your balance you won’t be able to vote afterwards. That is quite worrying especially if you wanna hide a big amount. At least Yunbi won’t be hiding it’s balance, so it will be a big blow to how people receive funding.

This is a pretty big concern. I wish there was some way to have voting without exposing the balance that is voting. The only way I have thought of requires exposing your balance to a third-party that accumulates the votes (but is cryptographically prevented from falsifying the votes). Even then there are tricky privacy leaks that are still possible.

Perhaps it makes more sense to have the voting BTS balances be public but stored in an anonymous account that is not linked to the user's normal account. But doing that right means simple blinded transfers are not enough and a better stealth implementation is needed (decentralized on-blockchain coin mixing). So in that case perhaps it makes sense to delay blinded transfers as well until a proper stealth mechanism is designed and implemented.

Finally I wanted to add a side note on sidechains. Honestly that would be even worse than adding stealth. Doom scenario for sidechains : Bitcoins worth 2M USD are held by the Bitshares Blockchain.

Yes, that is a major and potentially devastating risk for BitShares if sidechains were implemented. But there is also great benefits from sidechains, namely that our DEX would actually be decentralized from the perspective of typical cryptocurrency traders who have no interest in smartcoins. Also, you must compare it to the current situation. Right now the trust is in, for example, OpenLedger (a single entity) to not steal the BTC reserves for OPEN.BTC. Now I think OpenLedger is trustworthy, but I think it is a valuable example to use as a point of comparison to sidechains. So instead of the majority of witnesses colluding, OpenLedger would just need to decide to steal the reserves. Instead of the majority of witnesses getting hacked, only OpenLedger would need to get hacked for a hacker to steal the reserves. Decentralization through this sidechain mechanism reduces the risk.

Of course, if the multisig is not selected as a set of trusted parties but rather a dynamic set of witnesses, then a new risk is introduced which you mentioned. That is the risk that someone might compromise the big proxies (or exchanges holding huge amounts of BTS), and use that voting power to vote in their sockpuppets as witnesses for just long enough so that the control of the reserve is handed over to them according to the sidechain protocol. This is a legitimate risk, but we need to decide if it is enough of a risk to outweigh the immense benefits of sidechains.

That said, a lot of the other features you mentioned at the end are also very valuable for BitShares. And perhaps many of them should be prioritized over sidechains.

The model of BitShares isn't good for privacy and people have to understand this. Voting, is far more important than hiding some balances. When we grow, we can add these features. It is like joining a startup and expecting nobody to know who you are, how big your share is and what you are doing, even people within your business/startup.

Right now, I can see a few potential solutions before we move into Stealth and not all of them are great, but are worth mentioning:
1)Split BitShares into VoteBTS and PayBTS (NXT is going to do something similar and got into a lot of trouble)
2)Add CoinJoin/CoinSuffle/Ring Signatures so that people can keep on voting (CoinJoin and Coinshuffle are worthless without huge demand for mixing)
3)Make voting anonymous

The 3rd one is really important in my opinion. If voting is anonymous, then people can use the some simple stealth address implementation, without worrying about leaking information about the fact that they are voting. The main problem at the moment is that very few people are voting and their opinions are public. So even if someone could vote with his stealth balance, that would be very problematic, in the sense that his balance and address would visible by inspecting the votes that workers/witnesses/committee are getting.

Add stealth, only and only if any of the other protocols are useless and if anonymous voting is possible and people want it. But anonymous voting has many problems itself and probably is nearly impossible to achieve.