Anonymous Bitcoin
Privacy is a fundamental human right. Fungibility is an essential property of good money. Anonymity is just another word for that.
As of February 2018, the path to anonymous Bitcoin is finally clear. While strong anonymity in itself was already achievable, no strategies could achieve it in a convenient and economical way. During 2017, new research and techniques were invented that pave the path to both convenient and cheap anonymity. Furthermore, it is just a matter of time that we get to the point, where anonymous transactions will be more economical, than transparent ones.
2019 Update
Check out my UNCHAIN conference talk if you prefer consuming this topic in a video form.
Two Dimensions Of Anonymity
Companies dedicated to deanonymize Bitcoin users apply two strategies:
- Network Analysis
- Blockchain Analysis
Network Analysis
Private Transaction Broadcasting
Broadcasting transactions in a private way is tricky. Today a privacy conscious developer can choose to utilize an anonymity network, like Tor. In January 2017 Dandelion was introduced, it eliminates the anonymity network dependency by implementing a private transaction broadcasting mechanism.
Flagship Project: Dandelion
Private Transaction Retrieval
You need to know how much money you have. For that, you must ask someone. If you ask someone how much money you have, he will likewise know the amount of money you have. Well then, ask him over Tor, problem solved, right? No.
Your wallet has many Bitcoin addresses, and if you ask someone “hey, how much money do I have in these addresses?” then the third party you are asking will know those addresses belong to the same person.
It seems like the only way to avoid address linking is to run your own full node. Your node downloads all the transactions ever happened on the Bitcoin network, then calculates balances locally. Since you ask for all the transactions, nobody knows, which ones you are interested in.
However, running a full node is anything, but convenient. You must wait a few days or weeks in order to synchronize the blockchain and start using your wallet. So why not start syncing from the creation of your wallet, then? And the idea of full-SPV wallet was born. Projects implementing this are: Jonas Schnelli’s Bitcoin Core PR, Stratis: Breeze Wallet and my HiddenWallet. However, this is still far from convenient, let alone mobile friendly. If you do not turn this wallet on for a week, then you must download 1008 blocks, which is 1–4 GB of data, before you can start using it.
It is worth pointing out that there was another bandwagon, invented in 2012: BIP37: Bloom filtering SPV wallets. These were designed to provide privacy for light wallets, although it turned out to be a privacy nightmare.
In June of 2017, Lightning Labs researchers came to rescue: BIP Proposal: Compact Client Side Filtering for Light Clients. Furthermore, they provide an implementation, called Neutrino. I know, there is a lot of nonsense terminology here, however, let me demystify it to you. Additionally, every full node maintains a small index table, which they serve to light clients. After light clients acquired it, they can now figure out which blocks they have transactions in. Finally, they ask for the few blocks they care about from full nodes and go on with their life.
Today I am working on implementing this approach into HiddenWallet.
Flagship Projects: Client-Side Filtering, Neutrino, HiddenWallet
Blockchain Analysis
In 2013, Gregory Maxwell introduced CoinJoin. When multiple participants add inputs and outputs to a common transaction, it obfuscates the transaction graph. A stronger variant is if everyone registers with the same amount of money into the CoinJoin. This way no one can tell which input is intended to fund which output.
Such technique was briefly described by Maxwell in the same thread, called Chaumian CoinJoin. In 2014, another, similar technique was proposed under the name of CoinShuffle, which went through an iteration in 2015: CoinShuffle++. These techniques are round based. That means if you have 8 bitcoins and the denomination of a CoinJoin round is 1 bitcoin, then you must participate in 8 rounds. Thus, you are paying transaction fees 8 times. What if you have 0.9 bitcoin? You are not lucky. It gets worse. If the blockchain observer starts looking at transaction chains, then it can deanonymize the CoinJoin users, therefore we need to have a dedicated wallet with a privacy conscious coin control in place.
To tackle all these edge cases, in 2017, I designed and implemented ZeroLink, where I worked out Maxwell’s Chaumian CoinJoin idea as well.
Flagship Projects: CoinJoin, CoinShuffle, ZeroLink
However, let us not get lost in the details, and rather recognize, dealing with all this complexity would be unnecessary, if we would not have to care about the transaction amounts. Transaction amounts are the root of all evil in privacy technologies.
Here comes Confidential Transactions! CT solves exactly this. It replaces the output values with Pedersen commitments. The problem is, these commitments are huge and the larger your transaction is the more you have to pay for it. For this reason, CT was unlikely to ever to be seen in Bitcoin and even if it would have got into it, some kind of hybrid half CT, half CoinShuffle/ZeroLink model would have needed to be done in order to keep the fees in bay.
Then something happened. In November, 2017 Bulletproofs was introduced, which is an improvement on Confidential Transactions. It makes the commitment sizes smaller. Instead of huge, now they are only large. More importantly, if you want to have many CT outputs in a transaction, then your transaction size does not grow linearly with the number of outputs, which is great for CoinJoin, where the number of outputs can reach high numbers. Numbers, where the cost of CT becomes insignificant. Participating in this CoinJoin would result in similar transaction fees, as the user would send a normal transaction!
As a takeaway Confidential Transactions can be easily added to CoinShuffle and ZeroLink. It does not only simplify these systems, moreover it dissolves many restrictions they have on their users. A CT compatible CoinShuffle is called ValueShuffle.
Flagship Projects: Confidential Transactions, Bulletproofs, ValueShuffle
It gets better! There is another technology coming to Bitcoin called Schnorr Signatures.
Today when a CoinJoin transaction has 100 inputs, then it must hold 100 signatures as well. With Schnorr, we can do it with only one signature. This will make CoinJoin transactions about 30–40% cheaper than normal transactions.
Flagship Project: Schnorr Signatures
Conclusion
What did we achieve here? Making a CoinJoin mixing transaction with a high anonymity set becomes about 30% cheaper than making a transparent, traditional Bitcoin transaction.
Meta Update
A few months ago, I delayed the release of HiddenWallet then I started working on its stability. I refactored its Tor library and I worked out my own networking protocol as well, I called it Tor Over TCP, however I cannot seem to get this one right, so it may be a bandwagon. In the meantime, I did my long due research on Client Side Filtering, which you can read in this article and it became clear to me, this is clearly the right approach. Although Matthew slowly faded away, a week ago Lucas Ontivero joined me to the development. He is the second most frequent contributor to the NBitcoin library, so I am very excited to work with him. We started designing our own Client Side Filtering wallet. This will definitely get into HiddenWallet before the next release. It is a huge improvement and saves a lot of developer time, too. We created a new GitHub repository to work on the prototype, we called it MagicalCryptoWallet, because it sounds funny and the naming is not important. We will merge this into HiddenWallet as soon as we are there.
Anyway, consider feeding us with a pizza. Or better: with a protein shake, I am on a diet now.
