# Bitcoin and Anonymity

## Anonymity = pseudonymity + unlinkability

- Bitcoin addresses are public key hashes instead of real identities
  - Implies pseudonymity
- Unlinkability:
  - Different interactions of the same user with the system should not be linkable to each other

### Why is unlinkability needed?

- Many Bitcoin services require real identity (e.g., buying a coffee at a shop with Bitcoin)
- Linked profiles can be deanonymized by a variety of side channels

### Defining unlinkability in Bitcoin

- Hard to link different addresses of the same user
- Hard to link different transactions of the same user
- Hard to link sender of a payment to its recipient

### Quantifying anonymity

- Complete unlinkability (among all addresses/transactions)
- **Anonymity set**: the crowd that one attempts to blend into
- To calculate anonymity set:
  - define adversary model
  - reason carefully about: what the adversary knows, does not know, and *cannot* know

### Why anonymous cryptocurrencies?

- Block chain based currencies are totally, publicly, and permanently traceable
- Without anonymity, privacy is much worse than traditional banking!

## What about money laundering?

- Legitimate worry
- Bottleneck: moving large flows into and out of Bitcoin ("cashing out")

## Anonymity & decentralization: in conflict

- Interactive protocols with a bank are hard to decentralize
- Decentralization is often achieved via public traceability to enforce security

## Linking addresses

- Shared spending is evidence of joint control

![](https://i.imgur.com/9246fQG.jpg)

## Identifying service providers by tracking address activities

- Shared spending:
  - Accounts that pay for the same transaction would likely be linked to the same person
- Idioms of use:
  - Each address only used once as change
- Making transactions:
  - To tag service providers

![](https://i.imgur.com/iRPDG0t.jpg)

### To de-anonymise users

1. High centralization in service providers
   - Most flows pass through one of these -- in a traceable way
2. Address -- identity links in online forums

## Network layer de-anonymization

- Peer-to-peer network layer
  - "The first node to inform you of a transaction is probably the source of it"
- Solution
  - Use Tor

## Mixing

- Use of an intermediary

![](https://i.imgur.com/Ox41fVh.png)

- Online wallets

### Dedicated mixing services

- Promise not to keep records
- Don't ask for identity

#### Online wallets: reputable, often regulated, businesses

- Typically require identity, keep records => no anonymity w.r.t. wallet service
- Users trust them with their bitcoins => keep them for longer => bigger anonymity set w.r.t. everyone else

## Principles for mixing services

1. Use a series of mixes
   - Mixes should implement a standard API to make this easy

   ![](https://i.imgur.com/4kkSbsX.png)
2. Uniform transactions
   - In particular: all mix transactions must have the same value (*"chunk size"*)
3. Client side must be automated
   - Desktop wallet software
4. Fees must be all-or-nothing
   - Probabilistic fees: 0.1% mixing fee = mix will swallow chunk with 0.1% chance

Current mixes follow none of these principles

## Trusting mixes

1. Stay in business, build up reputation
2. Users can test for themselves
3. Cryptographic "warranties"
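
The shared-spending heuristic from "Linking addresses" and the change idiom from "Identifying service providers", as an added Python example that is not part of the original notes. The transactions and address names are constructed, and the "exactly one fresh output is change" rule is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample data (not real chain data): (txid, input addrs, output addrs),
# listed in chain order. S1 stands for a shop address that is reused.
SAMPLE_TXS = [
    ("tx0", ["X1"], ["S1", "X2"]),
    ("tx1", ["A1", "A2"], ["S1", "A3"]),  # A1 and A2 pay for the same transaction
    ("tx2", ["A3", "A4"], ["S1", "A5"]),  # A3 was the fresh output of tx1
    ("tx3", ["B1"], ["S1", "B2"]),
]

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(b)] = self.find(a)

def cluster_addresses(txs, use_change_idiom=False):
    """Group addresses an observer would attribute to one controller."""
    uf, seen = UnionFind(), set()
    for _txid, inputs, outputs in txs:
        for addr in inputs + outputs:
            uf.find(addr)  # register every address, even unlinked ones
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)  # shared spending => joint control
        if use_change_idiom:
            # Assumed simplification of the change idiom: if exactly one output
            # has never appeared before, treat it as the spender's change.
            fresh = [o for o in outputs if o not in seen]
            if len(fresh) == 1 and len(outputs) > 1:
                uf.union(inputs[0], fresh[0])
        seen.update(inputs, outputs)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for idiom in (False, True):
        clusters = cluster_addresses(SAMPLE_TXS, use_change_idiom=idiom)
        print(f"change idiom={idiom}: {len(clusters)} apparent entities")
        for c in clusters:
            print("  ", c)
```

On the sample, shared spending alone leaves 8 apparent entities; adding the change idiom merges them into 5, so the crowd an address can blend into shrinks with every linked transaction.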