Design B: Users provide inputs, outputs and collateral at once. In this case the master node knows who is sending money to who, but later it can tell who didnt sign.
Ive chosen to use design B (users will add inputs and outputs at the same time) because its the only design that cant be attacked in the way youre saying.
Okay he has confirmed that you are not anonymous to the master node, as I wrote upthread would be the case if he associates the collateral transaction with both input and output stages of the CoinJoin.
eduffield I would like to say that is not acceptable because for the same reason I don't want to use mixer or laundry website, I can't know if the master node is an NSA honeypot.
I would like to suggest you think about my divide-and-conquer idea as another electable option for users.
If there is failed stage, then divide the inputs into two groups. Then ask for outputs again. Divide and conquer as necessary, then the join will complete.
Not ideal, but at least you don't break anonymity and require trust of the master node.
Best of luck with it.
+1
definitiv an nice idea to use a "divide-and-conquer"-algorithm on signing !
the master node is still elected randomly, so no node will be default master everytime
yes, but if you could do it better, than do it better, even if the current solution seems trustfull and enough (because of randomly chosen nodes), but something like the divide-and-conquer approach will help it to make it even better in my eyes.
ofc there are problems, too - which needs a solution. like - if you divide-and-conquer, at some points the darksend transaction wouldn't be as obfuscating as it could be, because only a fragment of users would be in that darksend transaction. (right?)
but i believe thats a good idea, which could help us.
Problem with trusting a random node is Sybil attacks. Unless the cost of creating a node is significant, the adversary can flood with nodes.
Also a market could develop for buying the information from nodes.
Trusting a node is not anonymity. It is a form of privacy.
Can you have perfect trust with perfect anonymity? Or are they dynamic dualities
I'm having trouble conceiving how trust might work with perfect anonymity and vice versa
Let's differentiate between anonymity and privacy.
Anonymity means that no one can know some aspect of your identity, e.g. you might decide to reveal the name of your company but never who runs that company.
Privacy means only some people know some aspect of your identity, e.g. the merchants you buy from may know your account number but otherwise not public unless revealed by one of those merchants.
Anonymity is a more secure form of privacy because there is no trust involved, because no one knows what you have not revealed to anyone.
So I can choose to trust a merchant who reveals its name and stakes its reputation on that name, without needing to know who owns that merchant. The key here is that prior bad outcomes don't follow the owner to new ventures. So history of performance of a merchant becomes paramount.
If I don't want to trust a merchant to deliver the goods, the merchant and I can agree on a 3rd party escrow agent with multisig on payment (both I and escrow agent must sign for payment to be transferred to merchant). Again no need for the escrow agent to reveal his/her true name rather the historical reputation of a pseudonym will suffice.
Ditto on contracts, arbitration agents can be chosen on contract signing.
In short, our personal identity can be orthogonal to our business performance identity.
This allows us to fail and start over again. It is very forgiving. And it keeps the government, conniving attorneys, and the Kangeroo court system out of our business.