Research Summary: SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Mixing Techniques

--- tags: Summary category: Privacy --- # Research Summary: SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Mixing Techniques ### TLDR * This paper reviews and evaluates mixing techniques in the Bitcoin blockchain ecosystem in terms of privacy, security, and efficiency. * CoinJoin-based techniques are commonly used because they reduce the number of transactions needed to run a Bitcoin-mixing protocol, but fail to provide a large anonymity set. * Atomic swap and CoinJoin-based techniques meet the theft resistance criterion which protects user personal information during transactions. ### Core Research Question How do different mixing techniques compare when it comes to increasing users’ anonymity on the Bitcoin blockchain? ### Citation Ghesmati, S., Fdhila, W., and Weippl, E. September 2021. SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Mixing Techniques. SBA Research, Vienna University of Technology. https://eprint.iacr.org/2021/629.pdf ### Background - **Mixing:** A mechanism that hides the correlation between input and output so an attacker cannot trace an input based on a blockchain transaction. - **Deanonymization:** The process of mapping Bitcoin addresses to their original entities. - **Timelock transaction:** A smart contract primitive that restricts spending until a specified time or block height is reached. - **Hashlock transaction:** Transaction locked by a signature and preimage of a hash. Unlocking the transaction requires publicly revealing a specific piece of data. - **Hash time locked contracts (HTLC):** A script that uses both a hash- and timelock transaction to conceal a transaction. - **Side-channel attacks:** Attacks using information gleaned from the implementation of a contract rather than its weaknesses. - **Stealth address:** A single-use address, generated for a single transaction which makes it possible to anonymously send coins directly to a recipient's address. - **Anonymity set:** A privacy criterion that evaluates the set of individuals in the mixing transaction for enhanced anonymity. - **Unlinkability:** A privacy criterion that evaluates whether the user can receive coins from a different transaction to a distinct address. - **Untraceability:** A privacy criterion where the user cannot find who the sender is based on the transaction address. - **Payment value privacy:** Whether or not blockchain data analysis protects the value of a transaction from observation. - **Theft resistance:** In cryptocurrency, whether or not coins can be stolen during a transaction. Bitcoin has built because an adversary would need access to the private keys to take currency. - **DoS resistance:** A security criterion evaluating user’s ability to refuse in computing a transaction. - **Sybil resistance:** Reistance to a form of attack in which an adversary uses multiple identities to gain influence. - **No interaction with input users:** Whether or not there is interaction between participants for creating a transaction. - **No interaction with the recipient:** An efficiency criterion determining if there is no interaction with the recipient to create the mixing transaction. - **Bitcoin compatible:** Whether or not a technique is compatible with Bitcoin’s blockchain. - **Direct send to the recipient:** Whether or not coins are sent directly to the recipient. - **Number of transactions:** An efficiency criterion that requires the minimum number of transactions used to complete the protocol. - **Minimum required block:** An efficiency criterion that requires the minimum number of blocks to complete the protocol. - **Centralized Mixers:** a mixing technique relying on a centralized party where senders have their coins mixed and forwarded to corresponding recipients. - **Atomic Swap:** a mixing technique that gives the user the ability to exchange coins directly with one other when each party is paid. - **CoinJoin based:** a mixing technique that utilizes non-third party techniques without a single point of failure. Helps prevent theft and remove fees associated with mixing. - **Threshold signatures:** a mixing technique using joint signatures that can be signed by a threshold of signatures to reclaim a transaction. ### Summary - This paper attempts to compare how various mixing techniques increase users’ anonymity on the Bitcoin blockchain. - It begins with a literature review describing mixing techniques and then introduces a selection of de-anonymization attacks. - The mixing techniques are broken down into four main groups: Centralized Mixers, Atomic Swap, CoinJoin based, and Threshold signatures. - These mixing techniques are reviewed and evaluated against the criteria of security, efficiency, and privacy. - The evaluation section explains how most privacy techniques are Bitcoin compatible and untraceable, yet flaws still remain in the blockchain’s security, which could lead to privacy being compromised. - The paper explains how mixing techniques require fees which can make practical implementation unaffordable. - The paper also explores the idea of law enforcement partnering with blockchains to hold users accountable for taking advantage of mixing techniques to exploit privacy. ### Method - The authors search for research papers published between 2009 and 2020 on mixing methods. - Papers were selected based on whether the technique is compatible with Bitcoin blockchain, a novel area that the community is already interested in, and unique privacy solutions. - Mixing techniques were organized into four groups: centralized mixers, atomic swap, CoinJoin-based, and threshold signatures. - Each technique is then evaluated on the basis of three main categories: security, privacy, and efficiency. - Within those categories, there are sub categories that are defined which help the authors check the techniques on a specific level. - Privacy’s subcategories include anonymity set, unlinkability, value privacy, and untraceability. - Security includes theft resistance, DoS resistance, and sybil resistance. - Efficiency included no interaction with input users, no interaction with recipient, Bitcoin compatibility, and direct send to recipient. ### Results ![](https://i.imgur.com/VAVnZoY.png) - Most, if not all, of the techniques checked had untraceability and BTC compatibility. - The majority of threshold signatures, CoinJoin based, and atomic swap techniques were theft resistant. - The majority of centralized mixers and atomic swaps were DoS resistant, Sybil resistant, had no interaction with input users, and had direct sends to recipients. - Only one CoinJoin based technique, known as the value shuffle, had unlinkability. ### Discussion and Key Takeaways - **Anonymity Set:** Most of the techniques provide a large anonymity set, but timelock transactions in the techniques curb it. - **Unlinkability:** Users always needed to create new addresses to receive mixed coins, unless the technique used stealth addresses. - **Untraceability:** Techniques that have partial coverage of untraceability are those which have internal traceability, in which the connection between inputs and outputs is traceable among the participants. - **Value privacy:** Hiding the value of a transaction and preventing the tracing of transactions increases transaction privacy. - **Theft-resistance:** Though theft can be detected in the techniques, it cannot be prevented since they need the majority users to be honest in this peer-to-peer network. - **DoS-resistance:** Most CoinJoin techniques lack DoS resistance because they need users to act honestly. Centralized mixers and atomic swap techniques are DoS resistant because participants are not allowed to abort the protocol and affect other users. - **Sybil-resistance:** Most techniques prevent Sybil attacks by receiving a fee upfront. - **No interaction between input users:** Most CoinJoin-based techniques require input user interactions since they require input registration, then the creation of the transaction, and signing to show availability of the users during the protocol. - **No interaction with the recipient:** Obscoro, PayJoin, and Payswap require interaction with the recipients where the recipients are required to be online to complete the protocol. - **BTC Compatibility:** Most techniques are compatible with the Bitcoin blockchain. - **Direct send to recipient:** Most centralized mixers and atomic swaps provide the user to send coins to their own address and to their intended destination. - **Number of transactions and Minimum required block:** Atomic swaps have the highest number of transactions which results in higher fee costs and delays. While Coinjoin based have the least amount. ### Implications and Follow-ups - As these techniques are slowly being implemented, the question of the extent of user privacy awareness arises. - How much of the privacy of these techniques is actually private based on user knowledge? - There is the implication that people, who are aware of the consequences of de-anonymizing the blockchain, can take advantage of these techniques for illicit activities. - As a result,law enforcement could collaborate with parties involved in blockchain transactions to find criminals, which will bring accountability. ### Applicability - Implementing mixing techniques such as PayJoin could provide privacy for users since it can break the common input ownership heuristic. - Some mixing techniques can be used to help distinguish transactions that are illicit versus regular ones. This can become more effective with the help of law enforcement.