Tom Scholl

Cooperative unmixing for anti-money-laundering
June 03, 2013, 07:48:54 PM #1

Suppose everyone routinely mixes every coin they receive. A haven for money-launderers? Not if we don't want it to be...

TL;DR If a large enough % of people in a mix decide to secretly report their (input, output) mix pair to a chosen AML organisation, the organization can trace dirty money going through the mix. This can all be done automatically. This might lead to AML organizations encouraging model citizens to use mixers routinely to keep that % high.

Protocol

Whenever you make a payment to anyone with a freshly mixed coin, you generate a new Bitcoin address as a "notify" address for that coin. You sign the notify address with the address key you're paying from, and encrypt the result with Interpol's well-known public key (or it might be the UN, Bitcoin Foundation, etc).

You give this encrypted "notify" data to the person you've just paid.

If you haven't mixed your coin, you can forward any notify data you received with the coin to whoever you give your coin to, or you can decide you want to block the unmix and just don't pass on any data.

Now when Interpol sees the known proceeds of crime, address X, go into a mix, they wait for the mix outputs to hit well-known businesses like exchanges or Mike Hearn's whitelists in "Decentralized crime fighting". They talk with the exchange and ask for some help tracing address X. The exchange gives them the notify data they have for each coin coming from address X.

Then Interpol makes a standard low-value Bitcoin payment (eg min tx fee) to each notify address, from their well-known Bitcoin address corresponding to their public key.

Your wallet is watching your notify address, and can automatically take some action when it detects the payment from Interpol's address.

You'll have set your wallet to only let Interpol do so many unmixes per year, so they can't abuse the system. If they're within quota, your wallet makes a Tor connection to Interpol's server and securely submits your mix (input, output) pair, with signatures for both the mix input key and mix output key.

So every person who decides to help out Interpol sends them part of the information needed to reverse the mix, enabling them to follow the criminal's money and catch him when he spends it with a well-known business/whitelist server.

http://bitprivacy.org/files/unmixing.png

If it was a 100-person mix, and 90% decide to help Interpol, this system narrows their leads to 10 outputs. Interpol might actively encourage model citizens to routinely mix their coins, to push that percentage higher.

Adversaries

There can be any number of adversaries in a mix.

Adversaries can just be people who don't want to help that AML organization, or they may be malicious and colluding with each other and the criminal in order to implicate an honest participant.

By using the AML organization as a trusted 3rd party this algorithm is resilient to adversaries.

Why use a low-value Bitcoin transaction for notification, shouldn't this use a proper p2p messaging system like Bitmessage?

You could, but every wallet owner would have to sync up with this other messaging system just to help out with AML - I don't think the incentive is really there, hence this lightweight protocol.

Also as Bitcoin transactions are public, everyone can see exactly how much unmixing the AML organization is trying to do, and could adjust their unmix quota for them accordingly.

This tells the AML organization where my coins came from! Isn't there a better way?

Maybe. Here's what I've thought about so far:

Broken Probabilistic Technique

Instead of submitting your mix input/output pair to the authority, you could submit your input + a set of m outputs containing your actual output. This hides which your exact output was, and statistical analysis on the data could be able to narrow down the criminal to a few candidates. Repeat the process until you've got them.

But if there are many malicious participants, they can now totally subvert the process, and completely implicate an innocent party. So we can't use this algorithm.

Secure Multi-Party Computation

You might be able to use MPC to identify the criminal without leaking private data - I don't know enough about this to say.
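An added sketch of the AML organisation's side of the protocol above, not code from the original post: it accepts an (input, output) report only when both keys have signed the pair, and returns the mix outputs that no valid report accounts for. Lamport one-time signatures stand in for Bitcoin keys so it runs on the Python standard library; the address format, message layout and all names are assumptions, and the mix is constructed sample data.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def address_of(pub) -> str:
    # Hypothetical address format: truncated hash of the public key.
    return _h(b"".join(a + b for a, b in pub)).hex()[:16]

class Key:
    """Lamport one-time key: a stdlib stand-in (assumption) for a Bitcoin key."""
    def __init__(self):
        self._sk = [(secrets.token_bytes(32), secrets.token_bytes(32))
                    for _ in range(256)]
        self.pub = [(_h(a), _h(b)) for a, b in self._sk]
        self.address = address_of(self.pub)

    def sign(self, msg: bytes):
        return [self._sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        _h(s) == pub[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def pair_message(mix_id: str, in_addr: str, out_addr: str) -> bytes:
    return f"unmix|{mix_id}|{in_addr}|{out_addr}".encode()

def make_report(mix_id, in_key, out_key, claimed_out_pub=None):
    """Build a report; claimed_out_pub lets the demo model a false claim."""
    out_pub = claimed_out_pub or out_key.pub
    msg = pair_message(mix_id, in_key.address, address_of(out_pub))
    return {"in_pub": in_key.pub, "out_pub": out_pub,
            "sig_in": in_key.sign(msg), "sig_out": out_key.sign(msg)}

def residual_leads(mix_id, inputs, outputs, reports):
    """Return (leads, rejected): mix outputs no valid report accounts for."""
    claimed, rejected = {}, []
    for r in reports:
        i, o = address_of(r["in_pub"]), address_of(r["out_pub"])
        msg = pair_message(mix_id, i, o)
        valid = (i in inputs and o in outputs
                 and verify(r["in_pub"], msg, r["sig_in"])
                 and verify(r["out_pub"], msg, r["sig_out"]))
        # Also refuse a second claim on an input or output already explained.
        if not valid or o in claimed or i in claimed.values():
            rejected.append((i, o))
        else:
            claimed[o] = i
    return sorted(set(outputs) - set(claimed)), rejected

def demo():
    # Constructed 4-party mix: two cooperating users, one participant who
    # submits a false claim, and the traced input X (which never reports).
    names = ["alice", "bob", "mallory", "x"]
    keys = {n: (Key(), Key()) for n in names}      # (input key, output key)
    inputs = {k[0].address for k in keys.values()}
    outputs = {k[1].address for k in keys.values()}
    reports = [
        # Mallory pairs her input with Alice's output; she lacks Alice's key.
        make_report("mix-1", keys["mallory"][0], keys["mallory"][1],
                    claimed_out_pub=keys["alice"][1].pub),
        make_report("mix-1", *keys["alice"]),
        make_report("mix-1", *keys["bob"]),
    ]
    leads, rejected = residual_leads("mix-1", inputs, outputs, reports)
    expected = sorted([keys["mallory"][1].address, keys["x"][1].address])
    return leads, rejected, expected

if __name__ == "__main__":
    leads, rejected, expected = demo()
    print("leads:", leads, "rejected:", rejected)
```

The false claim is dropped because the output-key signature does not verify, so Alice's own report still clears her output and the leads are the two outputs nobody validly reported.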


cr1776

Re: Cooperative unmixing for anti-money-laundering
June 04, 2013, 01:12:46 AM #4

Quote from: Tom Scholl on June 03, 2013, 07:48:54 PM
> Suppose everyone routinely mixes every coin they receive. A haven for money-launderers? Not if we don't want it to be...

We who? Do you really want to have every financial move you make available to be scrutinized by everyone?

Mixing does not imply money laundering. In theory in the US you are innocent until proven guilty and exercising your rights to privacy is an important part of preserving freedom. Just because you have nothing to hide legally does not mean your bank account, sexual preferences and the like should be open to anyone else.

Tom Scholl

Re: Cooperative unmixing for anti-money-laundering
June 04, 2013, 01:34:52 PM #9
Last edit: June 11, 2013, 03:33:12 PM by Tom Scholl

Quote from: scintill on June 04, 2013, 06:27:15 AM
> Let the anti-anti-money-laundering tricks begin.

The whole public-ledger setup of Bitcoin can lead to a technological arms race on mixing/tainting. Of course, tainting only works if it's done on an international level as otherwise there'll be a p2p market for swapping US-tainted coins for Russian-tainted coins.

Anyway, sounds like no-one is really interested in this. I suspected as such but I thought I'd throw it out there anyway.

EDIT: Having thought about coin-swapping a bit more, it's a pretty complicated problem with a lot of attacks so I don't think it would immediately kill off more local tainting.

trout

Re: Cooperative unmixing for anti-money-laundering
June 04, 2013, 06:30:26 PM #11

OP, in your scheme "cooperating" citizens don't give any more information to the "interpol" than if they were not part of the mix at all. That is, "interpol" could just as well ask them not to take part in the mix. The only difference they make is that people who want their coins anonymised have more uncertainty as to how many people are using the system for the same purpose.

Tom Scholl

Re: Cooperative unmixing for anti-money-laundering
June 04, 2013, 10:30:53 PM #12
Last edit: June 04, 2013, 10:46:37 PM by Tom Scholl

Quote from: trout on June 04, 2013, 06:30:26 PM
> OP, in your scheme "cooperating" citizens don't give any more information to the "interpol" than if they were not part of the mix at all. That is, "interpol" could just as well ask them not to take part in the mix. The only difference they make is that people who want their coins anonymised have more uncertainty as to how many people are using the system for the same purpose.

I see what you're saying. But if you assume the criminals don't all know each other and group together (which they might well do) the statistics do imply more cooperating people is good:

Say we have 900 people who would cooperate, and 1 criminal, and 99 non coops.

Now if only 100 cooperating people use mixing, the total mix pool is 100 coops + 100 non coops.

If we're doing 10 person mixes, on average we'll get 5 coops and 5 non coops in a mix. Tracing an individual criminal is now pretty hard - you'll get 5 leads per investigation.

But if 900 cooperating people use mixing, the total mix pool is 900 coops + 100 non coops, and on average there'll be only one lead per investigation.
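An added calculation for the two scenarios in the post above, not part of the original thread: besides the per-mix average the post uses, it works out the full distribution of leads in the one mix that contains the criminal, which goes beyond the post's averages. It assumes mixes are filled uniformly at random from the pool and counts the criminal's own output as a lead; the function names are hypothetical.

```python
from math import comb

def lead_distribution(coops: int, non_coops: int, mix_size: int) -> dict:
    """P(number of unreported outputs) in the mix that contains the criminal.

    non_coops includes the criminal. The criminal takes one seat; the other
    mix_size - 1 seats are filled without replacement from the rest of the
    pool, so the count of extra non-cooperators is hypergeometric.
    Keys are lead counts (criminal's own output included).
    """
    others, seats = non_coops - 1, mix_size - 1
    total = comb(coops + others, seats)
    return {k + 1: comb(others, k) * comb(coops, seats - k) / total
            for k in range(max(0, seats - coops), min(seats, others) + 1)}

def summarize(coops: int, non_coops: int, mix_size: int) -> dict:
    dist = lead_distribution(coops, non_coops, mix_size)
    return {
        # Average non-cooperators in an arbitrary mix (the post's 5 and 1).
        "avg_non_coops_per_mix": mix_size * non_coops / (coops + non_coops),
        # Expected leads when the mix is known to contain the criminal.
        "expected_leads": sum(k * p for k, p in dist.items()),
        # Chance that every other participant reports, leaving one lead.
        "p_single_lead": dist.get(1, 0.0),
    }

if __name__ == "__main__":
    for coops in (100, 900):   # the two scenarios from the post
        print(coops, summarize(coops, 100, 10))
```

Under these assumptions the expected lead count in the criminal's own mix is about 5.5 with 100 cooperating users and about 1.9 with 900, and with 900 the traced output is the only lead in roughly 39% of mixes.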

scintill

Re: Cooperative unmixing for anti-money-laundering
June 04, 2013, 11:36:39 PM #13

Quote from: Tom Scholl on June 04, 2013, 01:34:52 PM
> The whole public-ledger setup of Bitcoin can lead to a technological arms race on mixing/tainting. Of course, tainting only works if it's done on an international level as otherwise there'll be a p2p market for swapping US-tainted coins for Russian-tainted coins.
>
> Anyway, sounds like no-one is really interested in this. I suspected as such but I thought I'd throw it out there anyway.

Agreed, but it seems you are jumping the gun on the arms race. I think few people are going to care either way until "tainted" coins are not accepted by MtGox or people are getting prosecuted for dealing in certain coins. Doing "The Moral Thing" on our own volition is too hazy of a concept to do any of this sort of thing without overwhelming economic or governmental pressure. At that point we will start doing exactly what is required to appease those pressures, no more or less.

oakpacific

Re: Cooperative unmixing for anti-money-laundering
June 05, 2013, 08:25:15 AM #15

I think OP's point is: "We the People" get to decide if someone's money should be traced, if we don't want to help out tracking down a certain person, the authorities should be powerless. Otoh, if we all decide to cooperate, whether the criminal uses Bitcoin or banknotes makes no difference, he can be traced.

Sukrim

Re: Cooperative unmixing for anti-money-laundering
June 05, 2013, 09:39:07 AM #16

As far as I understand it, "anti-launderers" can only "un-mix" as many transactions as they themselves have initiated. To uncooperative launderers that doesn't change anything, they would only increase the volume, which might lead to more customers, both reporting and non-reporting ones...

In your example, 5 inputs (2 unknown, 3 known ones) lead to 5 outputs (in reality probably 6 (--> operator's cut) or even more (--> splitting into more smaller outputs)) of which again 3 are known and 2 unknown.

I don't really see the point other than you paying fees and maybe being able to find out an algorithm behind the outputs (though I guess that can be circumvented if the laundry operator is using enough randomness) - you have the same situation as with only 2 unknown inputs and 2 unknown outputs.

It is a problem with coin laundries though that there is no clear idea who the other participants are - if you can not be convinced that these are not in fact a single entity or (worse) multiple colluding entities as you suggest, there's a problem. The "best" way to launder coins is still buying mining capacity at slightly above returns and request that coins be mined to one of your addresses. This way you'll get vanilla coins that should be untraceable. If you feel risky, you could even spend dirty coins as fee to be mined, but if your miner hits a fork/stale block just at that moment, you're potentially screwed as other miners then would take this juicy transaction from that block and mine it themselves.

Mike Hearn

Re: Cooperative unmixing for anti-money-laundering
June 09, 2013, 03:46:11 PM #17

Quote from: oakpacific on June 05, 2013, 08:25:15 AM
> I think OP's point is: "We the People" get to decide if someone's money should be traced, if we don't want to help out tracking down a certain person, the authorities should be powerless. Otoh, if we all decide to cooperate, whether the criminal uses Bitcoin or banknotes makes no difference, he can be traced.

That's exactly right - oakpacific gets it.

I have a bunch of thoughts on this. But firstly I'd like to thank Tom for being willing to take the inevitable arrows in his back and further research in this direction. It's not popular but it's useful to explore these topics in a neutral manner, without passing judgement on the desirability of the resulting ideas.

I have a lot of sympathy with Stephen's position ("financial privacy is not a crime"). It's a simple, efficient and fair position with no chance of innocent people being accidentally caught up in the system. Unfortunately, it's also wrong. In today's world financial privacy is a crime, that's the entire point of AML laws and I'm sure Stephen knows this. We may hate it, but it stands as fact.

Bitcoin is so new and unexpected (to people in government) that we have a window of time in which we can define the debate ourselves. Unfortunately, if we define it simply as "you are wrong about everything" we simply piss off and make enemies of large numbers of very powerful people, people who derive their power from the belief of ordinary citizens that they are being protected by that stripping of financial privacy.

The default view especially on this forum is to see everything as a battle, usually between good and evil. I prefer to see these things as interesting mental challenges - can we find some innovative compromise solution that makes everyone happy, or at least, if not happy then not actively at war with each other?

The idea of decentralised crime fighting is to present a credible alternative to today's world in which the NSA/Treasury/FinCEN/etc has a giant database of all financial transactions and mines them looking for terrorists. This arrangement is incredibly dangerous, opening as it does huge potential for abuse as we saw with WikiLeaks, but it also just undermines basic human dignity and is likely to produce huge numbers of false positives. And finally it reinforces the world view that solving social problems means giving ever more power to an ever larger state, a view not many of us have sympathy with. But simply saying the entire crime fighting apparatus should vanish will simply not be seen as credible by the people who were voted in to make those decisions.

So the question is can we imagine an entirely libertarian or even anarchist society in which people voluntarily co-operate to trace thieves and fraudsters? I think it's possible and Tom's research is an important part of that.

On the topic of MPC, yes, MPC can be used. In my original post I linked to a paper that showed implementing private set intersection with MPC can be efficient and is what I proposed (it also solves full set attacks).

I think the idea of quota-ing law enforcement is a good one, but it's unclear to me how people would select quotas. Perhaps some formula based on reported crime statistics would make sense - if crime in general is going down, the number of attempts to trace money flows should go down too. If you see those two statistics diverge it suggests an increasingly authoritarian government. Rather than quota, perhaps people could simply be paid for taking part - the payment from the police in this case would then not be min fee but rather, some value that tries to compensate people for giving up some of their privacy. This setup provides a nice way to decentralise things further as no particular police force or agency would be special, anyone who is willing to pay people to do a trace could do so. Probably for most people they'd be unwilling to give up that privacy no matter what amount of money is offered, but other people might feel differently.

cr1776

Re: Cooperative unmixing for anti-money-laundering
June 09, 2013, 11:40:31 PM #18

I think one of the issues that most people have with this type of proposal is that once the camel's nose is under the tent, it is invariably abused.

jdillon

Re: Cooperative unmixing for anti-money-laundering
June 10, 2013, 12:31:32 AM #19

Quote from: cr1776 on June 09, 2013, 11:40:31 PM
> I think one of the issues that most people have with this type of proposal is that once the camel's nose is under the tent, it is invariably abused.

Cooperative unmixing is only really voluntary if the people participating in the unmixing are anonymous. Otherwise you have known and non-anonymous individuals facing the charge of obstructing a police investigation. Though I will grant that it has the possibility of delaying investigations through multiple jurisdictions, not unlike the Tor model. Tor however is always pretty clear that participants are expected to not maintain logs, for a reason. So the question is why do we want to move away from that model? You have to ask what is so different about finance versus information that we suddenly give up our resolve to allow people freedom.

No-one talks about co-operative unmasking for Tor operators "just in case" we want to trace a crime committed over Tor that the community can agree on.