Module 5
Anonymity
• Which one is true?
– “Bitcoin is a secure and anonymous digital currency”
– “Bitcoin won't hide you from the NSA's prying eyes”
– Both are true to some extent. In a Bitcoin transaction the (hash of the) public key serves as your identity, so the transaction itself is anonymous. However, as soon as you transact with an online wallet service, exchange, or other merchant that demands your real-world identity, your transactions become linked to that identity, so you cannot stay hidden
• Anonymity basics
– Definition of anonymity
• At a literal level, anonymous means “without a name”, which leads to two possible interpretations
– Interacting without using your real name
» Bitcoin is anonymous in this sense: you do not use your real name, you use the hash of a public key
– Interacting without using any name at all
» The address you use is a pseudo-identity rather than your real name; this is pseudonymity
• In computer science, anonymity refers to pseudonymity
together with unlinkability
– Unlinkability means that if a user interacts with the system
repeatedly, these different interactions should not be able to be tied
to each other from the point of view of the adversary in consideration
• Difference between Anonymity and Pseudonymity
– On a Reddit forum (pseudonymous)
• you pick a long-term pseudonym and interact over a period of
time with that pseudonym.
• You could create multiple pseudonyms, or even a new one for
every comment, but that would be tedious and annoying and
most people don’t do it.
• So interacting on Reddit is usually pseudonymous but not
quite anonymous
– On 4chan, by contrast (purely anonymous)
• 4chan is an online forum in which users generally post anonymously, with no attribution at all
• Does pseudonymity provide privacy?
– NO!!! If anyone is ever able to link your Bitcoin address to your real-world identity, then all of your transactions — past, present, and future — will have been linked back to your identity. How can this happen?
• If you interact with a Bitcoin business — be it an online wallet service, exchange, or other merchant — they are usually going to want your real-life identity in order to let you transact with them
– An exchange might require your credit card details, while a merchant will need your shipping address
• Side channels
– Even if a direct linkage doesn't happen, your pseudonymous profile can be de-anonymized through side channels, i.e. indirect leakages of information.
• For instance, an adversary can correlate the times of day at which a Bitcoin pseudonym is active with other publicly available information: if some Twitter user is active during roughly the same time intervals, that creates a link between the pseudonymous Bitcoin profile and a real-world identity
• Does pseudonymity guarantee privacy or anonymity?
– NO!!! The stronger property of unlinkability is necessary for guaranteeing privacy and anonymity.
– Unlinkability: key properties that are required for Bitcoin
activity to be unlinkable:
1. It should be hard to link together different addresses of the same
user.
2. It should be hard to link together different transactions made by
the same user.
3. It should be hard to link the sender of a payment to its recipient.
– The real challenge is the third property
• If you interpret “a payment” as a single Bitcoin transaction, then the third property is clearly false: the block chain shows the sender and recipient of every transaction
• The interpretation we want is the ultimate recipient: it should not be feasible to link the sender and the ultimate recipient of a payment by looking at the block chain, which is publicly available
• Anonymity set
– Somebody looking at the block chain will still be able to infer something from the fact that a certain number of bitcoins left one address and roughly the same number of bitcoins (minus transaction fees, perhaps) ended up at some other address
• The advantage is that even if the adversary knows you made a transaction, they can only tell that it is one of the transactions in the set, but not which one
• The set of other transactions among which your transaction is hidden is known as the anonymity set
• POSSIBLE SOLUTION: maximize the size of the anonymity set — the set of other addresses or transactions amongst which we can hide
• Calculating the anonymity set is tricky
– There is no general formula, so each protocol and system has to be analysed carefully on a case-by-case basis
– Since the anonymity set is defined with respect to a certain adversary or set of adversaries,
• you must first concretely define your adversary model.
• You have to reason carefully about
– what that adversary knows
– what they don't know
– what we are trying to hide from the adversary
» i.e. what the adversary must not be able to learn for the transaction to be considered anonymous
• Taint analysis
– Taint analysis is a way of calculating how “related” two addresses are; it is sometimes used to argue that you have a high degree of anonymity in a certain situation
• If bitcoins sent by an address S always end up at another address R, whether directly or after passing through some intermediate addresses,
• then S and R will have a high taint score.
• The formula accounts for transactions with multiple inputs and/or outputs and specifies how to allocate taint.
– But taint analysis is not a good measure of Bitcoin anonymity, because it implicitly assumes that the adversary uses the same mechanical calculation to link pairs of addresses.
• A slightly cleverer adversary may use other techniques, such as looking at the timing of transactions, or even exploit idiosyncrasies of wallet software
• Why do we need anonymity?
– The first is simply to achieve the level of privacy that we are
already used to from traditional banking and mitigate the
deanonymization risk that the public block chain brings.
– The second is to go above and beyond the privacy level of
traditional banking and develop currencies that make it
technologically infeasible for anyone to track the
participants.
• Ethics of anonymity
– Anonymity is needed to keep certain important information hidden
– Truly anonymous cryptocurrencies can also be used for money laundering or other illegal activities
• Cryptocurrencies are no panacea for money laundering or other financial crimes, since the interface between digital cash and fiat currencies is still NOT anonymous
– It is not possible to design the system so that the good uses of anonymity are allowed and the bad uses are somehow prohibited
Tor: anonymous communication network
• The same dilemma was faced by Tor, an anonymous communication network.
• Anonymous communication enables bad actions at least as much as anonymous cash flows do.
• Tor is a communication system that:
– routes messages between a sender and a receiver through a network of nodes, and
– through encryption, ensures that as long as some of the nodes in that network are honest, the adversary is not able to link the sender to the receiver
• Let's look at some activities, good and bad, that can happen on the Tor network.
• Good, used by:
– ordinary people who want to protect themselves from being tracked online by marketers, or who want various other privacy properties when browsing websites
– journalists, activists and dissidents who do not want to be identified
– law enforcement, who want to be able to visit websites without revealing that their IP address comes from a law enforcement block
• Bad, used by:
– botnets, to spread malware between nodes in the network
– child abusers
• Distinguishing between these uses at a technical level is essentially impossible, so Tor has had to grapple with this issue.
• In the end, the conclusion was that it is better for the world that the technology exists than that it doesn't.
• In fact, one of the main funders of Tor is the US State Department.
• They are interested in it because Tor helps dissidents in other countries who might be fighting oppressive governments, and so on.
• Of course, we have to remember that there is a level above the technology at which law enforcement has a variety of ways to get to people who are using these systems for bad purposes.
• Anonymization vs. decentralization
– The design criteria of anonymization and decentralization are often in conflict with one another
• Chaum’s ecash achieved perfect anonymity in a sense, but
– only through an interactive blind-signature protocol with a central authority, a bank.
– Such protocols are very difficult to decentralize, and even if we could decentralize them, we would still need some mechanism to trace transactions and prevent double spending.
• How to de-anonymize Bitcoin?
– WikiLeaks' donation page makes sure that each donation it receives goes to a new public key created just for that purpose: clicking the refresh button next to the donation address replaces it with an entirely new, freshly generated address
– WikiLeaks receives each donation separately, and presumably can also spend each of those donations separately. But things quickly break down as soon as several donations have to be spent together.
• Linking
– Anyone who sees a transaction that spends two inputs can infer that the two inputs are most likely under the control of the same user.
• In other words, shared spending is evidence of joint control of the different input addresses.
– There could be exceptions, of course.
• Perhaps Alice and Bob are roommates and agree to jointly purchase the teapot by each supplying one transaction input. But by and large, joint inputs imply joint control.
• The adversary can repeat this process and transitively link an entire cluster of transactions as belonging to a single entity
• Linking
– An adversary can link addresses by
• treating shared spending as evidence of joint control
• monitoring change-address transactions
• repeating this process transitively, thereby identifying a cluster of addresses belonging to a single entity
• Idioms of use
– A powerful heuristic for identifying change addresses
– Researchers found that wallets typically generate a fresh address whenever a change address is required
• change addresses are therefore generally addresses that have never before appeared in the block chain
• Non-change outputs, on the other hand, are often not new addresses and may have appeared previously in the block chain
– An adversary can use this knowledge to distinguish change addresses and link them with the input addresses
• Exploiting idioms of use can be error prone
– The fact that change addresses are fresh addresses just happens to be a feature of current wallet software, not a guarantee
– The researchers found that the heuristic produced a lot of false positives, in which they ended up clustering together addresses that didn’t actually belong to the same entity.
• They reported that they needed significant manual oversight and intervention to prune the false positives
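The two heuristics above can be combined into one clustering pass. The following Python is an added example, not code from the lecture notes or from the research they cite: it runs the shared-spending and fresh-change heuristics over a small constructed chain (the address labels such as A1 and M1 and the amounts are made up) to show how a few ordinary payments merge Alice's addresses into a single cluster, and what the change heuristic adds on top of shared spending alone.

```python
"""Address clustering with the shared-spending and fresh-change heuristics.

Added example, not code from the lecture notes. Transactions are
constructed toy data; addresses are short labels, not real Bitcoin
addresses. The heuristics follow the notes:
  1. shared spending: all inputs of one transaction are assumed to be
     controlled by the same entity;
  2. fresh change: an output whose address has never appeared before in
     the chain is assumed to be change and is linked to the inputs.
"""
from collections import defaultdict

# Constructed sample chain: each tx is (inputs, outputs), mapping address
# to value in BTC. Processed in order, so "fresh" means "never seen so far".
SAMPLE_CHAIN = [
    # Customer C1 pays merchant M1; both outputs are fresh, so no change
    # address is inferred here (that is where false positives would start).
    ({"C1": 1.0}, {"M1": 0.6, "C2": 0.4}),
    # Alice spends A1 and A2 together (shared spending); M1 was seen in the
    # first tx, so the only fresh output A3 is taken as her change.
    ({"A1": 1.0, "A2": 0.5}, {"M1": 1.2, "A3": 0.3}),
    # Bob pays M1; B2 is fresh and therefore treated as Bob's change.
    ({"B1": 2.0}, {"M1": 1.5, "B2": 0.5}),
    # Alice later spends the change address A3 together with A4; A5 is fresh.
    ({"A3": 0.3, "A4": 0.7}, {"M1": 0.9, "A5": 0.1}),
]


class UnionFind:
    """Minimal union-find used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(chain, use_change_heuristic=True):
    """Return {representative: sorted cluster members} for the whole chain."""
    uf = UnionFind()
    seen = set()
    for inputs, outputs in chain:
        in_addrs = list(inputs)
        # Heuristic 1: all inputs of a transaction are jointly controlled.
        for addr in in_addrs[1:]:
            uf.union(in_addrs[0], addr)
        for addr in in_addrs:
            uf.find(addr)            # register singletons too
            seen.add(addr)
        if use_change_heuristic:
            # Heuristic 2: if exactly one output has never been seen, treat
            # it as change and link it to the inputs. Requiring exactly one
            # fresh output keeps the false-positive rate the notes warn
            # about somewhat in check.
            fresh = [a for a in outputs if a not in seen]
            if len(fresh) == 1:
                uf.union(in_addrs[0], fresh[0])
        for addr in outputs:
            uf.find(addr)
            seen.add(addr)
    clusters = defaultdict(list)
    for addr in uf.parent:
        clusters[uf.find(addr)].append(addr)
    return {rep: sorted(members) for rep, members in clusters.items()}


def cluster_of(chain, addr, use_change_heuristic=True):
    """The sorted cluster containing a given address."""
    for members in cluster_addresses(chain, use_change_heuristic).values():
        if addr in members:
            return members
    return [addr]


if __name__ == "__main__":
    for rep, members in cluster_addresses(SAMPLE_CHAIN).items():
        print(rep, "->", members)
```

With the change heuristic switched off, A1/A2 and A3/A4 stay in separate clusters; it is the fresh-change link in the second transaction that ties the whole chain together.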
Clustering of addresses by combining the shared-spending heuristic and the fresh-change-address heuristic
Attaching real-world identities to clusters (figure: cluster graph, not reproduced here)
1. Mt. Gox was the largest Bitcoin exchange, so we might guess that the big purple circle represents addresses controlled by it
2. The brown cluster on the left has a tiny volume: the gambling service Satoshi Dice
• Tagging by transacting
– The reliable way to learn a service provider's addresses is to actually transact with that service provider — depositing bitcoins, purchasing an item, and so on
• When you send bitcoins to or receive bitcoins from the service provider, you learn one of their addresses; it will soon end up in the block chain, and it then tags the entire cluster with the service provider’s identity.
• Identifying individuals
– Can we do the same thing for individuals?
• Directly transacting
– Anyone who transacts with an individual — an online or offline merchant, an exchange, or a friend who splits a dinner bill using Bitcoin — knows at least one address belonging to them
• Via service providers
– Most users will end up interacting with an exchange or another centralized service provider. These service providers typically ask users for their identities — often they are legally required to
• Carelessness
– People often post their Bitcoin addresses in public forums. A common reason is to request donations
» This creates a link between their identity and one of their addresses
• Things get worse over time
– Deanonymization algorithms usually improve over time when the data is publicly available, as more researchers study the problem and identify new attack techniques
• Transaction graph analysis
– The deanonymization techniques examined so far are all based on analyzing the graph of transactions in the block chain
• Network-layer deanonymization
– A completely different way in which users can get deanonymized, which does not rely on the transaction graph
– To post a transaction to the block chain, one typically broadcasts it to Bitcoin’s peer-to-peer network, where messages are sent around that do not necessarily get permanently recorded in the block chain.
• The block chain is the application layer
• The peer-to-peer network is the network layer
– When a node creates a transaction,
• it connects to many nodes at once and broadcasts the transaction.
• If sufficiently many nodes on the network collude with each other (or are run by the same adversary), they could figure out the first node to broadcast any transaction.
– Presumably, that would be a node run by the user who created the transaction.
– The adversary could then link the transaction to the node’s IP address
Anonymous e-cash
• Bitcoin is not the first case in which we have to face the concept of anonymous e-cash. Back in 1982, the cryptographer David Chaum proposed something called blind signatures, which helped him develop anonymous electronic cash.
• A blind signature is a two-party protocol. At the end of the protocol, one party has produced a digital signature on some input without knowing what that input is. It sounds like magic, but it is not that sophisticated at a technical level if you look into the details.
• Now, assuming that we have blind signatures, how can they help us achieve an electronic cash protocol?
• Imagine that there is a bank which stores various things in its database. In particular:
– a table mapping users to the balance of their account, which is just a plain number saved in the database
– a table of spent coins
Protocol scheme
• Suppose that a user now wants to withdraw an anonymous coin from the system:
• the bank receives the request and deducts the user's balance (e.g. it goes from 10$ to 9$)
• the bank and the user execute the two-party blind signature protocol.
• The user chooses a random serial number for the coin and, at the end of the protocol, receives a signature on this serial number.
• Thanks to the blind signature, the bank signs without learning the serial number, so it cannot tie the serial number to the user. This signed number represents an anonymous token
• If the user wants to use the money to make a payment, he sends the recipient (the red user in the figure) both the signed token and the serial number
• The receiving user will immediately contact the bank and try to deposit this anonymous coin. In fact, he cannot be sure that the paying user (the blue user in the figure) is not trying to double spend until he deposits the coin. Only if the coin turns out to be valid will the red user complete the rest of the transaction (e.g. send some goods in exchange for the money)
• The bank receives the plain serial number and its signature, verifies that the signature is valid and that a coin with this serial number does not appear in the list of spent ones. Since the bank did not see the serial number the first time, it does not know which user initially withdrew the coin. In fact, it will have a lot of requests from different users and cannot recognize this transaction among the others. That is the anonymity property: the bank cannot link the two users.
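The withdrawal and deposit steps just described, worked through in Python as an added example (not code from the lecture notes or from Chaum's original paper), using RSA blind signatures: the bank keeps the balance table and the spent-coins table, signs a blinded value at withdrawal, and at deposit checks the signature and rejects a replayed serial number. The RSA key is a constructed toy key built from two small known primes; the user names, the $1 coin value and the 16-byte serial are constructed as well.

```python
"""Chaum-style anonymous e-cash with RSA blind signatures.

Added example, not code from the original lecture notes. The RSA key is
a constructed toy key built from two small known primes so that the
arithmetic stays readable; a real deployment needs a properly generated
key of at least 2048 bits and a proper full-domain hash.
"""
import hashlib
import math
import secrets

# Constructed toy RSA key: N = P*Q, E public exponent, D private exponent.
P, Q = 104729, 1299709            # small known primes, toy size only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def serial_to_int(serial: bytes) -> int:
    """Hash the serial number and reduce it into Z_N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    """Holds the balance table and the spent-coins table from the notes."""

    def __init__(self):
        self.balances = {}          # user -> balance in dollars
        self.spent_coins = set()    # serial numbers already deposited
        self.withdrawal_log = []    # everything the bank sees at withdrawal

    def blind_sign(self, user, blinded):
        """Withdrawal: deduct $1 and sign the blinded value without seeing it."""
        if self.balances.get(user, 0) < 1:
            raise ValueError("insufficient balance")
        self.balances[user] -= 1
        self.withdrawal_log.append((user, blinded))
        return pow(blinded, D, N)

    def deposit(self, user, serial, signature):
        """Accept a coin only if the signature verifies and the serial is new."""
        if pow(signature, E, N) != serial_to_int(serial):
            return False                       # forged or corrupted coin
        if serial in self.spent_coins:
            return False                       # double-spend attempt
        self.spent_coins.add(serial)
        self.balances[user] = self.balances.get(user, 0) + 1
        return True


def withdraw_coin(bank, user):
    """User side: choose a serial, blind it, get it signed, unblind it."""
    serial = secrets.token_bytes(16)
    m = serial_to_int(serial)
    while True:                                # blinding factor coprime to N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N           # the bank sees only this
    blinded_sig = bank.blind_sign(user, blinded)    # (m * r^E)^D = m^D * r
    signature = (blinded_sig * pow(r, -1, N)) % N   # strip r, leaving m^D
    return serial, signature


def demo():
    """Alice withdraws a coin and pays Bob; the same coin is then replayed."""
    bank = Bank()
    bank.balances["alice"] = 10
    serial, sig = withdraw_coin(bank, "alice")
    first = bank.deposit("bob", serial, sig)         # fresh serial: accepted
    second = bank.deposit("carol", serial, sig)      # replay: rejected
    # Unlinkability: the value logged at withdrawal differs from the serial
    # seen at deposit, so the bank cannot match the two events.
    linkable = any(b == serial_to_int(serial) for _, b in bank.withdrawal_log)
    return bank.balances["alice"], first, second, bank.balances["bob"], linkable


if __name__ == "__main__":
    print(demo())
```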
Difference with Bitcoin protocol
• This is a trust model that is very different from the model under which Bitcoin operates.
• Most traditional cryptography research on anonymous e-cash followed this model, in which the bank can be trusted to keep the money, but not for anonymity.
• Looking back at Bitcoin's history, it seems that people gave much more importance to decentralization. So people were willing to accept only pseudonymity properties in order to have a decentralized system, and started working on anonymity improvements only as a second step.
• Generally, anonymization and decentralization are in conflict with each other, as we will see in more detail in the following lectures.
• There are at least a couple of reasons for this:
– often, for anonymity, it is necessary to rely on certain interactive protocols with the bank in order to do some blinding (e.g. blind signatures). It is not clear whether something like that is possible without a central authority
– even if it were possible to obtain blinding in a decentralized system, there is still the problem that in order to decentralize and still get security properties such as resistance to double spending, the usual approach is to record and trace everything in a public ledger. This further compromises the anonymity and privacy properties
Bitcoin mixing
• Mixing can improve anonymity in many contexts by using an intermediary to route your communications (or money).
– You put the coins into some intermediary, some service
– After the deposit, it forgets the sender and treats its entire Bitcoin holdings as indistinguishable from each other.
– It might combine them into a single transaction or merge them in different ways.
– When the user comes back to withdraw their bitcoins, the coins they get back will not be tied to the coins they put in:
– they will get their coins from some other randomly picked deposit that the intermediary received.
• Benefits
– Suppose that somebody is looking at the public information in the block chain,
– so he does not know the operations made by the intermediary.
– Then he will not be able to link the input addresses to the ultimate output addresses corresponding to the same user. This is the intuition behind intermediaries.
Are online wallets anonymous?
• Online wallets store your bitcoins online until you need them. So now we might wonder whether online wallets are the solution to our anonymity problem.
• It happened, for example, that two Israeli researchers issued a preprint of a paper in which they claimed that there was a connection between Dread Pirate Roberts (Ross Ulbricht, a US hacker) and Satoshi Nakamoto.
• Then it turned out that they had mistaken this link. In fact, they did not consider that the presumed money exchange between them passed through an intermediary.
• So online wallets provide a sort of anonymity: someone who tries to make a connection between an input and an output address can completely fail to make the connection.
Dedicated Mixing services
• So, having rejected online wallets as an anonymity solution, let's turn to dedicated mixing services.
• How does a mix service work?
– It asks you for an address to send bitcoins back to, and gives you an address to send bitcoins to the mix.
• So it is basically a swap. What could be the ideas to improve anonymity?
– Use a series of mixes instead of a single one;
– All users make transactions that are almost uniform
• USE A SERIES OF MIXES
– Using a series of mixes increases the complexity for the adversary, and you will not have to trust a single mix to delete its records.
– It would be enough that a single mix in the chain deletes them. Mixes should implement a standard API to let users do this operation easily, while right now it is quite complex.
• Suppose that a user wants to use a series of mixes:
• the user sends the coins to the mix using an address that an adversary was able to link to him
• he gets the money back from the mix at another freshly generated output address. Hopefully the mix returns the same amount of bitcoin, immediately or after some gap of time
• then he repeats the same process with another mix, which is hopefully not cooperating with the first mix
Mixing services
• An adversary looking at the block chain will see all these transactions together with all the other transactions that users are doing through mixes.
• So it will probably not be able to distinguish the user's transactions from all the others, especially if the transactions are almost uniform.
• UNIFORM TRANSACTIONS
– What does it mean to make transactions as uniform as possible? One important consequence is that all of these mix transactions, not only from a particular mix but from all of the mixes in the mix ecosystem, should have the same value. So, to obtain the best result, all mixes providing the service should agree upon a standard chunk size.
• USE AUTOMATED CLIENT SOFTWARE
– In addition to this, there are other possible attacks in which a clever adversary might infer various things. For example, he could use other properties, including timing, to try to link users' input addresses and output addresses together. This type of linking can be avoided, but human users interacting with the mix are surely not able to take into account all of these possible linking attacks.
– So it would be necessary to provide automated client-side software, built into desktop wallet software, that automatically knows how to interact with these mixes in order to preserve the user's anonymity
• MIX FEES
– Why do mixes provide their service?
• Typically, it is because they are a business and want to be paid. It turns out that mostly the only way for these mixes to get paid is to take a cut of the transaction that the user is sending to the mix.
– Drawback
• That seems a bit weird, because if a mix takes a standard percentage, then an adversary might be able to use that to link the input transaction and the output transaction.
– Solution
• So some current mixes try to randomize the transaction fee; they might say “we take a random cut between 1% and 3%”. However, this is not a good idea either, because if you put that through a chain of mixes, the value of the chunk is going to dwindle in a predictable way, and this is an important side channel for the adversary.
– How to avoid this? (Alternative solution)
• We proposed that mix fees should be all or nothing. In other words, the mix should either swallow the whole chunk, with a small probability, or return the whole chunk.
– For example, if the mix wants to charge a 0.1% mixing fee, then one out of 1000 times the mix should swallow the entire chunk, and 999 times out of 1000 it should return the entire chunk without taking any mixing fee.
– This is tricky, because the mix has to convince the user that it is generating the random number without cheating. Of course, in this case the users' amounts should be divided into very small chunks so that, when one of them is taken by the mix, the loss is not high.
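The three fee policies discussed above (a fixed percentage, a random 1% to 3% cut, and all-or-nothing at 0.1%), simulated through a chain of mixes as an added example that is not part of the lecture notes. The chunk size, the number of hops, the number of users and the seed are constructed; the point is what an observer of the block chain can read off the output values under each policy.

```python
"""Mix fee policies and the chunk-value side channel discussed above.

Added example, not code from the lecture notes. One standard chunk is
pushed through a chain of mixes under three fee policies; the set of
output values is what an observer of the block chain sees. Chunk size,
hop count, fee rates and the number of users are constructed.
"""
import random

CHUNK = 0.1   # standard chunk size in BTC (constructed)
HOPS = 3      # length of the mix chain (constructed)


def fixed_percent_fee(value, rng, pct=0.01):
    """Every mix keeps a fixed 1% of the chunk."""
    return value * (1 - pct)


def random_percent_fee(value, rng, lo=0.01, hi=0.03):
    """Every mix keeps a random cut between 1% and 3%."""
    return value * (1 - rng.uniform(lo, hi))


def all_or_nothing_fee(value, rng, p=0.001):
    """With probability p the mix swallows the whole chunk; otherwise it
    returns the chunk untouched. The expected fee is still 0.1%."""
    return 0.0 if rng.random() < p else value


def run_chain(policy, rng, hops=HOPS, chunk=CHUNK):
    """Send one chunk through `hops` mixes that all use `policy`."""
    value = chunk
    for _ in range(hops):
        value = policy(value, rng)
    return round(value, 8)            # satoshi precision


def observed_values(policy, users=1000, seed=1):
    """Distinct output values an observer sees across many users."""
    rng = random.Random(seed)
    return sorted({run_chain(policy, rng) for _ in range(users)})


def hops_consistent_with(value, lo=0.01, hi=0.03, max_hops=10, chunk=CHUNK):
    """Observer's inference under percentage fees: the hop counts k with
    chunk*(1-hi)^k <= value <= chunk*(1-lo)^k. The dwindling value narrows
    down how many mixes a chunk went through, and under a fixed percentage
    it even pins the count down exactly. A full-size chunk returned by an
    all-or-nothing mix is indistinguishable from one that never entered a
    mix, so it carries no such information."""
    eps = 1e-7
    return [k for k in range(max_hops + 1)
            if chunk * (1 - hi) ** k - eps <= value <= chunk * (1 - lo) ** k + eps]
```

Under the fixed and random percentage policies every user's output value is distinct from the standard chunk, and the value alone narrows the chain length; under the all-or-nothing policy every surviving output equals the chunk exactly.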
Difference between online wallets and dedicated mixing services
• A good way to understand what level of anonymity online wallets provide is to compare them with services created specifically for mixing.
• MIXING SERVICES PROVIDE ADDITIONAL FEATURES
• Dedicated mixing services, in addition to randomly picking the money they give back to you, also promise:
– not to keep records of the mixing process. So even if they wanted to, they could not know which bitcoins were the ones you put in, and even if some authority asked them for information, they would have no records;
– not to ask for information regarding your real-life identity in order to interact with them
• Online wallets, by contrast, are typically reputable and regulated businesses.
• So they would probably ask for your identity and store records, keeping the link between the identity and the Bitcoin address.
• They will probably also keep records of internal operations.
• Even if they don't ask for your real identity, you would need a long-term pseudonymous identity to interact with an online wallet and keep track of your deposits.
• So even if the online wallet does not ask for your real identity, it will know the address of each deposit you made and every single withdrawal.
• In addition, people who care about anonymity are also worried about those records being hacked or acquired by authorities that have the power to ask for them.
• ANONYMITY SET COMPARISON
– However, when you put money into a mixing service, you would probably want it back immediately, at some other address.
– In fact, you probably don't trust a mixing service much, while an online wallet can be trusted more and is usually used for long-term deposits.
– So an online wallet can provide you with a bigger anonymity set, since your coins get mixed with all the other coins deposited and withdrawn from the moment of your deposit.
– So, from the point of view of someone with no privileged information, your withdrawal would look indistinguishable from every single withdrawal ever made from that service provider.
– The conclusion is that with respect to the service provider, online wallets provide less anonymity.
– But with respect to everybody else they provide greater anonymity than mixing services. This is very similar to a traditional bank, which holds our information but gives good privacy towards strangers with no privileged access. Those who are looking for anonymity properties in Bitcoin would probably like to have higher anonymity than the one provided by the standard banking system.
CONCLUSIONS
• All of those principles are really important to preserve a good level of anonymity. The sad news is that none of the current mixes follow these principles. Each mix operates completely independently, with its own web interface. The user interacts with a single mix at a time and manually, choosing the amount instead of a standard chunk size.
• So the current situation does not provide a good level of anonymity. But moving to a slightly different model based on the principles above would increase anonymity a lot.
• Of course, there would still be the problem of trust between the user and the mixes. However, mixes do a lot of things to improve their trustworthiness, for example staying online for a long time and not stealing users' money. In addition, if the money goes through many mixes, a single mix cannot know from which user the money is coming. So if it wants to steal, it will only be able to steal at random and not from a particular user.
• Finally, one proposal to increase mixes' trustworthiness could be to use a cryptographic mechanism by which the mix issues a sort of promissory statement to the user: once it receives a chunk at a particular address, it will send a chunk back to some other address that the user provides. If the mix fails to keep this promise, the user can publicize this warranty, and everybody will know that a particular mix has cheated.
Bitcoin decentralized mixing
Reasons for decentralized mixing
• The fact that a mix ecosystem currently does not exist is the main reason why many people have proposed decentralized mixing for Bitcoin.
• There are a variety of reasons for decentralized mixing:
– No bootstrapping problem: in a decentralized system you find a community of peers who all want to do mixing, and it is possible to mix without any central coordination or service that collects your funds.
– No thefts: nobody is explicitly sending bitcoins to another user.
– It could also provide better anonymity.
– It is more philosophically in line with Bitcoin. In fact, it makes it possible to get rid of the need for a centralized service, and there are a lot of Bitcoin users who find that appealing.
CoinJoin model
• The main proposal for decentralized mixing is called CoinJoin, by Greg Maxwell, a core Bitcoin developer.
• The proposal consists of:
– Different users coming together to create a single Bitcoin transaction. They combine their inputs, presumably of equal value, in a single transaction. To achieve this, it is not necessary for anyone to collect all the private keys: each input signature is entirely separate.
– Users also provide their output addresses and randomize the order of the outputs. In this situation, the participating users themselves know which input address corresponds to which output address. Later we will see how to avoid this.
• Someone looking at this single transaction in the block chain will not be able to find the mapping between the inputs and the outputs.
– This is true even if he knows that it is a CoinJoin transaction.
• The above is only one mixing round. It is better to do a sequence of CoinJoins and make sure that the chunks are standardized, so that the transactions are uniform.
CoinJoin transaction structure
• Let's see how a CoinJoin transaction is built, from an algorithmic point of view:
1. First of all, it is necessary to find peers who want to mix
2. They have to exchange their input and output addresses with each other
3. One of the users must construct the cumulative transaction
4. He signs his inputs and sends the transaction to the other peers. Each one checks that their output is present before signing their input. If a single peer refuses to sign the transaction, it will not be forwarded
5. Broadcast the transaction
• The entire security property comes from each peer checking that their output address is there, and that their output address receives at least as much value as went in from their input.
• This seems secure enough, but let's look at the remaining problems.
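Steps 2 to 5 above, worked through in Python as an added example that is not code from the lecture notes or from any CoinJoin implementation. It shows the per-peer check of step 4 (sign only if my output is present and worth at least my input), a dishonest constructor being stopped by one refusal, and what an observer can and cannot learn from the finished transaction when the chunks are uniform versus when they are not. Signatures are stand-ins (an HMAC under a per-peer secret rather than ECDSA), and the peer names, secrets, addresses and amounts are constructed.

```python
"""CoinJoin construction with the per-peer check described in step 4.

Added example, not code from the lecture notes. Signatures are stand-ins:
each peer "signs" by computing an HMAC over the transaction under a
per-peer secret (a real CoinJoin uses ECDSA signatures over the
transaction). Peer names, secrets, amounts and addresses are constructed.
"""
import hashlib
import hmac
import json
import random
from itertools import permutations


class Peer:
    def __init__(self, name, secret, in_addr, in_value, out_addr):
        self.name = name
        self.secret = secret               # stand-in for the private key
        self.input = (in_addr, in_value)
        self.out_addr = out_addr

    def approve(self, tx):
        """Step 4: sign only if my output is present and worth at least my input."""
        paid = sum(v for a, v in tx["outputs"] if a == self.out_addr)
        if paid < self.input[1]:
            return None                    # refuse: the transaction is not forwarded
        body = json.dumps({"inputs": tx["inputs"], "outputs": tx["outputs"]},
                          sort_keys=True).encode()
        return hmac.new(self.secret, body, hashlib.sha256).hexdigest()


def build_coinjoin(peers, rng, drop_output=None):
    """Steps 2-3: pool inputs and outputs and shuffle the outputs.
    drop_output simulates a dishonest constructor omitting one peer's output."""
    inputs = [p.input for p in peers]
    outputs = [(p.out_addr, p.input[1]) for p in peers]   # no fee in this toy
    if drop_output is not None:
        outputs = [o for o in outputs if o[0] != drop_output]
    rng.shuffle(outputs)
    return {"inputs": inputs, "outputs": outputs, "signatures": {}}


def collect_signatures(tx, peers):
    """Step 4 for every peer: a single refusal blocks the broadcast (step 5)."""
    for p in peers:
        sig = p.approve(tx)
        if sig is None:
            return False, p.name
        tx["signatures"][p.input[0]] = sig
    return True, None


def consistent_mappings(tx):
    """Observer's view: how many input->output assignments fit the values?"""
    ins = [v for _, v in tx["inputs"]]
    outs = [v for _, v in tx["outputs"]]
    if len(ins) != len(outs):
        return 0
    return sum(1 for perm in permutations(range(len(outs)))
               if all(ins[i] == outs[perm[i]] for i in range(len(ins))))


# Constructed participants, each mixing one standard chunk of 100 units.
PEERS = [
    Peer("alice", b"alice-secret", "in_A", 100, "out_X"),
    Peer("bob",   b"bob-secret",   "in_B", 100, "out_Y"),
    Peer("carol", b"carol-secret", "in_C", 100, "out_Z"),
]


def honest_round(seed=7):
    """Equal chunks: everyone signs, and all 3! mappings look equally likely."""
    tx = build_coinjoin(PEERS, random.Random(seed))
    ok, refuser = collect_signatures(tx, PEERS)
    return ok, refuser, len(tx["signatures"]), consistent_mappings(tx)


def tampered_round(seed=7):
    """The constructor drops Bob's output: Bob refuses and the round is abandoned."""
    tx = build_coinjoin(PEERS, random.Random(seed), drop_output="out_Y")
    ok, refuser = collect_signatures(tx, PEERS)
    return ok, refuser


def nonuniform_round(seed=7):
    """Unequal amounts: the values alone reveal the input->output mapping."""
    peers = [Peer("p1", b"s1", "in_1", 50, "out_1"),
             Peer("p2", b"s2", "in_2", 75, "out_2"),
             Peer("p3", b"s3", "in_3", 125, "out_3")]
    tx = build_coinjoin(peers, random.Random(seed))
    return consistent_mappings(tx)
```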
• HOW TO CHOOSE PEERS TO MIX
– To find peers, it would be enough to use an untrusted server:
– a sort of watering hole where different users can connect and find each other.
– But then the users would have to trust the server to run the protocol correctly.
– So this already requires a whole peer-to-peer protocol for finding CoinJoin peers.
• HOW TO SOLVE THE ANONYMITY PROBLEM
– In the centralized mix case, we can be almost sure that the mixes are run by different entities who are not colluding with each other.
– In addition, at least some of them will be real-life identities who have incentives to maintain a good reputation.
– And it would be really unlikely for an attacker to be able to compromise all the mixes we are using at the same time.
– In the decentralized case, by contrast, we have no idea who the peers are.
– A single attacker could create many identities and try to get inside every single CoinJoin transaction, so that he would know the output mappings.
– So even with a series of CoinJoins, it could be that at least one of the participants in every round was the attacker or was controlled by the same attacker.
– There is a simple strawman solution to this problem. You need to communicate the set of inputs to all the peers, and you also need to communicate the set of outputs; but it is possible to break the linkage between the inputs and the outputs.
– In fact, this becomes a communication anonymity problem instead of a Bitcoin anonymity problem. We have already seen that there are anonymous communication systems such as Tor. So a strawman solution to our problem is that the peers connect and exchange input addresses, then disconnect and reconnect after a while before exchanging the output addresses as well.
– In practice, an even better solution might be to build a special-purpose anonymous routing mechanism for the participants to use just for this protocol. There are things called decryption mixnets that allow exactly that.
• HOW TO HANDLE A DENIAL OF SERVICE ATTACK
– Another problem could be a denial of service attack. It could happen that, after providing an input and output pair, one node disappears, so that it becomes impossible to broadcast the transaction. It could also happen that one malicious node takes an already signed input and tries to broadcast it separately, so that the CoinJoin looks like a double-spend attempt and gets rejected.
– A traditional solution to a denial of service attack is to make it a little bit expensive for the client to connect to the server and receive service. This scheme is usually applied to client-server models, but we can adapt it to peer-to-peer models by introducing either a:
• proof-of-work: it is possible to reuse the same algorithm behind Bitcoin's protocol. Every node must do a bit of computational work before joining a CoinJoin protocol. In this way, it would be very computationally expensive for the adversary to try to join every transaction
• proof-of-burn: also called fidelity bonds. Participants irreversibly destroy some bitcoins by sending them to an unspendable address in order to get into the system.
Coinjoin transaction structure
• Another solution could be to build a cryptographic system
that lets us identify one or more malicious peers who launched a
denial of service and kick them out,
• so that the Coinjoin can be rerun by the remaining participants.
• This technique can be applied even in a decentralized system
using something called zero knowledge.
• With this method it will be possible to establish that at
least one player misbehaved, without necessarily learning
much more about what happened.
Side channels
• Let's look at some side channels that can be very tricky and reveal something
about your identity even if you use every possible mixing service.
• For example, suppose that Alice receives almost the same amount of bitcoins on a
weekly basis, and then transfers 5% of that to her retirement account almost
immediately. Then, no matter what she does to obscure the link between the
income-receiving address and the retirement one, the pattern will be clear thanks to the
constant amount and the constant 5% percentage.
• The idea that protects against this is called merge avoidance, proposed by Mike Hearn.
The idea is really simple: when a user wants to make a payment, he shouldn't create a
giant transaction that combines many inputs to pay a single
address. Instead, he could use a protocol in which the payee provides a certain
number of output addresses.
• This avoids a lot of problems. An adversary might not even be able to
observe that this is a high-level flow, and it also avoids problems like
addresses being clustered together because of evidence of shared spending. This is a
proposal that one could think about incorporating right now into Bitcoin-based
payment flows in order to improve anonymity for everyone.
Merge Avoidance
Alice wishes to buy a teapot for 8 BTC. The
store gives her two addresses and she pays
5 to one and 3 to the other, matching her
available input funds. This avoids
revealing that her two input addresses
both belong to Alice.
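As an added Python example (not from the slides or from Mike Hearn's proposal), the code below implements the shared-spending clustering heuristic that merge avoidance defeats, plus a simple merge-avoidance payment planner for the teapot scenario; the address names and the change-output convention are constructed for illustration.

```python
def cluster_by_shared_spending(txs):
    """Shared-spending heuristic: every input of one transaction is assumed to have a
    single owner. Returns the resulting address clusters (union-find)."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]   # path halving
            addr = parent[addr]
        return addr

    for tx in txs:
        root = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = root
    clusters = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return list(clusters.values())

def same_cluster(txs, addr_a, addr_b):
    """True if the heuristic links the two addresses to one owner."""
    return any(addr_a in c and addr_b in c for c in cluster_by_shared_spending(txs))

def plan_merge_avoidance(coins, payee_addrs, amount):
    """Pay `amount` with one transaction per input coin, each to a different address
    supplied by the payee (change, if any, goes to a hypothetical fresh address).
    Returns None if the coins or the payee-supplied addresses run out."""
    txs, remaining = [], amount
    for (addr, value), payee in zip(coins, payee_addrs):
        if remaining == 0:
            break
        pay = min(value, remaining)
        outputs = [(payee, pay)]
        if value > pay:
            outputs.append((addr + "_change", value - pay))
        txs.append({"inputs": [addr], "outputs": outputs})
        remaining -= pay
    return txs if remaining == 0 else None

# Constructed sample from the slide: Alice holds 5 BTC and 3 BTC on two addresses and
# buys an 8 BTC teapot; the store supplies two receiving addresses.
ALICE_COINS = [("alice_addr_1", 5), ("alice_addr_2", 3)]
STORE_ADDRS = ["store_addr_1", "store_addr_2"]
MERGED_PAYMENT = [{"inputs": ["alice_addr_1", "alice_addr_2"], "outputs": [("store_addr_1", 8)]}]
```

Running the heuristic over MERGED_PAYMENT links Alice's two addresses, while the two transactions returned by plan_merge_avoidance leave them unlinked.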
Zerocoin and Zerocash
• All of the existing anonymity-enhancing technologies
that we have seen so far
– add anonymity on top of the core protocol
• Zerocoin and Zerocash
– incorporate anonymity at the protocol level
– Properties
• Compatibility
– not compatible with Bitcoin
– technically possible to deploy Zerocoin with a soft fork to Bitcoin
– With Zerocash, a fork is not even possible, an altcoin is the only option
• Cryptographic guarantees - relies only on the adversary’s computational limits
– incorporate protocol-level mixing
– anonymity properties come with cryptographic guarantees
» qualitatively better than those of the other mixing technologies
– No need to trust any of the following to ensure privacy
» mixes, peers, intermediaries, miners and the consensus protocol
• Zerocoin
– Basecoin is a Bitcoin-like altcoin, and Zerocoin is an extension of
this altcoin
– Anonymity is achieved by converting basecoins into zerocoins
and vice-versa
• it breaks the link between the original basecoin and the new basecoin
• Basecoin is the currency that you transact in, and
– Zerocoin just provides a mechanism to trade your basecoins in for new ones that
are unlinkable to the old ones.
– Each zerocoin you own is a proof that you owned a basecoin
and made it unspendable.
• The proof does not reveal which basecoin you owned; it only says that
you owned a basecoin.
• Later, you redeem this proof for a new basecoin by presenting it to
the miners
– This proof is implemented cryptographically (with zero-knowledge
proofs) and may be redeemed for a basecoin only once.
• otherwise redeeming it more than once would yield free basecoins
• zero-knowledge proof
– a way for somebody to prove a (mathematical)
statement without revealing any other information about
why that statement is true
– Is it a zero-knowledge proof? NO
• “I know x such that H(x || 〈 other known inputs 〉 ) < 〈 target 〉”
• the natural proof is to reveal x itself, so the verifier
learns x
– Is it a zero-knowledge proof? YES
• “I know x such that H(x) belongs to the following set: {...}”
• The proof would reveal nothing about x, nor about which
element of the set equals H(x)
• Minting Zerocoins
– Zerocoins come into existence by minting
– they come in standard denominations
– Basic assumption: each zerocoin is worth one basecoin
– Does minting a zerocoin give it any value?
• No!!! It acquires value only when you put it onto the block chain,
and doing that will require giving up one basecoin
– How to mint a zerocoin?
• use a cryptographic commitment
– like sealing a value in an envelope and putting it on a table in everyone’s view
• Minting a zerocoin is done in three steps:
1. Generate a serial number S and a random secret r
2. Compute Commit(S, r), the commitment to the serial number
3. Publish the commitment onto the block chain; this burns a basecoin,
making it unspendable, and creates a zerocoin.
Keep S and r secret for now.
Minting a Zerocoin
Spending a zerocoin
• The spend transaction reveals the serial number S committed by the
earlier mint transaction, along with a zero-knowledge proof that S
corresponds to some earlier mint transaction.
• Unlike a mint transaction (or a normal Bitcoin/basecoin transaction),
the spend transaction has no inputs, and hence no signature. Instead
the zero-knowledge proof serves to establish its validity.
• Once you spend a zerocoin, its serial number becomes public, and you
will never be able to redeem this serial number again.
• How is anonymity preserved in Zerocoin?
– Observe that r is kept secret throughout
• Neither the mint nor the spend transaction reveals it
– Nobody knows which serial number corresponds to
which zerocoin
– There is no link on the block chain between the mint transaction
that committed a serial number S and the spend
transaction that later revealed S to redeem a basecoin
– The idea is this (zero-knowledge proof):
• It’s as if there are a bunch of sealed envelopes on a table with
different serial numbers, and you can prove that a particular
serial number is one of them, without having to reveal which
one and without having to open any envelopes
• How to preserve efficiency while the number of
commitments keeps growing?
– “I know r such that Commit(S, r) is in the set { c1, c2, ..., cn }”.
– Challenge
• The size of the zero-knowledge proof would grow linearly with
n, the number of zerocoins that have ever
been minted
– Solution
• Zerocoin manages to make the size of these proofs only
logarithmic in n, so the proof itself can be much shorter.
– Drawback
• Zerocoin still adds quite a sizable overhead, with proofs
about 50 kB in size
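The mint/spend flow and the set-membership statement above, as an added Python illustration that is not Zerocoin's real construction: it uses Pedersen-style commitments and a 1-of-n Schnorr OR-proof whose size grows linearly with n (the strawman that Zerocoin improves to logarithmic size), with constructed toy group parameters and a toy ledger that rejects a reused serial number.

```python
import hashlib, secrets

# Constructed toy parameters: the Mersenne prime 2^127 - 1 as field modulus and two
# fixed bases whose mutual discrete log is assumed unknown (real systems use vetted groups).
P = 2**127 - 1
Q = P - 1            # exponents are reduced mod P-1 (Fermat: x^(P-1) == 1 mod P)
G, H = 3, 5

def commit(serial, r):
    """Pedersen-style Commit(S, r) = g^S * h^r mod P; hides S while r stays secret."""
    return pow(G, serial, P) * pow(H, r, P) % P

def challenge(*values):
    """Fiat-Shamir challenge derived from every public value of the proof."""
    digest = hashlib.sha256(b"|".join(str(v).encode() for v in values)).digest()
    return int.from_bytes(digest, "big") % Q

def spend_proof(serial, r, commits, j):
    """OR-proof for 'I know r with Commit(S, r) == commits[j]' that does not reveal j."""
    ys = [c * pow(pow(G, serial, P), -1, P) % P for c in commits]  # ys[j] == h^r
    a, c, z = [0] * len(commits), [0] * len(commits), [0] * len(commits)
    for i in range(len(commits)):
        if i != j:   # every other branch is simulated from a freely chosen challenge
            c[i], z[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            a[i] = pow(H, z[i], P) * pow(pow(ys[i], c[i], P), -1, P) % P
    w = secrets.randbelow(Q)
    a[j] = pow(H, w, P)
    c[j] = (challenge(*ys, *a) - sum(c)) % Q   # real branch absorbs the leftover challenge
    z[j] = (w + c[j] * r) % Q
    return a, c, z

def verify_spend(serial, commits, proof):
    a, c, z = proof
    ys = [cm * pow(pow(G, serial, P), -1, P) % P for cm in commits]
    return sum(c) % Q == challenge(*ys, *a) and all(
        pow(H, z[i], P) == a[i] * pow(ys[i], c[i], P) % P for i in range(len(commits)))

class ToyLedger:
    """Mint records a commitment (the burned basecoin); spend reveals S plus a proof."""
    def __init__(self):
        self.commits, self.spent = [], set()
    def mint(self, serial, r):
        self.commits.append(commit(serial, r))
    def spend(self, serial, proof):
        if serial in self.spent:          # serial already public: reject the double spend
            return False
        if not verify_spend(serial, self.commits, proof):
            return False
        self.spent.add(serial)
        return True
```

The proof carries three values per minted coin, which is exactly the linear growth the slide calls the challenge; the verifier learns S but nothing about r or about which commitment was opened.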
• Trusted setup
– Building Zerocoin requires a one-time trusted setup, in which
secret inputs are used once to generate the public parameters
and are then securely destroyed
• Here the secret inputs are p and q, and the public parameter is
N = p*q, where p and q are two large primes, the factors of N.
After N has been created, p and q must be safely destroyed
• if anyone knows the secret factors p and q (called the
“trapdoor”), they would be able to create new zerocoins for
themselves without being detected
– How to ensure that p and q are actually destroyed?
• there are “threshold cryptography” techniques that allow a set of
delegates to jointly compute N in such a way that as long as
any one of them deletes their secret inputs, the system will
remain secure.
• Zerocash
– Zerocash is a different anonymous cryptocurrency that builds on
the concept of Zerocoin but takes the cryptography to the next
level.
• Uses a cryptographic technique called zero-knowledge SNARKs (zk-
SNARKs), which are a way of making zero-knowledge proofs much more
compact and efficient to verify.
• The upshot is that the efficiency of the system overall gets to a point
where it becomes possible to run the whole network without needing a
basecoin. All transactions can be done in a zero-knowledge manner.
– Zerocoin supports regular transactions for when you don’t need
unlinkability, augmented with computationally expensive
transactions that are used only for mixing.
• The mix transactions are of fixed denominations, and splitting and
merging of values can happen only in Basecoin.
– In Zerocash, that distinction is gone.
• The transaction amounts are now inside the commitments and no longer
visible on the block chain.
• The cryptographic proofs ensure that the splitting and merging happens
correctly and that users can’t create zerocash out of thin air.
• Zerocash
– The only thing that the ledger records publicly is the
existence of these transactions, along with proofs that
allow the miners to verify all the properties needed for the
correct functioning of the system.
– Neither addresses nor values are revealed on the block
chain at any point.
– The only users who need to know the amount of a
transaction are the sender and the receiver of that
particular transaction.
– The miners don't need to know transaction amounts. If
there is a transaction fee, the miners need to know that
fee, but that doesn't really compromise your anonymity.
– The ability to run as an entirely untraceable system of
transactions puts zerocash in its own category when it
comes to anonymity and privacy.
• Zerocash is immune to the side-channel attacks against mixing
because the public ledger no longer contains transaction
amounts.
• Setting up Zerocash
– Setting up the public parameters: Zerocash requires
an enormous set of public parameters, over a
gigabyte long.
– To generate these public parameters, Zerocash
requires random and secret inputs, and
• if anyone knows these secret inputs, it compromises the
security of the system by enabling undetectable double-
spends
– Setting up the zk-SNARK system
A comparison of the anonymity